The CNIL’s key priorities for upcoming dawn-raids in 2021

Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) website cybersecurity, (ii) health data protection and (iii) cookies.

1. Website cybersecurity

Website security incidents are among the most common non-compliances identified by the CNIL during its dawn-raids. Data breach notifications also increased by 24% in 2020 and continue to show double-digit growth in the European Union (please see in this respect DLA Piper’s Data breach report 2021).

The CNIL already underlined in 2020 that the cybersecurity of websites was a key issue. The CNIL will therefore continue in 2021 to check the security levels of French websites and, in particular, personal data collection forms, use of the HTTPS protocol, compliance with its recommendations on passwords, and strategies implemented to protect against ransomware.

2. Health data security

While health data security was already a key topic for the CNIL in 2020, the current health crisis has further highlighted the challenges arising from the ever-growing digitization of the health sector. The recent health data breach of an online hosting platform, which affected the health data of nearly 500,000 data subjects, has also led the CNIL to increase its dawn-raids in the health sector, focusing in particular on the digitalization of patient file management within health establishments and on online medical appointment booking platforms.

3. Cookies

In response to ongoing user complaints regarding internet tracking, the CNIL published new Guidelines and Recommendations on the use of cookies and other trackers in October 2020, which have been effective since 1 April 2021. (For further information on the Guidelines and Recommendations, please see DLA Piper’s post 1 and post 2.) The CNIL will thus increase its controls of the conformity of websites with its Guidelines and Recommendations. Some of these controls already started last year, with several decisions such as the one notably against Carrefour, where the absence of clear information on the purposes of the cookies and the possibility to reject cookies as easily as to accept them were under the CNIL’s scrutiny. It is worth noting that such controls are facilitated by the CNIL’s extended powers to carry out controls online.

For any question related to this decision, please contact Denise Lebeau-Marianna, Partner or Yaël Hirsch, senior associate – Data Protection – IPT Department DLA Piper France LLP.  Manon Zaoui.

Authors: Denise Lebeau-Marianna, Yaël Hirsch, Manon Zaoui.