In 2020, the CNIL fined 11 companies in France. What lessons can be learned from these decisions and fines?

First, companies are almost always inspected by the CNIL, and then sanctioned, following a complaint filed by a data subject. Sanctions were generally issued between 15 and 18 months after the CNIL's initial inspections triggered by the complaint(s).

Second, in determining the amount of the fine, the CNIL took into account not only the size of the company, the number of violations and their seriousness, but also the number of persons concerned (for example, retaining data of more than 3 million former customers and 25 million prospects beyond the required durations), and the company's efforts to remedy the violations during the investigation. For example, Carrefour France was fined 2.25 million euros and its bank, Carrefour Banque, € 800,000[1], whereas Nestor, a small food delivery service, was fined 20,000 euros[2]. In the latter decision, the CNIL also took into consideration the consequences of COVID-19 on the company's financial situation.

Third, in determining the applicable data retention periods, the CNIL took into account consumer behaviour and regular purchasing patterns in the retail sector. Thus, keeping data of inactive clients for four years after their last purchase was deemed excessive[3]. An online sales company was fined for not having defined any data retention period and for not regularly deleting or archiving data. This is consistent with the CNIL's principles (for example, a recommended three-year rule for prospects' data after the last contact, or a two-year rule for candidates' data after the last contact).

Fourth, many decisions concern violations of the data subject information requirements and of the exercise of rights. Often, the information provided was considered incomplete, lacking certain required information[4], or too general and imprecise[5]. As regards the exercise of rights, and access rights in particular, in the Carrefour decision the CNIL noted that the company did not comply with the one-month response period, and found that asking for a copy of the person's ID to verify his/her identity before answering an access request was excessive and unjustified where there was no doubt as to their identity. The CNIL also sanctioned the company for responding only partially to information or access requests. Information and transparency on the data processing remain essential obligations.

Fifth, a number of decisions sanctioned companies for having failed to obtain consent, whether the consent of prospects to receive emails or consent to the use of (advertising) cookies. Where consent had not been obtained, the CNIL also ordered the deletion of the personal data collected without it. On December 7, 2020, Google LLC and Google Ireland Limited were fined a total of 100 million euros for not having obtained users' prior consent to advertising cookies, for not having informed users about such cookies, and for not having fully honoured cookie deactivation requests[6]. Similarly, the CNIL fined Amazon Europe Core 35 million euros for having placed cookies used for advertising purposes on users' computers without obtaining prior consent or providing adequate information[7]. In particular, the cookie banner displayed on the website indicated that cookies were used to allow Amazon to "offer and improve their services". The CNIL found this message too general and approximate, and considered that it did not allow users to understand that the cookies placed on their computer were mainly used to display personalized ads. Furthermore, the banner did not explain to users that they could refuse such cookies, nor how to do so.

Likewise, PERFORMECLIC, a very small two-employee company whose business is to send prospecting messages on behalf of advertisers, was fined 7,300 euros, in particular for failing to prove the prior consent of the individuals to whom messages were sent and for failing to adequately inform them[8].

Sixth, a number of companies were sanctioned for insufficient security of the personal data collected and processed (e.g., no requirement for a robust password, or keeping credit card information for more than six months after an order). Two doctors were thus found to have violated their data security obligation, for not having ensured that personal data was not freely accessible online and for not systematically encrypting the personal data hosted on their servers[9]. They had also failed to notify the data breaches to the CNIL after learning that the medical images were freely accessible online. They were fined € 3,000 and € 6,000 respectively.

Finally, the CNIL regularly reminds companies of their need to comply with the principle of data minimization: only adequate, relevant and limited data should be collected in light of the purpose of the collection. In this regard, the online shoe seller SPARTOO was fined 250,000 euros on July 28, 2020, in particular for recording all of the telephone calls received by its customer service, the sole purpose of such recording being to train the customer service staff. This was deemed excessive insofar as the person in charge of training only listened to one conversation per employee per week, while customers' banking data were recorded and retained. Moreover, a badging system used to control employee working hours, which took the employee's picture each time, was deemed excessive, as a simple badging system would have been sufficient unless specific circumstances justified also taking the person's picture. Furthermore, it was noted that no use was made of the pictures. The company was not fined on this point but was rather ordered to change its system within three months.

The main lessons to learn from these decisions for entities that process personal data are:

  • Comply with transparency requirements (provide sufficient information clearly);
  • Apply the data retention periods you have defined, and delete or archive data where necessary;
  • Do not collect more data than needed;
  • Ask for consent where required;
  • Ensure sufficient security measures.


[1] Decisions against Carrefour France and Carrefour Banque of November 18, 2020, available here and here

[2] Decision against Nestor SAS of December 8, 2020, available here

[3] Decisions against Carrefour France and Carrefour Banque of November 18, 2020, available here and here

[4] Decisions against Carrefour France and Carrefour Banque of November 18, 2020, available here and here

[5] Decision against Nestor SAS of December 8, 2020, available here

[6] Decisions against Google LLC and Google Ireland Limited of December 7, 2020, available here

[7] Decision against Amazon Europe Core of December 7, 2020, available here

[8] Decision against PERFORMECLIC of December 7, 2020, available here

[9] Decisions of December 7, 2020, available here and here