By Pascale Gelly and Elisabeth Quillatre

CNIL annual report 2008

The French data protection authority (CNIL) issued its 29th annual report on May 13. The 2008 report outlines the key topics addressed by the authority last year, such as peer-to-peer, video surveillance, processing activities around fraud, the G29 presidency, and more. The CNIL also presented data protection challenges, asking whether privacy is an endangered sphere, how best to protect and assist businesses, whether there should be no limit to European and international police cooperation, and whether surveillance of vulnerable people is justified. The authority also stressed its role in assisting businesses facing e-discovery requests.

The CNIL increased its staff resources to 120 last year and hopes for 132 staff members by the end of 2009.

In 2009, the authority wants to work on its financing sources, and is very much in favor of having businesses that process personal data contribute to its funding.

The authority received 4,244 claims and completed 218 investigations in 2008, a 33 percent increase over the previous year. Twenty-five percent of investigations resulted from individuals’ claims. The CNIL issued 126 injunction letters to infringers. Most infringements have been resolved, since only 10 entities were sanctioned (with penalties ranging from mere warnings to fines of up to 30.000 euros).

The report states that onsite investigations will remain a priority in 2009.

In addition, 3,679 organizations have appointed data protection officials (correspondants à la protection des données personnelles) leading to a total number of 989 DPOs, some being shared resources.

Intelligent advertising screens under CNIL’s authority

The CNIL conducted an onsite investigation of “intelligent” advertising LCD screens managed by the RATP (Paris public transportation company) and installed in one of the most frequented Paris subway stations at the beginning of this year. (See April 2009 Privacy Advisor, Global Privacy Dispatches, “Behavioral video surveillance in the Paris subway.”)

These “intelligent” devices broadcast ads and measure audience reaction via closed-circuit television (CCTV) cameras, enabling them to count the number of people stopping by and to calculate the time people spend looking at the ads.

During its investigation, the CNIL found that only statistical data were processed, and that images were neither recorded nor transferred to third parties, nor seen by providers.

Yet, the CNIL believes that this activity could be considered as processing of personal data, therefore subject to data protection law. The mere fact that statistics are issued after analyzing images of citizens’ identifiable faces, which are considered personal data under the European Directive 95-46-EC, supports this.

Thus, the CNIL considers itself competent to assess the legitimacy of these audience-measurement devices, as well as to assess the relevance of the data collected and to ensure that the rights of data subjects are guaranteed.

Data transfer: a faster authorization process will come

The law “simplification and clarification of the law; simplification of procedures” has finally been passed.

Previously, the CNIL individually examined requests for transfer authorizations during plenary sessions and authorized them by an express deliberation.

With this new law, the CNIL now gives its president the authority to authorize data transfers outside the European Union. The CNIL hopes this fast-track process will be used for routine types of data transfers.

Additionally, this new law lets the CNIL publish its opinion on bills at the request of the president of one of the Parliament’s permanent committees. It also simplifies the CNIL process to deliver a quality label for products and procedures intended to protect individuals’ privacy.
For more on this law, see the Privacy Advisor, March 2009, Global Privacy Dispatch article “Hope for a fast(er) data transfer authorization process.”

Online store sanctioned for spam

CDiscount, one of Europe’s most successful online discount retailers, has been sanctioned by the CNIL for non-compliance with a data subject’s right to object to the use of personal data for direct marketing purposes.

According to Article 38 of the French Data Protection Act, any natural person “is entitled to object, at no cost to himself, to the use of the data relating to him for purposes of canvassing, in particular for commercial ends, by the controller of a current or a further data processing.”
After failed attempts to unsubscribe from CDiscount mailing lists using the opt-out means provided by this data controller, several Internet users filed complaints with the CNIL. CDiscount claimed that technical problems with its software module were to blame, and that those problems had been resolved. Yet the CNIL continued receiving claims from Internet users who tried unsubscribing not only by clicking on the link, but also by e-mail, postal mail, and via a surcharged phone number, in vain. The CNIL then sent a formal notice to CDiscount. The notice went unanswered. The company said it was not delivered to the appropriate person in the company.

As a consequence, the CNIL imposed a €30.000 fine, stating that the Internet users’ requests were unfulfilled.

The CNIL acknowledged CDiscount’s commitment to appointing a data protection correspondent.


A High Authority for the distribution of works and the protection of rights on the Internet was created by the so-called HADOPI law, passed by the Senate on May 13.

One of its missions is to protect copyrighted works from infringement committed over electronic communications networks.

It is entitled by law to obtain the data retained and processed by operators, as well as the identity and contact details of subscribers whose network access has been used to reproduce or provide protected works without authorization.

In case of infringement, the subscriber may receive a warning letter through the ISP. In case of a repeat infringement within six months, the commission may send a second recommendation. If another infringement takes place within the year following the last letter, then after contradictory proceedings, the commission may request the suspension of the network access (two months to a year) or issue an official injunction to prevent repeated infringements, unless a settlement is found with the subscriber.

Secondary legislation is necessary before this HADOPI law can be implemented in order to address, in particular, the means of appeal and the specificities of the data processing the High Authority may carry out.

This HADOPI law has given rise to controversies. Therefore, it is no surprise that this text is now challenged before the constitutional court.

Pascale Gelly and Elisabeth Quillatre of the French law firm Cabinet Gelly can be reached at

