Which authorities guarantee the protection of personal data in France?

Date: August 3, 2025

Protecting personal data is one of the major issues of our time. It’s essential to know who to contact in case your rights are violated. In France, several authorities are responsible for ensuring the protection of personal data (such as name, address, social security number). Each has its own responsibilities and areas of intervention.

The National Commission on Informatics and Liberty (CNIL)

What is the CNIL?

The CNIL was established by the French Data Protection Act of January 6, 1978. It oversees the protection of personal data in both public and private information systems and paper files. Its mission is to ensure that information technology does not harm:

  • human identity;
  • human rights;
  • privacy;
  • public and private liberties.

This independent administrative authority is composed of 18 members, either elected or appointed.

What are the CNIL’s missions to protect personal data?

The CNIL pursues four main missions:

Inform and protect rights

One of the CNIL’s key roles is to respond to requests from individuals and companies. It also conducts public communication through the press, its website, and social media. It handles complaints related to:

  • online reputation, such as requests to remove content;
  • commercial requests, like opposition to commercial emails;
  • human resources issues, such as video surveillance or employee vehicle tracking;
  • banking matters, including entries in national credit files.

Support compliance and advise

The CNIL helps both private and public actors comply with the General Data Protection Regulation (GDPR). It provides a toolbox adapted to different needs and sizes. It also advises on regulatory texts related to personal data protection.

Anticipate and innovate

The CNIL contributes to debates on ethical data issues through:

  • its digital innovation laboratory (LINC);
  • its forward-looking committee;
  • the European CNIL-INRIA prize;
  • the Privacy Research Day, a major academic conference on data protection.

Inspect and sanction

The CNIL can inspect private and public organizations. If it finds non-compliance, it may issue formal notices or sanctions. In 2022, it conducted 345 inspections and issued 147 formal notices. Possible sanctions include:

  • ordinary sanctions, with fines up to €20 million;
  • simplified sanctions for less complex or lower-severity cases.

What is the role of the CNIL?

The CNIL acts as a regulator for personal data in the digital world. It supports companies in compliance and helps individuals exercise their rights. People whose data is collected have several rights, including:

  • the right to access their data at any time;
  • the right to rectify or oppose the use of their data;
  • the right to data portability;
  • the right to be forgotten (erasure and de-indexing);
  • the right to be notified if data is compromised;
  • the right to compensation for material or moral damage related to GDPR violations;
  • the right to file a group action.

The General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF)

What is the DGCCRF?

The DGCCRF is part of the French Ministry of the Economy. It helps design and implement economic policy, oversees proper market functioning, and serves both consumers and businesses.

What are the DGCCRF’s missions related to personal data protection?

The DGCCRF conducts investigations and inspections to ensure companies respect personal data protection rules. It can sanction businesses that fail to comply with sensitive data processing rules and informs consumers about their data protection rights and risks.

In 2019, the CNIL and DGCCRF signed a cooperation protocol to strengthen consumer protection and adapt it to new digital challenges. Their collaboration aims to:

  • raise awareness of risks when sharing personal information;
  • share best practices among professionals;
  • simplify reporting of data protection and consumer rights violations;
  • conduct joint inspections;
  • propose joint European actions;
  • pool expertise, especially in investigation tools;
  • exchange analyses on legislative and regulatory changes.

The Council of State

What is the Council of State?

Established in 1799, the French Council of State is the highest administrative jurisdiction. It advises the government and is composed of about 300 members, including state councillors, masters of requests, and auditors.

What are its missions in personal data protection?

The Council of State adjudicates administrative disputes related to personal data protection. The government may consult it on matters concerning personal data protection, and it issues recommendations on data collection and processing. It reviews the legality of CNIL decisions and resolves competency conflicts.

For example, in June 2020 the Council rejected Google’s appeal against a CNIL fine, finding the company failed to meet transparency obligations and deeming the €50 million fine proportionate. It also upheld most of the CNIL’s cookie guidelines, though it annulled the absolute ban on “cookie walls” that block site access if cookies are refused.

Judicial courts

What are judicial courts?

The judicial court was formed by merging the former lower courts. It handles disputes not assigned to a specialised court.

How to bring a case before the judicial court

A case can be brought before a judicial court by:

  • a summons, a formal notice by a judicial officer that a trial has begun;
  • a petition, a written request filed by an individual (either self-represented or with a lawyer);
  • a joint petition, when both parties agree to have the court decide the dispute.

The judge can also order parties to attempt mediation first.

What are their missions in data protection?

Judicial courts adjudicate personal data protection violations, grant compensation to victims, issue orders to stop violations, and impose sanctions.

For example, in March 2021, after a data breach reported by the CNIL, the Paris judicial court ordered ISPs to suspend access to a website that exposed health data of 500,000 individuals.

The Collective for Digital Marketing Actors (CPA)

What is the CPA?

The CPA is a professional organisation of 88 members specializing in digital marketing, including affiliate marketing, acquisition emailing, couponing, lead generation, display advertising, legal, and more.

Over 140 companies have signed the CPA’s email charter, committing to:

  • implement GDPR-compliant email collection and monetization practices;
  • use third-party form encapsulation tools.

How does the CPA contribute to data protection?

The CPA works to regulate market practices and promote consumer-respectful development through quality charters, legal monitoring, and member training.

The CPA is divided into several sections:

  • retail;
  • email;
  • lead generation;
  • search;
  • legal;
  • e-marketing technologies;
  • skills and professions.

The legal section, created in 2017, focuses on legal topics and includes lawyers, jurists, and marketing performance experts. In April 2021, it published a practical guide on CNIL cookie recommendations to help members comply with consent requirements. The e-marketing technology section released cookieless technical guides in January 2021 to inform advertisers about the impact of ending third-party cookies and alternative tracking solutions.

Conclusion

In France, many authorities monitor compliance with personal data protection rules. Whether it’s data collection, storage, access, modification, dissemination, or erasure, companies must comply with applicable laws.

To implement GDPR-compliant acquisition operations, contact our experts for support.
