The CNIL’s Missions
Informing & Educating
The CNIL has the general mission of informing individuals of the rights accorded to them by the French Data Protection Act.
The CNIL responds to requests made by individuals and companies alike. In 2013, it received almost 125,000 telephone requests for advice or further information.
The CNIL leads awareness campaigns targeting the general public by means of the press, its website, social networks and targeted workshops. In addition to being directly asked to lead training programmes on the Data Protection Act within many organisations, companies, or institutions, the CNIL also participates in conferences, seminars, and workshops in order to inform and be informed. It brings together a collective of over 60 organisations that lead campaigns in favour of education on the digital world.
Protecting the Rights of Citizens
Any individual can contact the CNIL when they are experiencing difficulties in exercising their data protection rights. The CNIL ensures that citizens can effectively access their data contained in the processing. In 2013, the CNIL received 5640 complaints, which include:
- e-reputation (requests for the erasure of data on the internet);
- commerce (requests to stop publicity by mail);
- human resources (supervision mechanisms like video surveillance or the geolocalisation of vehicles);
- and banks and loans (objection to their registration within the files of the Banque de France).
Focus: Filing Complaints Online
The CNIL offers on its website an online complaint service for handling complaints such as: the erasure of personal data on the internet, the objection to receiving publicity by mail, and the updating of the accuracy of personal data.
It’s Your Right!
The Right to Access, to Object and to Rectify
Everyone has the right to be informed of all data stored in a file by directly contacting those who have created and store the file. Moreover, they have the right to obtain a copy of the data, with the cost of doing so remaining equal to that of the reproduction of the data. Any individual also has the possibility to object to the processing of their personal data on legitimate grounds. They can refuse the filing of their data without having to justify themselves, if the information requested will be used for commercial purposes. Everyone can rectify, complete, update, block or erase information about them when this information is declared to be erroneous or inexact; moreover, this also extends to cases of prohibitions on the collection, use, communication or conservation of said data.
The Right to Access National Security, Defence and Public Security Files
On behalf of citizens, the CNIL can access national security, defence, and public security files that contain their data, especially surveillance and judicial police files. This type of access is called indirect access. When requesting the CNIL to consult these files, one must write a letter to the CNIL indicating precisely their address and their telephone number as well as including a photocopy of their identity card.
Regulating & Advising
The regulation of data protection is carried out through different tools:
- authorisations that implement data processing;
- official opinions on the government’s draft legislation that will impact data protection or create new files;
- legal frameworks simplifying the completion of prior formalities;
- recommendations allowing the CNIL to establish its doctrine in different domains; and
- requests for advice from data controllers, which are being sent in higher quantities and notably by data protection officers.
The 2013 annual activity results show a dramatic increase in activity compared with 2012, with more than 2,500 adopted decisions and deliberations.
Accompanying the Conformity
The objective is to propose a conformity “toolbox” by using the different means of action at the CNIL’s disposal: the data protection officers (Correspondants Informatique et Libertés) who form a privileged network of experts; the development of certifications and Binding Corporate Rules that frame transfers of personal data within multinational companies outside the EU; the creation of “conformity packages” that are sector-based reference models covering an entire sector or professional branch.
The Certifications
The CNIL now has the power to deliver certifications for products or procedures that deal with data protection.
The “certification CNIL” allows a company to distinguish itself from others by the quality of its services. For users, it is a trust indicator on products and procedures that allows them to identify and favour organisations that guarantee a high level of protection for their personal data.
Data Protection Officers (CILs)
In an era when the digital world is inherent to our daily lives, the data protection officers (CILs) have become absolutely essential actors within public and private organisations which deal with personal data.
Ensuring an optimal level of protection for personal data is not only a legal obligation, but also a question of the company’s credibility regarding the users or the clients. In 2013, almost 13,000 organisations chose to appoint a data protection officer in order to reinforce the technical and legal security of their international heritage.
Anticipating Innovation
As part of its innovation and prospective work, the CNIL strives to consolidate two objectives: taking into consideration, at a very early stage, new subjects such as trends, technologies or upcoming uses for data; and assessing case studies and analyses brought about by innovative tools and projects.
The Laboratory
The CNIL constructed a laboratory within its walls that is dedicated to the testing and experimentation of cutting-edge products and applications. This laboratory makes it possible to obtain products at their beta stages in order to test their functions and evaluate their potential impact on the private lives of citizens. Keeping “privacy by design” in mind, the CNIL strives to reinforce its consulting role for companies with regard to the integration of personal data requirements within their technological developments. Finally, the CNIL aims to contribute to the development of technological solutions that protect citizens’ private lives.
The Prospective Committee
In order to reinforce its mission to elaborate and reflect on potential prospects, the CNIL created in 2012 the Prospective Committee that brings together six external experts. This committee strives firstly to be the coordination committee of scientific studies led by the CNIL. The two main missions of the Prospective Committee are the annual establishment of the studies led by the CNIL and the exploration of new fields of studies.
The Thesis Award
The thesis award “Informatique et Libertés” recognises the value of academic works and strives to encourage the development of research regarding data protection and privacy rights in universities. This award covers many different disciplines such as social sciences, law, political science and economics, as well as technical fields. A sum of €7,000 is given to the winner in order to facilitate the publication of their thesis.
Inspecting and Sanctioning
Ex-post inspections are considered to be the CNIL’s favoured method of intervention with data controllers. They allow the CNIL to verify the concrete implementation of the law.
The programme of interventions is established according to current events and the high-level issues (new technologies, problematic current events and revelations) that the CNIL is called upon to inspect.
The CNIL has the competence to inspect video surveillance systems established within the French territory. It has performed 130 video surveillance inspections in 2013 alone.
Regarding inspections or complaints, the CNIL’s restricted committee (composed of 5 members and a Chair other than the CNIL’s Chair) can render various types of sanctions which include:
- A warning, which can be made public.
Hypothetically, if the CNIL’s Chair has already officially rendered an order and if the data controller does not change its practices to conform to the order, the restricted committee can render more coercive sanctions after respecting the contradictory principles within administrative procedures:
- A monetary sanction (except for Government data processing) of up to €150,000 and up to €300,000 for repetitive violations. This sanction can be made public; moreover, the restricted committee can demand the sanction be published in the press at the cost of the sanctioned organisation. The total amount of the sanctions will be collected by the Public Treasury and not by the CNIL.
- A cease-and-desist injunction on the data processing.
- A withdrawal of the prior authorisation given by the CNIL.
In cases of immediate and grave violations of fundamental rights and freedoms, the CNIL’s Chair can refer a request to the competent jurisdiction to order any necessary security measure. It can also denounce any violations of the French Data Protection Act to the State Prosecutor.