FRANCE: New cooperation agreement between the CNIL and DGCCRF

By Denise Lebeau-Marianna and Caroline Chancé


On 31 January 2019, the French Data Protection Supervisory Authority (CNIL) and the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF, authority in charge of consumer protection) signed a new protocol of cooperation to improve protection of personal data of consumers.


This new protocol replaces a previous agreement signed by the two French authorities in 2011 and is aimed at reinforcing their cooperation in consumer protection and adapting it to the new digital challenges: advances in data collection and processing technologies, fast development of ecommerce, proliferation of the Internet of Things (IoT), acceleration of the “customer experience race” (which requires businesses to get more and more customer insights to satisfy rising demands, offer ever more personalized and meaningful cross-channel experiences and effectively engage with hyperconnected customers), etc.

By joining forces, the French data protection authority and the French consumer protection authority hope to:

  • Better inform consumers about the risks they face when sharing their personal data, and spread good practices implemented by professionals;
  • Facilitate the exchange of information regarding violations of consumer protection law and of consumer data protection law;
  • Conduct joint controls;
  • Make joint proposals for action at EU level;
  • Pool expertise, notably regarding investigation tools; and
  • Share their analysis of the evolution of the legal and regulatory consumer and data protection framework.

An annual report will be produced to monitor the outcomes of this cooperation between the CNIL and DGCCRF.

The new protocol has not been published yet, but we will update this post as soon as it becomes available.

In any case, this new agreement clearly shows the French authorities’ determination to ensure strong consumer protection, in particular with respect to the processing of consumers’ personal data. This announcement came only 10 days after the CNIL imposed the largest penalty pronounced by an EU data protection supervisory authority (50 million euros) against a company (Google LLC) for breaching GDPR for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising (for an analysis of the CNIL’s decision, you can read our previous post), which reinforces the impression that authorities are getting ready for some enforcement actions.

A new era of consumer and data protection litigation is therefore up and running! B2C businesses will need to be more careful than ever in the way they collect and process consumer personal data, the way they inform consumers of such processing, etc. They should review all their privacy documentation to ensure that the level of information is sufficiently precise, easily understandable and available to consumers. They must also ensure that all the key principles of the GDPR are respected in an effective manner.

But have no fear: although it is usually seen as a burden and as putting a brake on business and innovation, compliance with GDPR can in fact be a powerful tool to ensure confidence and increase competitiveness, as we explain in our article for Law A La Mode (published last November and which covers different trends in the retail sectors in relation to GDPR).

The DLA Piper Paris Data Protection, Commercial & Litigation Teams are experienced in handling consumer and data protection litigation in front of both administrative (such as the CNIL and DGCCRF) and judicial authorities.


For more information, please contact Denise Lebeau-Marianna or Caroline Chancé.