Communication from the CNIL on its website
Each year, the French Data Protection authority (the CNIL) decides to focus part of its controls on three specific topics, in parallel to controls following complaints from data subjects or current events. The authority has just unveiled the new themes that will occupy it this year: direct marketing, surveillance in the context of remote work and the use of cloud computing.
Direct marketing, whether carried out electronically, by telephone or by post, is a subject that impacts a very large number of people on a daily basis. The rules in this area differ according to the means used: prior consent for electronic means (e-mail, SMS, push notifications, etc.), the right to object for telephone or postal means. With regard to direct marketing by telephone, in France people also have the possibility to oppose it globally in advance by registering on the governmental service Bloctel.
The CNIL has announced that it will allocate significant resources on this issue, based partly on its guidelines on processing activities related to “commercial management”, which was recently published in its final version. The authority also specifies that its actions will focus in particular on the compliance of data brokers specializing in the resale of data.
Surveillance in the context of remote work
The worldwide pandemic linked to COVID-19 has led companies to accelerate their digital transition and to equip themselves to enable remote work. In this context, many new tools have been developed or at least adopted on a large scale: communication software (videoconference, chat), collaborative work software, etc.
The CNIL believes that some of these tools allow employers to monitor more closely the daily tasks and activities of their employees. Therefore, it considers important to verify the conditions under which these tools have been deployed and are used in practice.
Use of cloud computing
Cloud computing services have, for the moment, given rise to relatively few decisions and positions from the CNIL. This situation should change in 2022, as the authority believes that these technologies should be given special attention.
The CNIL has already identified a particularly sensitive issue in the context of the use of cloud computing: the massive transfers of data outside the EEA that the use of these services may involve. The CNIL should therefore carefully study the measures put in place by data exporters and importers to ensure that transfers comply with the GDPR and the principles set out in the CJEU’s “Schrems II” ruling. The authority will also analyze the compliance of contracts between data controllers and cloud providers acting as processors.
The CNIL specifies that this issue should also be linked to the action launched on February 15, 2022 by the European Data Protection Board (EDPB). Indeed, the EDPB has just announced a coordinated action of twenty-two European supervisory authorities concerning the use of cloud services in the public sector. This action, which will take place during most of 2022, should target more than seventy-five public bodies in Europe. In France, the CNIL announced that its own controls will target five ministries.
In 2022, the CNIL will therefore take various actions on each of these topics, which may result in simple formal notices or formal sanction procedures. Data controllers and processors involved in processing activities corresponding to these themes can already take stock of their practices and take any necessary corrective action.