Under the EU Charter of Fundamental Rights, all member states were required to create a data protection authority. These agencies are tasked with protecting the data rights of EU citizens in their member state. France's data protection authority is the CNIL.
In this article, we will discuss what the CNIL is, what its responsibilities are, and its general effects on business.
What is the CNIL?
In contrast to newer data protection agencies, like the Spanish AEPD, the Commission Nationale de l’informatique et des Libertés (CNIL) was created in 1978, beginning its main activities in 1980. The organization was formalized in response to the SAFARI program – an attempt by the French government to create a centralized database of all French citizens. Today, it is the French administrative, regulatory body responsible for enacting data privacy law. It ensures that the collection, storage, and use of French citizens’ personal data is in accordance with both French law and the GDPR.
The CNIL comprises seventeen members from several government entities – four of which must be members of the French parliament. The other twelve members are elected by their respective organizations.
What are the CNIL's responsibilities?
The CNIL’s responsibilities were originally described in the French Data Protection Act (1978). The CNIL’s mission is to:
- Inform French citizens of their data privacy rights
- Protect the data privacy rights of French citizens
- Regulate and advise the French government
- Propose and enact certifications and corporate rules that create conformity
- Liaise and participate in the European Data Protection Board (EDPB)
- Inspect data collection and administer penalties
- Appraise new technologies that may affect the data privacy rights of French citizens
How does the CNIL relate to the EU?
The EU Charter of Fundamental Rights first formalized the right of EU citizens to the protection of their personal data. Under the initial European Data Protection Directive, data protection agencies in each member state were provided a set of standards with which to guide the drafting of legislation.
However, recently those common standards have been replaced by the overarching framework of the GDPR. The GDPR is managed by the EDPB – which is composed of representatives from the national data protection authorities of EU member states, including the CNIL.
Therefore, while legislation is passed at the European level, the enforcement and guidance are conducted in France by the CNIL.
Thus, the CNIL is responsible for enforcing three laws:
- French Data Protection Act
- The GDPR
- ePrivacy Directive
The last of these was enacted in 2002 to legislate the confidentiality of communications and the rules governing tracking and monitoring.
If any of the above laws are violated, the CNIL has the power to issue fines. For violations of the GDPR, organizations can be fined up to €20 million or 4% of annual global turnover – whichever is higher.
Who is subject to the CNIL?
Anyone familiar with the GDPR will know that any organization that offers its goods and services (paid or free) to EU citizens, or monitors EU citizens' online activity, is subject to the regulation. That means any organization that collects, uses, or discloses EU citizen data should be doing so in accordance with the GDPR.
That does not include websites that do not cater to EU citizens but which can be accessed by EU citizens: for example, the website of a local restaurant in London.
However, France also has numerous overseas territories, which are considered an integral part of the French state. Therefore, any business that falls into either of the following two categories is required to comply with the CNIL:
- Businesses based in France or French Overseas Territories
- Businesses collecting or processing personal data of French citizens (in the metropole or the overseas territories)
What are the consequences of CNIL non-compliance?
The most obvious consequence of non-compliance is a fine. The CNIL notably fined Google in a 2016 case (see below).
Typically, the CNIL will issue a fine either:
- Following a complaint or report of a violation
- Following a CNIL-led investigation
Either way, the chair of the CNIL can appoint a rapporteur from among the CNIL's commissioners. The organization under investigation is informed and provided with the relevant documentation. Then, the restricted committee – composed of five CNIL commissioners and a chairperson – reviews the case.
If a violation is found, the organization must pay a fine within the limits set out in the GDPR.
Notable cases of the CNIL
Like the Spanish AEPD, the CNIL's most notable case involved Google and the "right to be forgotten" concept. The CNIL argued that Google should respect French rulings on the right to be forgotten worldwide. Google argued, however, that this could lead to abuses in "less open and democratic" states.
Previously, while French citizens could have their search results deleted in the European version of Google, they would still appear globally. The CNIL ordered Google to enact the same policy for all global results. The tech giant was fined €100,000 for non-compliance.
Yet, Google appealed the decision, stating that:
"If French law applies globally, how long will it be until other countries – perhaps less open and democratic – start demanding that their laws regulating information likewise have a global reach?"
Indeed, similar criticisms have been raised regarding the EU GDPR's "extraterritorial effects."
With the GDPR still the most stringent data protection legislation worldwide, it’s critical to understand the enforcement arm for the EU member states. For the past forty years, the CNIL has been responsible for defending the data privacy rights of French citizens globally.
For further information on their responsibilities and activities, please refer to the CNIL website.