Cookies, video surveillance and ransomware: the Cnil almost overwhelmed in 2021

The Commission is concerned about the lack of means at its disposal to take on its new missions, which will be decided within the framework of the new European legislation on digital technology.

The Cnil, guardian of the privacy of Internet users in France, was mobilized on multiple fronts in 2021, from “cookies”, with significant sanctions pronounced against the giants of the web, to cybersecurity and data sovereignty. It is an intense level of activity for which the institution requires more resources.

While the number of complaints seems to have reached a “high plateau” at more than 14,000, the year 2021 was “unprecedented” in terms of sanctions, “both in terms of the number of measures adopted (18 sanctions and 135 formal notices) and the cumulative amount of fines, which reaches more than 214 million euros” (+55%), the Commission detailed in its annual report published on Wednesday.

After giving companies time to adapt on the subject of “cookies”, the web trackers widely used by advertising giants, the Cnil was able this time to rely on the European GDPR, which provides for fines of up to 4% of turnover.

Thus, Google and Facebook were sanctioned in December to the tune of 150 and 60 million euros respectively, because “they did not allow millions of Internet users to refuse ‘cookies’ as easily as to accept them”, recalled the president of the Cnil, Marie-Laure Denis, during a press conference. The two giants have since indicated that they have modified their interface, noted the Cnil.

The regulator reiterated its warning on the traffic analysis tool Google Analytics, on which it announced 3 formal notices.

“The recent announcement of an agreement in principle (on data transfers, editor’s note) between the EU and the United States is an important first step, but does not at this stage modify the legal framework for transfers. In the absence of a text, which will not be ready for several months, the actors must take measures to ensure compliance with data protection”, declared Marie-Laure Denis.

Having received no response from the American company Clearview, which was given formal notice to remove the images of people residing in France from its database used for facial recognition purposes, Marie-Laure Denis said she was “seriously considering entering the restricted commission of the Cnil” to launch a sanction procedure.

The Commission has also observed a dramatic increase in reports of data breaches, more than 14 per day on average, linked to companies' awareness of the obligation to report any leak of personal data, but also to the “very strong growth in computer attacks, in particular ransomware attacks”, which primarily target companies, communities and public bodies, particularly in the health sector.

Some 3,000 breaches, or 59% of reports, were the result of hacking, and more than 2,150 were related to ransomware, it found.

Faced with this growing activity and the prospect of obtaining new missions through the new European regulation on digital technology (DSA, DMA, Data Act, regulation on artificial intelligence, ePrivacy regulation), the Cnil wants to develop its practice.

It intends to “take more small sanctions” based on a simplified procedure allowing the president of its restricted formation alone to impose fines of up to 20,000 euros and penalties of up to 100 euros per day.

“When, for example, we sanction a dentist’s office, we have found that it makes it possible to bring an entire sector into compliance”, justified Marie-Laure Denis.

“It is a real need to reinforce the means of the Cnil”, she continued. The institution will have 270 agents at the end of 2022 for a budget of some 22 million euros, still far from its British and German counterparts, which have nearly 1,000 agents.

Victoria Beurnez with AFP
