The National Commission for Informatics and Freedoms (Cnil), guardian of the privacy of the French in the face of digital technology, pronounced 14 sanctions and 49 formal notices in 2020, according to the institution's annual report.
An increase compared to 2019, where the Cnil had pronounced 8 sanctions and 42 formal notices.
In 2020, several companies were pinned by this Commission, such as the Spartoo e-commerce site last August.
The company was fined 250,000 euros for failing to comply with the General Data Protection Regulation (GDPR).
This European text entered into force in 2018 and the CNIL is responsible for enforcing it in France.
Regarding the site specializing in the online sale of shoes, the Cnil had noted
"a breach of the principle of data minimization"
, and estimated, in particular, that
"the full and permanent recording of telephone calls received by customer service employees
[was]
excessive ”.
Read also: The CNIL rules on cookies come into force
A few months later, in November, it was Carrefour's turn to be pinned.
The French gendarme imposed a fine of 3 million euros on two companies in the large distribution group for violating European rules on personal data.
Seized of several complaints against the group, "
the CNIL noted shortcomings concerning the treatment of the data of the customers and the potential users
".
Carrefour France then paid the sum of 2.25 million euros and Carrefour Banque, 800,000 euros.
Increased revenue from fines
In total, the fines imposed in 2020 represent 138.5 million euros against 51.4 million euros a year earlier, under the effect of two record sanctions for Google and Amazon under their cookie policy ( respectively 100 and 35 million euros). The number of complaints received by the CNIL decreased slightly in 2020, with 13,585 complaints received. But the number of notifications of personal data breaches increased by 24% to 2,825, due in part to a wave of ransomware attacks seen in 2020. Hacking alone is responsible for 1,315 notifications personal data breach, i.e. + 70% over the previous year. The number of visits to the CNIL site also increased by 21% to 9.7 million, a record level according to theinstitution.
Read also: Cyber attacks: why your health data is so fragile and coveted
In a foreword, the president of the CNIL, Marie-Laure Denis, believes that the health crisis has “
proved the great robustness of the GDPR
”.
“
The GDPR has shown itself to be flexible enough to allow member states of the European Union to take into account the need to process and share information in an exceptional health context
,” she added.
Read also: The Cnil brings downsides to the health pass
The CNIL has thus authorized 89 scientific research projects on Covid-19 requiring access to personal data, out of a hundred files received, she indicates in her report. This involved, for example, the reuse of data from the medical files of patients who were not able to be informed, subject to allowing them a right of erasure later. Or to accept that the data of minors be used with the authorization of only one parent, if it was too difficult to consult the other parent in time.