On May 11, 2021, the National Commission for Computing and Liberties published its Activity Report over the year 2021. Increased mobilization on cybersecurity and reinforcement of repressive action: the year that has just ended will have been particularly intense for the CNIL.
14,143 complaints were filed in 2021
In all, the CNIL will have received 14,143 complaints in 2021. In its activity report, the Commission specifies that it has closed 12,522. It has also carried out 384 checks. These checks revealed breaches, which prompted the CNIL to issue 135 formal notices and 18 sanctions. In total, the CNIL distributed fines for an amount of 214 million euros.
Cyberattack: Russia hacked a network of satellites just before the invasion of Ukraine
Illustration: CNIL
During the summer of 2021, the CNIL had, for example, imposed a fine of 1.75 million euros on AG2R La Mondiale, for a failure to comply with the obligations relating to the GDPR (general regulation on data protection). It is one of the main objectives of the CNIL : “provide legal certainty to all professionals with regard to the GDPR, regardless of their sector of activity and their size”.
The CNIL specifies that 89 of the 135 formal notices related to cookies, one of the priority themes set by the French organization for this year 2022. This is undoubtedly the subject with which the Commission is most confronted. In 2020, the cookie policy has been tightened. The CNIL wanted to modify the rules and make their use more complex for advertising purposes. Over the past two years, an unprecedented control campaign has brought to light numerous non-compliant practices.
The CNIL has found a level of cybersecurity that is too low
Alongside control and repression actions, the Commission has also developed new tools to enable the development of virtuous digital innovation. According to the report, this translated in practice into the “setting up a first personal data sandbox for health”. Thanks to this innovative device, 12 projects were supported by the CNIL, including 4 in a reinforced way.
As explained by Marie-Laure Denis, president of the CNIL, “the permanent emergence of new technologies and the omnipresence of personal data processing in all areas of life are the challenges that the CNIL will still be facing in 2022”. One of the CNIL’s missions is also to act in the field of cybersecurity. 22 checks were carried out, including 15 with public bodies.
During its investigations, the CNIL found “obsolete cryptographic suites making websites vulnerable to attacks, shortcomings regarding passwords and, more generally, insufficient resources with regard to current security issues”. In 2022, the Commission wishes pursue this collaborative regulation strategy and stay close to the field.