In 2020, the French data protection authority (so-called "CNIL") fined 11 companies in France (see our article for further details).

What happened in 2021? In 2021, the CNIL fined 12 companies and also issued summons and warnings towards certain companies or organisations. As in 2020, companies are almost always controlled and sanctioned by the CNIL following a complaint filed by data subjects. One sanction followed an investigation carried out after the company notified a data breach; it only discovered the breach after three and a half years. 12 million people were impacted, but the company decided not to notify the data subjects[1]. 

In 2021, the fines ranged from 3,000 euros (against a small company that runs a company directory) to 150 million euros (Google) – an even larger spectrum than the year before. This is yet another illustration that the CNIL takes into account various factors when determining the fine: the size of the company, number of violations and their seriousness, but also corrective measures implemented, including during the procedure. Such decisions are also often pedagogical and aim to help to improve data compliance.  

The main non-compliances sanctioned by the CNIL in 2021 are similar to 2020: 

The CNIL's main target: cookies 

The CNIL adopted guidelines on cookies in October 2020. Since March 31, 2021 – the deadline to be compliant with the new cookie rules – the CNIL issued more than 100 corrective measures (summons mainly but also fines) in relation to cookies. On December 31, 2021 the CNIL fined Facebook 60 million euros and Google 150 million euros. The CNIL found that the, and websites did not make refusing cookies as easy as accepting them, thus influencing users in their choice in favour of consent to be able to quickly consult a website[2]. The Figaro (one of the main press websites in France) was also fined 50,000 euros, as advertisement cookies were placed on the users' terminals without their prior consent. 

Companies should therefore pay particular attention to cookie compliance.

Lack of information of data subjects 

AG2R La Mondiale was sanctioned for absence of information of data subjects when solicited by phone by data processors[3]. The CNIL here reminded companies that data subjects solicited by phone should have access to complete information either by pressing a number on the phone or by email. 

Monsanto was fined 400,000 euros for keeping a file containing the personal data of 200 political figures, journalists and other people of influence, for lobbying purposes. Such people had not been informed of the processing of their data for several years[4]. 

Non-existent data retention periods (or non-applicability of such periods)

An online DIY company was fined for keeping contact details of clients who had not ordered or logged in on the website for five years[5]. Such sanction is consistent with the CNIL's principles and its recommended three-year rule for prospects' data after the last contact. 

AG2R La Mondiale was fined 1.75 million euros notably for exceeding the data retention period provided by the French Code of insurance and keeping data, including sensitive health data, as well as bank details of more than two million clients[6]. 

Ineffective right of access and right of erasure 

French telephone operator Free Mobile was fined 300,000 euros for various GDPR non-compliances, including not responding to access requests within the required timeframe[7]. In its decision, the CNIL specified with regard to data deletion requests that disabling the user's account is not sufficient and that the data must be completely deleted[8]. 

Lack of security measures to protect the data 

A number of companies were sanctioned due to a lack of security of the data collected and processed[9]. In a decision concerning a company victim of credential stuffing attacks with the use of robots[10], the CNIL suggested the following mitigation solutions:

  • the limitation of the number of requests allowed per IP address on the website to slow down the rate at which attacks were carried out; or 
  • the appearance of a CAPTCHA at the first attempt to authenticate users to their account, which is very difficult for robots to bypass.
Direct marketing: failure to obtain consent or ineffective right to object 

The CNIL sanctioned several companies for having failed to obtain consent (consent of prospects to receive emails or to use advertising cookies). The online DIY company sent marketing messages to users who had created an account but had not yet purchased anything, which normally requires the users' consent[11]. It also placed advertising cookies on the users' computer without their prior consent. 

Free Mobile was sanctioned for non-compliance with the right to object, as it did not take into account the complainants' requests that no direct marketing messages be sent to them[12].

Finally, the Luxembourg data protection authority (CNPD) imposed a record fine of 746 million euros to Amazon, following a complaint addressed to the CNIL by an association (the CNPD was the leading supervisory authority and had jurisdiction). The decision is not public yet[13] and the CNPD has not disclosed the grounds for sanction but the media have indicated that it was linked to Amazon's failure to collect its users consent in compliance with GDPR provisions. 

Non-compliance with the principle of data minimisation 

The RATP (Paris public transportation company) was fined 400,000 euros for keeping data relating to the number of days that employees were on strike in a file on career development. The CNIL found that the collection of such data was not necessary and that the company could have achieved the same purpose by collecting data on days of absence in general, and not days on strike specifically[14].

The main lessons to learn from these decisions for entities that process personal data are: 

  1. Comply with cookies rules (collect consent where required and allow users to object as easily as they can accept cookies);
  2. Comply with transparency and information obligations, in particular regarding data subjects' rights;
  3. Apply the data retention rules defined and delete or archive data where necessary; and
  4. Ensure sufficient safety rules and implement quick mitigation measures in case of a data breach.

[1] Decision against SLIMPAY of December 28, 2021 available here.

[2] Decision against Facebook Ireland Limited of December 31, 2021 available here and decision against Google LLC and Google Ireland Limited of December 31, 2021 available here.

[3] Decision against AG2R La Mondiale of July 20, 2021 available here.

[4] Decision against Monsanto of June 14, 2021 available here.

[5] Decision against Brico Privé of July 26, 2021 available here.

[6] Decision against AG2R La Mondiale of July 20, 2021 available here.

[7] Decision Against Free Mobile of December 28, 2021 available here. Press release in English available here.

[8] Decision against Brico Privé of June 14, 2021 available here.

[9] Decision againt the RATP of October 29, 2021 available here.

[10] Credential stuffing is a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another unrelated service. The attacker is hoping that some fraction of the users also have an account at the other service, and that they reused the same usernames and passwords for both services.

[11] Decision against Brico Privé of June 14, 2021 available here.

[12] Decision Against Free Mobile of December 28, 2021 available here

[13] The decision is not public at this stage in accordance with Luxembourg law (the decision can only be made public once all appeal procedures have been exhausted).

[14] Decision against the RATP of October 29, 2021 available here.

Key Contacts

Emmanuelle Lecornu-Mercier

Emmanuelle Lecornu-Mercier

Managing Associate, Employment

View profile