Greetings from Brussels!

This week, the CNIL officially announced its annual compliance monitoring and audit priorities for 2021. As is the case with many of the other national data protection authorities, the CNIL will continue to prioritize the follow-up on complaints in connection with the current pandemic and health crisis. In addition to this, the CNIL will orient its control functions around website cybersecurity, general security of customer and consumer data, health data security, and the use of cookies.

During 2020, website security vulnerabilities were among the most common flaws identified by the CNIL. Data security notifications rose significantly in 2020, increasing by 24% compared with 2019, with 2,825 notifications received. The CNIL continues to see cybersecurity as an ongoing risk where French websites are concerned. Specific attention will be paid to the mechanisms for personal data collection and the use of the HTTPS security protocol, as well as compliance by organizations with CNIL recommendations on areas such as passwords and authentication measures. The CNIL will also seek information on organizational contingencies and strategies deployed to safeguard against ransomware.

Not surprisingly, health data security figures high on the CNIL agenda. This is a common trend emerging across Europe as health data continues to play a central role in the COVID-19 recovery. Coupled with the growth of digitalization, the health sector faces acute challenges around issues such as managing access to patient histories and the online platforms used for processing and sharing medical data and files. Health sector controls and investigations were already a focus in 2020. In particular, the deployment of safeguards against data breaches will be of primary interest to the authority. Incidentally, the Dedalus France group, a software solutions provider, recently suffered a data breach impacting 28 laboratory clients across France and affecting more than half a million French citizens. That cyberattack is now subject to a joint investigation by the national agency for the security of information systems, the ministry of health and the CNIL. Continued inspections of the sector will allow the CNIL to further its assessment of, and guidance on, data protection and security levels with respect to French health data.

The third priority will be the monitoring of compliance with the applicable rules around storing or reading non-essential cookies and other tracking technologies. This effort was launched in April 2020, and the CNIL is carrying the priority into this year with an extended scope: verifying adherence to the CNIL’s updated guidelines and recommendations relating to the collection of user consent, as adopted 1 Oct. last year. With the adoption, the CNIL allowed a transition period of six months for organizations to comply. That deadline will expire at the end of this month, and the authority intends to carry out inspections to enforce the guidelines thereafter.

I spoke with Yann Padova, IAPP country leader for France, to get a local opinion on the priorities. For one, this is the first time the CNIL has carried a priority (cookies) over into a successive year, which speaks to the enforcement ahead. Building on the fines levied against U.S. tech firms for alleged French cookie law violations last December, Padova observed that there seems to be a shift in focus toward EU and French companies, so we can possibly expect more investigations in this regard. Cybersecurity as a focus is increasingly mainstream as the frequency and complexity of data breach incidents rise; it is “one of the very few proactive sources of information received by regulators from companies and administrations along with complaints,” Padova added. Notably, in France, ransomware and health data breaches have received heavy media coverage of late, so clearly this requires CNIL attention as a function of public opinion. Lastly, it should be noted that the authority’s inspection resources are finite, and the unfolding of data-related incidents will likely determine the level of reactive versus proactive activity this year.