Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas Since our last post, the French Supervisory Authority (the “CNIL”) has published a Q&A and a post on June 7, 2022 regarding Google Analytics, where it highlights the key points of its formal notices and gives some practical advice to website operators. Lessons to be drawn from …
The French Supervisory Authority (the “CNIL”) sent a Formal Notice to a web operator using Google Analytics ordering to comply. Though the decision has been taken against one web site it should apply to the use of Google Analytics in general. It should be noted that the European Data Protection Supervisor (“EDPS”) took the same …
On 31 December 2021, the restricted committee of the French Data Protection Supervisory Authority (“CNIL”) (i) fined Facebook Ireland 60 million euros and Google a total of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for failing to allow the users of facebook.com, google.fr and …
Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) websites cybersecurity, (ii) health data protection and (ii) cookies. 1. Websites cybersecurity Website security incidents are among the most common non-compliances identified by the CNIL during its …
The CNIL’s key priorities for upcoming dawn-raids in 2021 Read More »
By Denise Lebeau-Marianna – Partner and Yaël Hirsch – Senior Associate The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …
On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoes retail company, SPARTOO SAS, by a €250,000 fine and an injunction to comply with GDPR within 3 months under penalty for various non-compliances with the GDPR of the personal data processing related to clients, prospects and employees[1]. I. Factual background and …
In its landmark decision of the 24th of September (C-507/17), the EU Court of Justice in Luxembourg has sided with Google over a claim by the French supervisory authority regarding the application of the so-called ‘right to be forgotten’. This right refers to the ability for individuals in Europe to demand that search engines, such …
Europe: ‘Right to be forgotten’, but only in Europe? Read More »
By Denise Lebeau-Marianna and Caroline Chancé On 11 April 2019, the French Data Protection Supervisory Authority (CNIL) published two draft standards intending to provide practical guidance in relation to the processing of personal data for HR management and whistleblowing systems. The purposes of such standards is to: Assist businesses in their compliance process, and Help …
FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes Read More »
By Denise Lebeau-Marianna (Partner) & Alexandre Balducci (Associate) Why did the CNIL adopt a specific regulation for the use of biometric data processing in the workplace? In accordance with Article 9 (4) of the General Data Protection Regulation (GDPR) which provides that “Member States may maintain or introduce further conditions, including limitations, with regard to …
FRANCE: THE FIRST CNIL STANDARD REGULATION FOR BIOMETRIC SYSTEMS IN THE WORKPLACE Read More »
By Denise Lebeau-Marianna and Caroline Chancé On 31 January 2019, the French Data Protection Supervisory Authority (CNIL) and the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF, authority in charge of consumer protection) signed a new protocol of cooperation to improve protection of personal data of consumers. This new protocol replaces a …
FRANCE: New cooperation agreement between the CNIL and DGCCRF Read More »
By Denise Lebeau-Marianna, Caroline Chancé and Alexandre Balducci On 21 January 2019, the restricted committee of the French Data Protection Supervisory Authority (CNIL) fined Google LLC 50 million euros for breaching GDPR for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising. This is the first decision rendered by the CNIL …
By Denise Lebeau-Marianna and Caroline Chancé On 18 January 2019, French President Emmanuel Macron announced his intention to appoint Marie-Laure Denis as the next president of the French Data Protection Supervisory Authority (CNIL). If her nomination is confirmed by the Parliament, Marie-Laure Denis will take over the presidency of the CNIL on 1st February 2019, a position …
FRANCE: Marie-Laure Denis expected to become the new CNIL president Read More »
By Denise Lebeau-Marianna and Yaël Hirsch On 12 December 2018, the French Government issued an ordinance[1] finalizing, at the legislative level[2], the alignment of the French Data Protection Law (“FDPL”) with the General Data Protection Regulation[3] (“GDPR”) and the Directive 2016/680[4]. Following-up the adoption of the GDPR, the French Law No. 2018-493 related to personal data protection[5] …
FRANCE: ONE MORE STEP TO ENSURE CONSISTENCY OF THE NEW FRENCH DATA PROTECTION LAW Read More »
By Denise Lebeau-Marianna and Tiphaine Caulier The French Data Supervisory Authority (the CNIL) released guidance on December 28th 2018 on the principles to be followed when an organization that collects personal data through online or hard copy forms, shares it with business partners or data brokers to send SMS or emails for marketing purposes. To comply …
FRANCE: CNIL PUBLISHES GUIDANCE ON DATA SHARING FOR MARKETING PURPOSES Read More »
The French Council of State affirmed the EUR 25,000 fine imposed by the CNIL on Editions Croque Futur (challenges.fr) for non-compliance with French data protection law, and in particular cookie requirements. The facts go back to 2014-2015 when the French data protection authority (the CNIL) found out that French company Editions, Croque Futur, publisher of …
FRANCE: Website publisher fined for violation of the cookie requirements Read More »
Immediately after the entry into application of the GDPR, the CNIL received several complaints over “forced consent” and unlawful processing. On May 25, the non-profit European Center for Digital Rights (known as nyob for “none or your business”), founded by Max Schrems, filed four, very similar, complaints over “forced consent” against Google (Android), Instagram, WhatsApp …
FRANCE: First GDPR complaints lodged with the CNIL Read More »
The newly adopted French data protection law is already challenged by Senators who requested a constitutional review the day after the new law’s adoption. This had been announced: at least 60 Senators have referred the new French data protection law to the French Constitutional Council. Despite the accelerated procedure initiated by the Government in December …
FRANCE: The new data protection law under Constitutional review Read More »
On 9 February 2018, the French National Assembly adopted at first reading the new draft data protection law implementing the EU General Data Protection Regulation (“GDPR”) and EU Data Protection Directive on Police and Criminal Justice Cooperation into French law. After two days of discussion and 180 amendments reviewed, the French National Assembly has adopted …
FRANCE: Draft data protection law – one step closer to a final version Read More »
By Denise Lebeau-Marianna and Caroline Chancé On September 29, 2017, the French data protection authority (the CNIL) published practical guidance on General Data Protection Regulation (“GDPR”) requirements intended for data processors. The objective is to guide them on how to comply with their new obligations. Under the GDPR, data processors have new responsibilities and liabilities in …
By Florence Guthfreund-Roland and Mathilde Hallé Pursuant to several provisions of the French Code Monétaire et Financier, entities from the banking and financial sector are required to implement processes and strategies to detect, measure and manage operational risks within their group (on a consolidated basis). Fraud prevention/detection systems must be adapted to the entities’ activities and …
FRANCE: CNIL adopts new single authorization on fraud prevention systems Read More »
