CNIL - French Data Protection Supervisory Authority’s strategy for 2020

On 12 March 2020, the French Data Protection Authority [1] ("DPA") announced its objective for the year 2020: to conduct formal control procedures over processing activities, based on a thematic approach. The French DPA therefore intends to carry out controls with regard to the following three themes:

  1. Security of health data

As sensitive personal data are subject to strict conditions of processing, in particular with regard to the requirements set out under Article 9 of the EU General Data Protection Regulation 2016/679 (“GDPR”), the French DPA wishes to ensure that appropriate security measures are implemented when players carry out processing activities involving this type of data [2].

  2. Mobility and geo-tracking

The French DPA notes that many applications and devices offer users functions that rely on geo-tracking technologies. As these technologies may have an impact on the private life of individuals, the French DPA is willing to carry out certain controls, in particular with regard to the proportionality of the data collected by the providers of such applications.

  3. Cookies and other tracking tools

Combining the rules set out in the GDPR with the principles deriving from the e-Privacy Directive 2002/58/EC [3], the French DPA issued a deliberation during the summer of 2019 establishing new guidelines [4] aimed at strengthening the conditions of validity of the consent to be obtained from any user prior to the deposit of cookies on his/her terminal equipment. The French DPA initially intended to issue a recommendation for spring 2020 to provide certain operational guidance with regard to the use of cookies and the subsequent consent rule. Players would benefit from a 6-month period from the issuance of this recommendation to implement all necessary measures in order to be in line with the GDPR principles on consent when using cookies. However, the issuance of this recommendation will be postponed due to the management of the COVID-19 crisis.

As far as the Grand Duchy of Luxembourg is concerned, the 2018 activities report of the Luxembourg DPA [5] shows that the Luxembourg DPA is also willing to conduct certain audits and controls based on a thematic approach. In this respect, this authority has already carried out a global audit over certain companies with regard to the potential mandatory requirement to appoint a Data Protection Officer.


[1] CNIL – Commission Nationale de l’Informatique et des Libertés.

[2] It is clear that the recent COVID-19 crisis and subsequent management of health data will have an impact from a data protection regulatory standpoint.

[3] Please note that the draft proposal for an e-Privacy Regulation, as issued by the European Commission, and aiming at repealing the e-Privacy Directive while establishing reinforced consent rules for the use of cookies, is still being debated within the European institutions.

[4] See CNIL deliberation here.

[5] See report here.