Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource (feed dated Thu, 17 Aug 2023)

France: the CNIL has released its annual dawn raid program for 2023: four national priorities and one priority coming from the EDPB!
https://privacymatters.dlapiper.com/2023/03/france-the-cnil-has-released-its-annual-dawn-raid-program-for-2023-four-national-priorities-and-one-priority-coming-from-the-edpb/
Mon, 20 Mar 2023 12:20:27 +0000
Authors: Denise Lebeau-Marianna, Divya Shanmugathas and Lucie Dubecq-Princeteau

On 15 March 2023, the French Supervisory Authority (the “CNIL”) unveiled in a post its four key priorities for its 2023 investigations, each targeting a specific sector (1). It added a fifth topic, relating to DPOs, in line with the coordinated enforcement framework of the European Data Protection Board, to gauge whether DPOs are able to perform their role properly (2).

As a reminder, in 2022, the CNIL priority topics were (i) direct marketing (ii) monitoring telework and (iii) the use of cloud computing (see our previous post).

1. The national key priorities for 2023

  • Use of “smart” cameras by public stakeholders

With the upcoming 2024 Olympic and Paralympic Games in France and the usage of such devices in large-scale sporting events planned for 2023 (rugby world cup), the CNIL provided guidance and published opinions on the use of so-called “smart” cameras:

  • Last July, the CNIL published its position on the deployment of these cameras in public spaces. This document provides guidance on the conditions applicable to the use of this technology which presents high risks to the data subjects’ right to privacy.
  • At the end of last year, the CNIL also gave its opinion on the draft Law relating to the 2024 Olympic and Paralympic Games which notably introduces the possibility to implement, on an experimental basis, smart cameras in areas accessible to the public for detecting and reporting in real-time predetermined events likely to threaten the safety of people.

The CNIL’s roadmap for its dawn raids in 2023 is thus to check that the use of “smart” cameras complies with this legal framework.

  • The use of the personal credit repayment incidents file by banks

A file named “Fichier des incidents de crédit aux particuliers” (FICP) (personal credit repayment incidents file), held by the Banque de France, includes information on payment incidents related to overdrafts and loans granted for non-professional needs, as well as information on over-indebtedness. Banks are required to consult this file before granting a loan. Given the sensitivity of such a file, the related processing activities represent a high risk for data subjects.

It is therefore paramount to ensure that the entries in this file are accurate and that its retention period and management conditions (e.g., the handling of data subjects’ rights) comply with data protection law. The CNIL will also check the measures implemented to ensure the security of the data.

  • The access to the electronic patient record in health care institutions

The security of health data has already been under the CNIL’s scrutiny over the past years and was the subject of investigations in health care institutions in 2020 and 2021.

For 2023, the CNIL will continue to focus on the health care sector. Particular attention will be paid to the conditions of access to the electronic patient record in health care institutions, and in particular to the technical and organizational security measures implemented to ensure the security of health data. This decision follows several complaints filed with the CNIL about unauthorized access by third parties to patient records held by health care institutions.

  • Tracking of users by mobile applications

Phone manufacturers enable application publishers to track users for advertising, statistical or technical purposes through device identifiers (e.g., Apple IDFA and IDFV, Google AAID). These identifiers, which are equivalent to cookies, are generally used without informing the user or obtaining consent. Since presenting its three-step action plan on privacy in mobile apps in November 2022 (see, in French only), the CNIL has carried out several investigations into applications that access identifiers generated by the smartphone operating system without the users’ consent. The CNIL will continue these investigations in 2023.

Last December, the CNIL already fined a publisher of smartphone video games €3 million for using Apple’s IDFV identifier for advertising purposes without the users’ valid consent (see, in French only).

2. Support to the coordinated enforcement framework regarding Data Protection Officers

On the same day as the CNIL’s publication, the European Data Protection Board (EDPB) issued a press release announcing the launch of a coordinated enforcement action to assess whether Data Protection Officers (DPOs) have the position within their organization that the GDPR requires. The CNIL will verify the conditions of appointment and the way the DPO function is exercised.

In France, the CNIL has already published a practical guide on DPOs (see our previous post). In line with the EDPB, the CNIL is likely to send questionnaires for fact finding, to determine whether an investigation is warranted, and to conduct investigations where needed. The results of this initiative will be analyzed in a coordinated manner and the Supervisory Authorities will decide whether national supervision and enforcement actions are necessary. The EDPB will publish a report on the outcome of this analysis in aggregated form.

Once again, the coming year promises to be a busy one for the CNIL and organizations targeted by this new annual dawn raid program.

For more information, please contact denise.lebeau-marianna@dlapiper.com, Partner.

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics
https://privacymatters.dlapiper.com/2022/06/france-the-cnil-provides-further-insights-following-its-formal-notices-against-the-use-of-google-analytics/
Mon, 13 Jun 2022 18:58:40 +0000
Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas

Since our last post, the French Supervisory Authority (the “CNIL”) has published, on June 7, 2022, a Q&A and a post regarding Google Analytics, in which it highlights the key points of its formal notices and gives practical advice to website operators.

  1. Lessons to be drawn from the formal notices regarding the use of Google Analytics

The CNIL confirms that, although the formal notices were issued only against certain French companies (notably those specifically targeted by NOYB’s complaints), all websites using Google Analytics are concerned. Hence, the anonymized publication of the formal notices is a call from the CNIL to all website operators using Google Analytics to bring their websites into compliance.

Therefore, “all controllers using Google Analytics similarly to the companies targeted by the formal notices should consider the use thereof as unlawful under the GDPR”. Thus, the CNIL prompts all website operators using Google Analytics to find alternative solutions with sufficient safeguards.

While the legal issues raised by Google Analytics have been examined in coordination with other EU Supervisory Authorities, each website operator subject to a claim has been investigated on a case-by-case basis in accordance with the responses provided by each organization.

  2. Why is Google Analytics non-compliant?
  • The standard contractual clauses entered into between Google and website operators are not sufficient to ensure by themselves an adequate level of protection. The supplementary measures implemented by Google – whether contractual, organizational, or technical – are ineffective against access requests by US intelligence services.
  • The setup of Google Analytics does not prevent the transfer of personal data outside the EU since all personal data collected via Google Analytics is hosted in the US. The sole use of solutions subject to third-country laws is likely to raise difficulties in terms of access by foreign government authorities to personal data hosted in the EU (unless such access is based on an international agreement in compliance with Article 48 of the GDPR). This begs the question whether companies should only use solutions offered by EU companies.
  • The CNIL further notes that (i) even though an IP-anonymization function exists, it does not apply to all transfers as it is optional, and (ii) it is unclear whether the anonymization takes place before the data is transferred to the US. The CNIL also states that the use of unique identifiers alone may render an individual identifiable when combined with other information such as browser or operating system metadata. Finally, the CNIL explains that the combined use of Google Analytics with other Google services, such as marketing services, may increase the risk of tracing individuals since it may allow their browsing history to be retraced across a huge number of sites.
  • Regarding the encryption of the personal data, the CNIL finds that it is not effective, since Google LLC performs the encryption itself and must provide access both to the data in its custody and to the encryption keys needed to read that data in the clear. To be considered a sufficient supplementary measure, the encryption keys should notably be kept under the exclusive control of the data exporter, or of other entities established in a country offering an adequate level of data protection.
  3. Proxyfication and alternative solutions proposed by the CNIL, subject to stringent conditions

The CNIL opens a window enabling the use of Google Analytics by stating that a solution involving a proxy server that avoids any direct contact between the user’s terminal and Google’s servers could be considered a sufficient supplementary measure. However, the proxy server will have to meet all the criteria applicable to supplementary measures set forth in the EDPB Recommendations of 18 June 2021.

The CNIL also refers to its list of audience measurement tools which do not require users’ consent. Amongst others, the following tools are mentioned:

  • SmartProfile, version 21, from Net Solution Partner,
  • Matomo Analytics, version 4, from Matomo,
  • Eulerian, version 6, from Eulerian Technologies.

However, this list does not address the issues raised by international data transfers, and notably the consequences of the Schrems II decision. Thus, even if a data exporter uses a solution listed by the CNIL, it is not exempted from carrying out a data transfer impact assessment in the event of transfers to a third country.

If such a data transfer impact assessment concludes that supplementary measures are needed, the proxyfication method mentioned above for Google Analytics could be considered an appropriate measure: when properly set up, it allows only pseudonymized data to be sent to servers located outside the EU.

This solution involves both technical and financial considerations for data controllers. The CNIL lists the measures that must be implemented for the proxyfication to be valid, namely:

  • guaranteeing that the IP address is not sent to the server of the measurement tool;
  • replacing the user identifier by the proxyfication server;
  • removing any information on the referer website;
  • re-processing the information that contributes to the generation of a fingerprint;
  • no collection of cross-site unique identifiers;
  • deletion of any data likely to lead to re-identification;
  • the proxyfication server itself must not involve any transfer to a third country outside the EU.

However, the CNIL acknowledges that implementing all these measures can be expensive and complex. As an alternative, the CNIL recommends that controllers use a solution that does not transfer personal data outside the EU.
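As an added illustration (this is example code, not code from the CNIL, Google or any vendor), the filter below models the CNIL’s list of proxy conditions as a transformation applied to each Universal Analytics Measurement Protocol hit before an EU-hosted proxy forwards it. The parameter names (cid, uid, uip, dr, dl, dp, ua, sr, vp, cd1…) follow the public Measurement Protocol; the proxy secret, the per-site keying, the daily rotation of the pseudonym and the sample hit are assumptions of this example. Condition (vii), that the proxy itself sits in the EU and is operated without a third-country transfer, is a hosting decision that no filter can enforce and is only noted in a comment.

```python
"""Pseudonymising filter for a Universal Analytics measurement hit (example code).

Maps the CNIL's proxy conditions onto a hit before the EU proxy forwards it:
  (i)   never forward the client IP (the vendor only ever sees the proxy's egress IP)
  (ii)  replace the user identifier with a keyed pseudonym generated by the proxy
  (iii) drop the referer
  (iv)  coarsen or drop fingerprinting inputs (user agent, screen, viewport, ...)
  (v)   key the pseudonym per site so the same visitor is not linkable across sites
  (vi)  drop custom dimensions/metrics and URL query strings that may re-identify
  (vii) the proxy must itself be hosted in the EU: a deployment choice, not a filter rule
"""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the proxy never forwards to the measurement tool.
DROP_PARAMS = {
    "uip",    # (i)   client IP override
    "uid",    # (ii)  site-assigned user ID
    "dr",     # (iii) document referrer
    "geoid",  # (vi)  geographic override
    "sr", "vp", "sd", "fl", "je",  # (iv) screen, viewport, colour depth, Flash, Java
}
CUSTOM_DIM_OR_METRIC = re.compile(r"c[dm]\d+")  # cd1..cd200, cm1..cm200


def strip_url(url: str) -> str:
    """Keep only scheme, host and path; query strings and fragments often carry tokens or e-mails."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def coarse_user_agent(ua: str) -> str:
    """Reduce a full user-agent string to a browser family (order matters: Edge and Chrome also contain 'Safari')."""
    for marker, family in (("Firefox", "Firefox"), ("Edg", "Edge"), ("Chrome", "Chrome"), ("Safari", "Safari")):
        if marker in ua:
            return family
    return "Other"


def pseudonym(cid: str, site: str, day: str, secret: bytes) -> str:
    """Keyed pseudonym, bound to the site and the day (assumed rotation) so it cannot be joined across sites or days.
    The secret lives only on the EU proxy; the vendor never receives the original cid."""
    msg = f"{site}|{day}|{cid}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise_hit(query: str, site: str, day: str, secret: bytes) -> dict:
    """Return the parameters of one hit as the proxy would forward them."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    out = {k: v for k, v in params.items()
           if k not in DROP_PARAMS and not CUSTOM_DIM_OR_METRIC.fullmatch(k)}
    if "cid" in out:
        out["cid"] = pseudonym(out["cid"], site, day, secret)
    if "ua" in out:
        out["ua"] = coarse_user_agent(out["ua"])
    for key in ("dl", "dp"):  # page URL and page path
        if key in out:
            out[key] = strip_url(out[key])
    return out


# Constructed sample hit (not real traffic): a page view carrying every class of data the filter handles.
SAMPLE_SECRET = b"example-proxy-secret-kept-in-the-eu"
SAMPLE_HIT = urlencode({
    "v": "1", "tid": "UA-00000-1", "t": "pageview",
    "cid": "555.1234", "uid": "user-42",
    "dl": "https://www.example.fr/account?email=alice%40example.fr&token=abc",
    "dr": "https://search.example/?q=my+diagnosis",
    "uip": "203.0.113.7",
    "ua": "Mozilla/5.0 (X11; Linux x86_64; rv:110.0) Gecko/20100101 Firefox/110.0",
    "sr": "1920x1080", "vp": "1200x900", "cd1": "customer-9876",
})

if __name__ == "__main__":
    forwarded = pseudonymise_hit(SAMPLE_HIT, "www.example.fr", "2022-06-07", SAMPLE_SECRET)
    print(urlencode(forwarded))
```

Running the module prints the rewritten hit: the IP, referer, user ID, custom dimension and screen parameters are gone, the account URL has lost its query string, the user agent is reduced to “Firefox”, and the client ID has become a 32-hex-character pseudonym that changes if the same hit is processed for another site.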

  4. A risk-based approach is not admitted

The CNIL finally reiterates that controllers cannot take a risk-based approach relying on the low likelihood of data access requests. As long as such access is possible, additional technical measures as described in the EDPB’s recommendations on measures that supplement transfer tools must be taken in order to make such access impossible or ineffective.

The CNIL thus reaffirms the European position taken since the Schrems II decision, leaving the users of such tools in a difficult situation, in particular where the likelihood of access to the data is very low.

For more information, please contact denise.lebeau-marianna@dlapiper.com, Partner, IPT Department DLA Piper France LLP.

FRANCE: the CNIL is aligned with the Austrian Supervisory Authority – the use of Google Analytics leads to illegal transfers to the United States!
https://privacymatters.dlapiper.com/2022/02/france-the-cnil-is-aligned-with-the-austrian-supervisory-authority-the-use-of-google-analytics-leads-to-illegal-transfers-to-the-united-states/
Mon, 14 Feb 2022 09:03:42 +0000

The French Supervisory Authority (the “CNIL”) sent a Formal Notice to a website operator using Google Analytics, ordering it to comply. Though the decision was taken against one website, it should apply to the use of Google Analytics in general.

It should be noted that the European Data Protection Supervisor (“EDPS”) took the same position against the European Parliament and issued a reprimand for the placement of Google Analytics and Stripe on a Covid-19 testing site without appropriate measures in place. That reprimand prefigured a wave of aligned decisions by EU regulators, which started with the Austrian Authority and is now followed by the CNIL in France, while the Dutch and Danish Supervisory Authorities have already issued statements that they are considering the Austrian decision.

  1. Context of the Formal Notice

Following the 101 complaints filed by the association ‘My Privacy is None of Your Business’ (“NOYB”), the CNIL has indicated that the transfer of personal data to the United States through Google Analytics is illegal.

This position is based on an analysis of the conditions of data processing through Google Analytics and the risks thereof for the data subjects carried out by the CNIL in cooperation with the other EU Supervisory Authorities.

  2. Legal grounds of CNIL’s position

Unfortunately, the CNIL’s communication on its website published on 10 February 2022 remains very high level and does not give a good understanding of the rationale behind the decision, notably in light of the EDPB Recommendations.

We only note that, according to the CNIL:

  • since the invalidation of the Privacy Shield, and in the absence of an adequacy decision, transfers to the United States are currently not sufficiently regulated and do not offer a sufficient level of protection;
  • Google Analytics uses a unique identifier attributed to website visitors, which is personal data; the processing is thus not anonymized;
  • even though Google has adopted additional measures (several of which are those recommended by the EDPB) to secure the transfer of personal data to the US, they are not considered sufficient to prevent access to this data by US intelligence services.

Therefore, transfers of personal data to the United States through Google Analytics are illegal, as they create a risk for the users of French websites using Google Analytics.

The CNIL thus ordered the website operator to make its data processing compliant with the GDPR within one month from the formal notice, “if necessary by stopping to use Google Analytics functionality (under the current conditions) or by using an alternative tool that does not involve a transfer outside the EU.”

The CNIL states in its communication that other formal notices have been issued against other website operators using Google Analytics, and that the EU Supervisory Authorities are also extending their investigations to other tools used by websites that lead to a transfer of personal data to the US.

  3. Key takeaways

Therefore, each company should determine whether:

  • the way it uses Google Analytics involves processing of personal data and, if so, whether its Google Analytics settings can be modified to comply with EU data protection law. If such a change of settings is not possible, the CNIL recommends using alternative tools that do not involve a transfer of data outside the EU, which in practice will have a substantial impact, as Google Analytics is very widely used;
  • it uses other tools on its websites that may involve transfers to the US. In that case, it should either cease using them or anonymize the data processed, unless the providers of such tools can evidence that additional measures ensuring adequate protection have been taken, bearing in mind that the EU Supervisory Authorities currently tend to consider such additional measures generally insufficient, even where the servers are located in the EU, as soon as a transfer to the US is even potentially possible.

 

On the Supervisory Authorities’ side, it would be helpful to have more practical guidance on why the additional measures that cloud service providers have taken since the CJEU’s Schrems II decision are still considered insufficient. Companies are lost and are calling on US and EU authorities to rapidly reach an agreement framing such transfers from the EU to the US. Though discussions are underway, the outcome remains uncertain.

 

For any question related to this decision, please contact Denise Lebeau-Marianna, Partner or Yaël Hirsch, senior associate – Data Protection – IPT Department DLA Piper France LLP.

FRANCE: Cookies – new record sanctions for tech giants – CNIL fines Facebook Ireland 60 million euros and Google 150 million euros.
https://privacymatters.dlapiper.com/2022/01/france-cookies-new-record-sanctions-for-tech-giants-cnil-fines-facebook-ireland-60-million-euros-and-google-150-million-euros/
Sat, 08 Jan 2022 17:51:30 +0000

On 31 December 2021, the restricted committee of the French Data Protection Supervisory Authority (“CNIL”) (i) fined Facebook Ireland 60 million euros and Google a total of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for failing to allow the users of facebook.com, google.fr and youtube.com to reject cookies as easily as they may accept them, and (ii) issued an injunction to remedy the infringement within 3 months, under penalty of 100,000 euros per day of delay.

Beyond the very substantial amount of the fines, in a context where the CNIL has issued several formal notices for non-compliance with cookie regulations since the end of March 2021, these decisions give an opportunity to analyze the CNIL’s expectations and the sanctions that companies targeting French users through their websites may anticipate.

 

1. Context of the infringements sanctioned

The CNIL’s decisions were taken further to:

  • several complaints lodged with the CNIL between October 2020 and July 2021 regarding the cookie practices of Facebook Ireland, Google LLC and Google Ireland Limited (“the Companies”), respectively four complaints against Facebook and two against Google; and
  • online investigations conducted by the CNIL on the Companies’ websites, which revealed that they were failing to comply with the requirements governing cookies under Article 82 of the French Data Protection Act.

Article 82 of the French Data Protection Act and the CNIL guidelines dated 17 September 2020 require that a website’s cookie banner offer users the option to reject cookies as easily as they may accept them. However, although the Companies’ banners displayed a button allowing users to accept cookies immediately, they did not offer an equivalent option (button or otherwise) enabling users to refuse the placement of cookies as easily. Several clicks were necessary to reject all cookies (3 for Facebook and 5 for Google), whereas only one click was necessary to accept them all.

The restricted committee, which is the body responsible for issuing sanctions within the CNIL, ruled that such a method affected the users’ freedom of consent and thus constituted an infringement of Article 82 of the French Data Protection Act, as the several steps required to refuse cookies discouraged users from rejecting them while favoring the opt-in, which was easier to choose.

The restricted committee does not challenge the fact that the Companies offer a choice to accept or refuse cookies, but rather the practical implementation of the refusal mechanism, which is either complex (for Google, where the user has to click on a “personalize” button and go through a detailed page presenting the cookies to make a choice) or unclear (notably for Facebook, where the “cookie settings” page led to an acceptance button that was confusing as to the nature of the cookies accepted). The restricted committee reminds that, next to an “Accept all” button, a “Refuse all” button must be implemented.

 

2. Justification of the sanctions level

Based on the above infringement, the restricted committee issued:

  • two fines against Google for a total amount of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited); and
  • one fine against Facebook Ireland of 60 million euros

Such fines are based on the following considerations:

  • the scope of the processing;
  • the high number of data subjects;
  • the substantial profits generated by the Companies from advertising using the data collected through cookies placed on the basis of a biased consent, whereas other companies which duly offered users the opportunity to reject all cookies as easily as to accept them have seen a decrease in the number of consents and thus in their advertising revenues;
  • the fact that the Companies had already been made aware by the CNIL of their lack of compliance with Article 82 of the French Data Protection Act; and
  • the CNIL’s continuous communication on the necessity of ensuring that refusing cookies is as easy as accepting them.

It is interesting to note that while the fine against Facebook was applied to Facebook Ireland Limited, considered the sole data controller, with Facebook France being the “establishment” of the Facebook group in France, the fine against Google was applied to both Google LLC, based in California, and Google Ireland Limited, considered joint controllers.

In addition, the CNIL issued an injunction ordering each Company to remedy its practices in order to guarantee the users’ freedom of consent within three months from the notification of the CNIL’s decision, subject to a penalty of EUR 100,000 per day of delay.

These sanctions fall within the global cookie compliance strategy that the CNIL started about two years ago. Since 31 March 2021, the CNIL has issued almost 100 formal notices related to cookie infringements by French and foreign websites (including orders to comply with the cookie regulations and sanctions).

 

3. CNIL remains competent even if a Lead Authority has been appointed

The Companies attempted to challenge the CNIL’s competence on the ground that they had designated a Lead Authority, namely the Irish Data Protection Commission.

The restricted committee decision is grounded on the following considerations:

a. Material competence

The CNIL remains materially competent to investigate and sanction operations related to cookies placed by the Companies on the terminals of Internet users located in France. The CNIL used the same rationale as in previous decisions regarding the use of cookies (notably the sanction pronounced on 7 December 2020 against Google) to dismiss Google’s argument that the French data protection authority was not competent to control cookie policies.

The CNIL held that the “one stop shop” mechanism set forth in the GDPR does not apply to the extent its action was related to Article 82 of the French Data Protection Act, which transposes the provisions of the “e-Privacy” directive into French law.

According to the restricted committee:

  • a distinction has to be made between, on the one hand, the operations consisting in placing and reading cookies on a user’s terminal and, on the other hand, the subsequent use made of the data generated by these cookies, for example for profiling purposes, referred to as “subsequent processing” (also known as “post-processing”);
  • each of these two successive stages is subject to a different legal regime: while read and/or write operations are governed by the special rules set out in Article 5(3) of the ePrivacy Directive, and thus fall within the CNIL’s competence, further processing is subject to the GDPR and, as such, may be subject to the “one-stop shop” mechanism if it relates to cross-border processing activities.

Therefore, as the present procedure related only to the reading and/or writing operations in the terminal of users located in France, the CNIL’s competence is confirmed.

b. Territorial competence

The CNIL also remains territorially competent pursuant to Article 3 of the French Data Protection Act, since the use of cookies is carried out within the “framework of the activities” of the French local companies (Facebook France and Google France), which constitute the respective “establishments” of the Companies on French territory.

Each Company may lodge an appeal against the CNIL’s decisions before the Council of State, the highest French administrative court.

Google already appealed the previous CNIL’s decision on cookies dated December 2020 but such appeal was rejected by the Council of State in March 2021.

 

For any question related to this decision, please contact Denise Lebeau-Marianna, Partner or Yaël Hirsch, senior associate – Data Protection – IPT Department DLA Piper France LLP.

Authors: Denise Lebeau-Marianna,  Yaël Hirsch, Paul Sierzputowski
