Tag: CNIL
19. May 2023
The French Data Protection Authority (CNIL), also known as the AI Action Plan, released a statement on May 16, 2023, outlining its artificial intelligence policy. This strategy expands on the CNIL’s prior work in the field of AI and contains a number of projects targeted at encouraging the adoption of AI systems that respect people’s right to privacy.
The four key goals of the AI Action Plan are as follows:
Increasing awareness of AI systems and how they affect people: The newly created artificial intelligence service at the CNIL will place a high priority on addressing critical data protection issues related to the creation and use of AI applications. These problems include preventing illegitimate scraping of publicly accessible online data, securing user-transmitted data within AI systems and guaranteeing users’ rights over their data with regard to AI training datasets and created outputs.
Directing the creation of AI that respects privacy: The CNIL will publish guidelines and best practices on a variety of AI subjects in order to enable organizations engaged in AI innovation and to get ready for the eventual adoption of the EU AI Act. Along with advice for the creation of generative AI systems, this will include a thorough manual on the regulations governing data exchange and reuse.
Supporting creative actors in the French and European AI ecosystem: The CNIL prioritizes the defense of fundamental rights and freedoms in France and Europe while attempting to promote innovation within the AI ecosystem. The CNIL intends to issue a call for projects inviting participation in its 2023 regulatory sandbox as part of this endeavour. It also aims to promote more communication among academic groups, R&D facilities, and businesses engaged in the creation of AI systems.
The CNIL will create an auditing tool specifically made for assessing AI systems in order to conduct audits and ensure control over these systems. It will keep looking into AI-related grievances brought to its attention, especially those involving generative AI.
10. January 2023
After receiving several complaints , in November 2022, the French Data Protection Authority (CNIL) decided to impose a fine of 300.000 Euros upon the French phone operator FREE for several violations of the rules contained in the GDPR.
In particular, findings included violations of:
- Article 12 and 21 GDPR, regarding transparent communication on how the data subjects can exercise their rights, in particular the right of erasure.
- Article 15 GDPR, regarding the right of access by the data subject.
- Article 32 GDPR, regarding the security of personal data.
- Article 33 GDPR, as FREE did not comply with the obligation to document a personal data breach.
As a consequence of these findings, CNIL decided to impose a fine upon FREE, with an order to comply with the GDPR’s rules regarding the management of access and erasure requests and to justify this compliance within three months from the decision, with an additional fine of 500 Euros for each day overdue.
28. October 2022
The French data protection authority CNIL imposed a fine of 20 million Euros on Clearview AI, being the latest in a line of authorities deeming the processing activities of the biometrics company unlawful under data protection law.
Clearview AI is a US company that extracts photographs and videos that are directly accessible online, including social media, in order to feed its biometric image database, which it prides itself to be the biggest in the world. Access to the search engine based on this database is offered to law enforcement authorities.
The case
The decision followed several complaints from data subjects in 2020, which led to the CNIL’s investigations and a formal notice to Clearview AI in November 2021 to “cease the collection and use of data of persons on French territory in the absence of a legal basis” and “facilitate the exercise of individuals’ rights and to comply with requests for erasure.” However, the company did not react to this notice within the two-month deadline imposed by the CNIL. Therefore, the authority imposed not only the fine but also an order to Clearview AI “to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it had already collected, within a period of two months.” In addition, it set a “penalty of 100,000 euros per day of delay beyond these two months.”
CNIL based its decision on three breaches. First, Clearview AI had processed the data without a legal basis. Given the “intrusive and massive nature of the process which makes it possible to retrieve the images present on Internet of the millions of internet users in France”, Clearview AI had no legitimate interest in the data processing. Second, the CNIL sanctioned Clearview AI’s inadequate handling of data subjects’ requests. Lastly, it penalized the company’s failure to cooperate with the CNIL.
The impact of the decision
For over two years, Clearview AI has been under the scrutiny of data protection authorities (“DPA”s) all over the world. So far, it has been fined more than 68 million Euros in total. Apart from CNIL’s fine, there have been fines of 20 million Euros by Greece’s Hellenic DPA in July 2022, over 7.5 million pounds by the UK Information Commissioner’s Office in May 2022 and 20 million Euros by the Italian Garante in March 2022.
CNIL’s decision was likely not the last one, considering that the all-encompassing nature of Clearview AI’s collection of personal data that – given the company’s business model – inevitably concerns EU data subjects. Whether the company will comply within the two-month period is yet to be seen.
30. August 2022
On August 24th, 2022, the Austrian NGO noyb announced that it had filed a complaint against Google with CNIL, the French Supervisory Authority in the context of direct marketing emails.
According to noyb, several google users on whose behalf noyb filed the complaint, have received advertising emails for which these users have not given their consent. This would however contravene Art. 13 (1) ePrivacy Directive which reads the following: “the use […] of electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.”
The issue of “inbox advertising” has also received the attention of the Court of Justice of the European Union (CJEU). In its judgment from 2021, the CJEU pronounced itself on the lawfulness of this advertising practice holding the view that emails sent to user’s inbox for the purpose of direct marketing require consent.
Noyb highlights in its announcement that “[s]pam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider.”
It remains to be seen whether this complaint will lead to the imposition of a fine by the CNIL.
29. June 2022
On June, 23, 2022, the Italian Data Protection Authority (Garante) released a statement on the use of Google Analytics (GA) holding the view that the use of GA by Italian websites without otherwise applicable safeguards violates the GDPR.
Garante comes out as the third data protection authority within the EU that declares the transfer of personal data through GA illegal. Earlier this year, CNIL and the Austrian data protection authority delivered a decision each, both coming to the same conclusion, namely that the use of GA violates the GDPR.
What lead to this statement is that Garante had received a number of complaints. However, it is also the product of coordination with other European privacy authorities.
In its reasoning, Garante assigns a special role to cookies that help GA to collect personal data, such as the IP address, visited pages, type of browser, and the kind of operating system. Garante considers it as proven that personal data is being transferred to the US when using GA. Garante reiterates that IP addresses qualify as personal data and that the pseudoanonymisation undertaken by GA is not sufficient to protect personal data from being accessed from US governmental agencies.
Garante called on all controllers and processors involved in Italian website operations for compliance and ordered a period of 90 days to comply with their obligations under the GDPR. The statement further states: “The Italian SA calls upon all controllers to verify that the use of cookies and other tracking tools on their websites is compliant with data protection law; this applies in particular to Google Analytics and similar services.”
25. February 2022
Following complaints received, but also on its own initiative, the French data protection supervisory authority Commission Nationale Informatique et Liberté (hereinafter ‘CNIL’) carries out checks, also based on reports of data protection violations. CNIL has published three topics for 2022 on which it will focus in particular. These topics are: commercial prospecting, surveillance tools in the context of teleworking, and cloud services.
With regard to commercial prospecting, CNIL draws particular attention to unsolicited advertising calls, which are a recurring complaint to CNIL in France.
In February 2022, CNIL published a guideline for “commercial management”, which is particularly relevant for commercial canvassing.
Based on this guideline, CNIL will control GDPR compliance. The focus here will be on professionals who resell data.
Regarding the monitoring tools for teleworking, identified as CNIL’s second priority, CNIL aims to assist in balancing the interests of protecting the privacy of workers who have the possibility of home office due to COVID-19 and the legitimate monitoring of activities by informing the rules to be followed for this purpose. CNIL believes that employers need to be more strictly controlled in this regard.
Last but not least, CNIL draws particular attention to the potential data protection breaches regarding the use of cloud computing technologies. Since massive data transfers outside the European Union can be considered here in particular, activities in this area must be monitored more closely. For this purpose, CNIL reserves the right to focus in particular on the frameworks governing the contractual relationships between data controllers and cloud technology providers.
14. February 2022
On 10th February 2022, the French Data Protection Authority Commission Nationale de l’Informatique et des Libertés (CNIL) has pronounced the use of Google Analytics on European websites to not be in line with the requirements of the General Data Protection Regulation (GDPR) and has ordered the website owner to comply with the requirements of the GDPR within a month’s time.
The CNIL judged this decision in regard to several complaints maybe by the NOYB association concerning the transfer to the USA of personal data collected during visits to websites using Google Analytics. All in all, NOYB filed 101 complaints against data controllers allegedly transferring personal data to the USA in all of the 27 EU Member States and the three further states of European Economic Area (EEA).
Only two weeks ago, the Austrian Data Protection Authority (ADPA) made a similar decision, stating that the use of Google Analytics was in violation of the GDPR.
Regarding the French decision, the CNIL concluded that transfers to the United States are currently not sufficiently regulated. In the absence of an adequacy decision concerning transfers to the USA, the transfer of data can only take place if appropriate guarantees are provided for this data flow. However, while Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, the CNIL deemed that those measures are not sufficient to exclude the accessibility of the personal data for US intelligence services. This would result in “a risk for French website users who use this service and whose data is exported”.
The CNIL stated therefore that “the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL therefore ordered the website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU. The website operator in question has one month to comply.”
The CNIL has also given advice regarding website audience measurement and analysis services. For these purposes, the CNIL recommended that these tools should only be used to produce anonymous statistical data. This would allow for an exemption as the aggregated data would not be considered “personal” data and therefore not fall under the scope of the GDPR and the requirements for consent, if the data controller ensures that there are no illegal transfers.
16. December 2021
France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has published a guidance on the use of alternatives to third-party cookies.
The guidance aims to highlight that there are other ways to track users online than through third-party cookies, and that it is important to apply data protection principles to new technologies with tracking ability.
In the guidance, the CNIL gives an overview on what cookies are and the difference between first-party and third-party cookies, as well as the meaning of the two for personalized advertisement targeting.
It also highlights consent management and collection as being the key role to ensure a data protection compliant online tracking culture for new tracking methods and technologies. Further, the guidance also emphasizes that consent is not the only important requirement. In addition, online tracking and targeting methods should ensure that users keep control of their data and that all data subject rights are allowed and facilitated.
In light of this, the CNIL has gone ahead and published a guide for developers to help outline how to implement data protection compliant third-party cookies and other tracers in order to sensibilize people that are part of the implementation process as to how to stay compliant.
However, the CNIL also issued about 60 cookie compliance notices and 30 new orders to organizations for not offering users a data protection compliant ability to refuse cookies.
The CNIL has stepped up efforts to tackle cookie management and consent in order to ensure the rights and freedom of the data subjects in relation to their personal data online are kept safe. It has made clear that cookies are its main focus for the upcoming year, and that it will continue to hold companies liable for their insufficient data protection implementation.
11. August 2021
On August 6, 2021, Amazon disclosed the ruling of the Luxembourg data protection authority Commission nationale pour la protection des donées (CNPD) in an SEC filing, which imposed a record-breaking €746 million fine on Amazon Europe Core S.à.r.l. for alleged violations of the EU General Data Protection Regulation (GDPR) on July 16, 2021.
Based on press reports and Amazon’s public statements, the fine appears to relate to Amazon’s use of customer data for targeted advertising purposes.
The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that aims to represent the interests of thousands of Europeans to ensure their data is used according to data protection law in an attempt to avoid Big Tech companies manipulating their behavior for political or commercial purposes. The complaint also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers and alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.
Amazon stated that they „strongly disagree with the CNPD’s ruling“ and intend to appeal. „The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The amount of the fine is substantially higher than the proposed fine in a draft decision that was previously reported in the press. The French data protection authority (CNIL) said Luxembourg’s decision, which is “of an unprecedented scale and marks a turning point in the application of the GDPR and the protection of the rights of European nationals.“
The CNIL confirmed the CNPD fined Amazon, and other European member states agreed to the Luxembourg decision. Amazon will have six months to correct the issue.
29. July 2021
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a fine of 400,000 € on the U.S.-based biotechnology corporation Monsanto Company for contravention of Article 14 GDPR regarding the information of data subjects about the collection of their personal data and Article 28 GDPR concerning contractual guarantees which lay down relations with a data processor.
In May 2019, several media outlets revealed that Monsanto was in possession of a file containing personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers). The investigations carried out by the CNIL disclosed that the information had been collected for lobbying purposes. The individuals named on this “watch list” were Monsanto’s opponents and critics from several European countries, meant to be “educated” or “monitored”. This strategy should have influenced the debate and public opinion on the renewal of the authorization of glyphosate in Europe, a controversial active substance contained in Monsanto’s best-known product for weed control. The reason for the still current scientific controversy is the causation of diseases by glyphosate, most notably cancer.
The file included, for each of the individuals, personal data such as organization, position, business address, business phone number, cell phone number, business email address, and in some cases Twitter accounts. In addition, each person was given a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues such as pesticides or genetically modified organisms.
It should be noted that the creation of contact files by stakeholders for lobbying purposes is not illegal per se. While it is not necessary to obtain the consent of the data subjects, the data have to be lawfully collected and the individuals have to be informed of the processing.
In imposing the penalty, the CNIL considered that Monsanto had failed to comply with the provisions of the GDPR by not informing the data subjects about the storage of their data, as required by Article 14 GDPR. In addition, none of the exceptions provided in Article 14 para. 5 GDPR were applicable in this case. The data protection authority stressed that the aforementioned obligation is a key measure under the GDPR insofar as it allows the data subjects to exercise their other rights, in particular the right to object.
Furthermore, Monsanto violated its obligations under Article 28 GDPR. As a controller, the company was required to establish a legal framework for the processing carried out on its behalf by its processor, in particular to provide data security guarantees. However, in the CNIL’s opinion, none of the contracts concluded between the two companies complied with the requirements of Article 28 para. 4 GDPR.
