CNIL

The CNIL (Commission Nationale de l’Informatique et des Libertés) is a 100% independent French administrative authority. It was created in 1978 to protect personal data and individual freedoms—nothing less.

The CNIL quickly became a key player in the French digital landscape, positioning itself as the number one authority on privacy and personal data regulation in France.

Overview of the CNIL, its history, its missions, and its impact.

September 3, 2024

The CNIL was not created yesterday.

Issues that have been present since the end of the 20th century

The CNIL was created on January 6, 1978. Even at that time, the rise of information technology and the automated processing of personal data were already raising many concerns in terms of privacy protection.

It was in response to these concerns that the French Data Protection Act of 1978 was enacted. Its aim? To establish data protection principles and create an independent authority to monitor their application. The French Data Protection Authority (CNIL) was born!

An authority that evolves with the times

Since its creation, the CNIL has evolved to adapt to technological advances and new challenges in data protection.

To this end, several amendments were made to the Data Protection Act in 2004. These strengthened the powers of the CNIL by introducing new obligations for data controllers.

The icing on the cake: in 2018, with the entry into force of the General Data Protection Regulation (GDPR), the CNIL saw its remit expand even further. It now includes the new European data protection requirements.

What are the five missions of the CNIL?

1. Monitor compliance with privacy regulations

The primary mission of the CNIL is simple (at least in appearance): to protect citizens' personal data. It is therefore responsible for monitoring the proper application of data protection laws, ensuring that data processing respects the rights of individuals.

2. Advising and informing citizens

The CNIL plays a key role in raising awareness and providing information. It publishes guides, recommendations, and opinions to help individuals and businesses understand—and comply with—their rights and obligations regarding data protection.

It even organizes awareness campaigns to inform the general public about these issues.

3. Verify and sanction

The CNIL (in English, the National Commission for Information Technology and Civil Liberties) intervenes not only to prevent, but also to punish violations of privacy.

With powers of control and sanction, it can carry out inspections and audits to verify that data processing complies with regulations. And in the event of non-compliance, the CNIL can even impose sanctions—ranging from simple warnings to substantial fines.

4. Receiving and handling complaints

The CNIL is also responsible for receiving and processing complaints from individuals concerning the protection of their personal data. It examines complaints, conducts investigations if necessary, and may take measures to remedy any violations found.

5. Award certifications and labels

To promote best practices in data protection, the CNIL issues certifications and labels. These certify that a company's practices comply with current standards, thereby providing official recognition and a guarantee of quality.

How does the CNIL work?

A well-regulated structure

The CNIL is composed of a college of 18 members:

  • 1 member of the Commission for Access to Administrative Documents (CADA);
  • 2 members of the Economic, Social, and Environmental Council;
  • 4 members of parliament (2 representatives and 2 senators);
  • 5 qualified individuals (appointed by the Speaker of the House of Representatives, the President of the Senate, and the Cabinet);
  • 6 representatives from the highest courts (2 members of the Council of State, 2 members of the Court of Cassation, 2 members of the Court of Auditors).

It is structured into different divisions, each with specific responsibilities:

  • legal support;
  • protection of rights and sanctions;
  • technology and innovation;
  • public relations;
  • administration and finance.

What is the CNIL's budget?

The CNIL is mainly funded by a government grant, supplemented by contributions from administrative penalties imposed on offenders.

In 2023, its annual budget amounted to approximately €23 million.

This sum is primarily intended to cover the Commission's operating expenses, but it is also used for:

  • conducting audits;
  • organizing awareness campaigns;
  • developing tools and services designed to help individuals and businesses protect their data.

These resources enable it to deploy a team of experts comprising lawyers, engineers, and IT specialists.

How does the CNIL collaborate with other national entities?

The CNIL does not operate alone. It works closely with other French entities, all of which aim to strengthen personal data protection and ensure compliance with legislation.

It works in partnership with other independent administrative authorities, such as the Ombudsman and the Commission for Access to Administrative Documents (CADA), to address cross-sectoral issues. It also cooperates with ministries, in particular the Ministry of the Interior and the Ministry of Justice, to ensure the consistent and effective implementation of data protection rules.

On a smaller scale, the CNIL also plays an active role in supporting businesses and local authorities by offering them guides, training, and advice to help them comply with the requirements of the General Data Protection Regulation.

And internationally?

Just because the CNIL is a 100% French institution does not mean that it does not collaborate with data protection authorities around the world! It is a member of the European Data Protection Board (EDPB) and, as such, participates in the development and harmonization of data protection policies within the EU.

The CNIL also exchanges information and best practices with equivalent organizations in other countries. The goal? To facilitate the management of cross-border privacy issues.

And that's not all: it works with international organizations, such as the Article 29 Working Party and the Organization for Economic Cooperation and Development (OECD), to promote high standards of data protection worldwide.

What regulatory frameworks for the CNIL?

The General Data Protection Regulation (GDPR)

As you probably know, but it never hurts to remind yourself: the GDPR, which came into effect on May 25, 2018, is the main European regulation on personal data protection. Its objectives? To harmonize data protection laws across all EU member states and strengthen individuals' rights to privacy and security of personal information.

And what about the CNIL in all this? It is responsible for ensuring compliance with the GDPR in France. In this context, it is committed to:

  • informing and raising awareness among citizens and businesses about the GDPR through guides and training courses;
  • conducting audits and checks to verify organizations' compliance with the GDPR;
  • imposing fines in the event of non-compliance;
  • handling complaints from citizens regarding violations of their data protection rights.

The Data Protection Act

This is THE law that led to the creation of the CNIL in 1978. Amended several times (notably to adapt to the GDPR), it is France's leading legislation on personal data protection.

It guarantees individuals' rights to access, rectify, erase, and transfer their data. At the same time, the CNIL imposes strict obligations on companies and government agencies regarding the collection, processing, storage, and security of this same personal data.

The ePrivacy Directive

The ePrivacy Directive, also known as the "Privacy and Electronic Communications Directive," complements the GDPR. It specifically regulates electronic communications data, such as cookies, geolocation data, and metadata. The CNIL oversees the implementation of this directive in France, in particular by regulating the use of cookies and trackers on websites.

Actions and interventions by the CNIL: a few examples

Penalties for companies

In 2023, the CNIL's figures skyrocketed: 340 inspections, 42 penalties (twice as many as in 2022), including 36 fines totaling €89,179,500.

However, this crackdown is nothing new: in January 2019, the CNIL imposed a record fine of €50 million on Google for failing to comply with its obligations regarding transparency, information, and consent under the GDPR. The reason? The Commission found that:

  • the information provided by Google to users was not easily accessible or understandable;
  • consent for the personalization of advertisements was not validly obtained.

Two years later, in December 2020, the CNIL also fined Carrefour France and Carrefour Banque a total of €3 million, and Amazon €35 million, for various infringements related to:

  • excessive data collection;
  • non-compliant data retention practices;
  • violations of user rights.

Compliance checks

The CNIL also had a role to play during the COVID-19 pandemic! It participated in the evaluation and supervision of contact tracing apps, such as "StopCovid" in France. It ensured that these apps complied with data protection principles, particularly with regard to consent and the minimization of data collected.

Guidelines

But the CNIL does more than just monitor and sanction: it regularly intervenes to regulate behavior by publishing guidelines and best practices.

In particular, it has worked on regulating the use of video surveillance systems in both public and private spaces. That is why, in 2020, it published recommendations for the use of video surveillance in businesses, emphasizing the importance of:

  • proportionality;
  • information for data subjects;
  • data security.

Speaking of surveillance... In 2020, the Commission updated its guidelines on the use of cookies and other trackers, strengthening the requirements for prior consent and clear information for internet users. True to its mission, it then carried out checks and imposed sanctions on companies that did not comply with these new rules.

Awareness campaigns

To avoid having to impose excessive penalties, education is key. The CNIL therefore regularly organizes awareness campaigns to inform the public about data protection. These campaigns cover a wide range of topics, from online data security to the protection of personal information on social media.

An example? The CNIL has been actively involved in Cybermoi/s, an event organized every year throughout October by ANSSI and Cybermalveillance.gouv.fr: webinars, password generation tools (Phrase2passe), posters, etc. The Commission spares no expense in raising awareness among businesses and individuals.

Reports and publications

Every year, the CNIL publishes its comprehensive activity report. It details its actions, trends observed in data protection, and challenges ahead.

But that's not all: it produces numerous reference documents: guides, standards, recommendations, reference methodologies, etc., all tailored to the needs of the various sectors concerned.

Research and innovation

You may not know it, but the CNIL also has close ties with the world of research. In particular, it organizes an annual Privacy Research Day, an international conference that brings together regulators and researchers to discuss the subject of privacy.

It also works on developing new privacy protection technologies, such as Privacy by Design and Privacy Enhancing Technologies (PETs).

In addition to promoting innovation, the Commission also has a role in supporting it. In this context, in 2023 it published a roadmap on artificial intelligence aimed at:

  • encouraging the development of privacy-friendly AI;
  • collaborating with and supporting the most innovative stakeholders in the sector;
  • auditing existing systems.

Further proof that the CNIL is in step with the times, and particularly with our current environmental context, is that it has chosen the intersection between data protection and the environment as the subject of its ninth IP notebook from the Digital Innovation Laboratory (LINC).

Impact and repercussions of the CNIL

For individuals

For individuals, the CNIL is a guarantor of the protection of personal data rights. Individuals can exercise their rights (access, rectification, deletion) using the tools and resources provided by the CNIL. It also intervenes to protect citizens against abuse and violations of their personal data.

For businesses

Companies must comply with CNIL regulations, which involves implementing robust data protection measures. The CNIL provides guidelines and recommendations to help companies comply with legislation (particularly the GDPR), and CNIL certifications can serve as proof of compliance.

For society

The CNIL plays a key role in promoting a culture of data protection in France. Its impact is felt not only through regulation and sanctions, but also through public awareness and education. It contributes to the creation of a digital environment that is secure and respectful of individual rights... A great program, isn't it?

In practice: the question box

Who is affected by the CNIL?

Any individual or legal entity (companies, associations, government agencies) that collects or processes personal data in France.

What are individuals' rights with regard to data protection?

Right of access: consult personal data held by an organization

Right to rectification: correct inaccurate or incomplete data

Right to erasure (right to be forgotten): request the deletion of data

Right to restriction of processing: restrict the use of data

Right to portability: receive the data in a structured, commonly used format and transfer it to another data controller

Right to object: object to the processing of data for legitimate reasons

How can you exercise your rights with the CNIL?

Individuals can file a complaint online on the CNIL website, send a letter by post, or contact the CNIL by telephone. They must provide specific information about the organization concerned and the nature of the alleged violation.

What are the obligations of companies and organizations?

  • Inform individuals about the collection and processing of their data
  • Obtain explicit consent from individuals for certain categories of data
  • Ensure data security and confidentiality
  • Appoint a data protection officer (DPO) in certain cases
  • Keep a record of processing activities

What penalties can be imposed by the CNIL?

The CNIL may impose various penalties, ranging from warnings and formal notices to financial fines of up to €20 million or 4% of the company's global annual turnover (whichever is higher).

How does the CNIL handle complaints?

The CNIL examines each complaint to determine whether an investigation is necessary. It may request additional information from the complainant or the organization concerned. If a violation is found, the CNIL may initiate disciplinary proceedings.

In short

The CNIL is, above all, a key player in the protection of personal data in France. Its role has evolved with technological advances and legislative changes, but its fundamental mission remains the same: to protect individual freedoms in the digital world.

By continuing to inform, regulate, and sanction, the CNIL ensures that citizens' privacy is respected and that personal data is processed securely. In a world where data plays an increasingly crucial role, the CNIL is more important than ever in ensuring a balance between innovation and the protection of individual rights.
