The CNIL unveils its investigation strategy for 2021

Communication of the CNIL on its website, dated 3 March 2021

Every year, the CNIL decides to focus its enforcement action on a few key topics, in addition to launching investigations following complaints or news events. This year’s priorities, which the CNIL recently unveiled, remain mostly identical to last year’s.

Cookies and other tracers

This topic was also a star of 2020. The main difference for 2021 is that the CNIL will now extend its investigations to verifying compliance with the rules on consent, as supplemented by the CNIL’s latest guidelines and practical recommendations on cookies (published on October 1st, 2021).

As a reminder, the CNIL had left stakeholders until the end of March 2021 to bring their cookie consent mechanisms into compliance with the new rules. However, in 2020 the CNIL still launched several investigations to verify companies’ compliance with the other rules regarding cookies and other tracers which were not affected by the CNIL’s new guidance – e.g., providing sufficient information before placing cookies.

Security of health data

The CNIL wishes to continue its program of investigations initiated in 2020 on this topic. This is not surprising considering the ongoing health crisis and the recent events in France, where the press shed light on a very serious data breach which involved the unauthorized public disclosure of health data concerning almost 500,000 persons.

Cybersecurity of French websites

Cybersecurity will be the only new key topic of the CNIL’s investigations program for 2021. According to the French data protection authority, security breaches impacting websites were among the most numerous compliance defects identified by the CNIL in 2020.

The CNIL indicated that it would focus its verifications on data collection forms, the use of the HTTPS protocol as well as on password security.

The French authority also announced that it would pursue its cooperation with its European counterparts, noting that, in 2020, it was designated as a lead authority in over 100 cases and participated in enforcement actions as a concerned authority in over 400 other cases.