The CNIL is taking stock of its repressive action in France on Tuesday over the past year. If the quantity of sanctions is decreasing compared to the previous year, the Commission highlights the record number of formal notice.
The National Commission for Data Protection (CNIL), guardian of the personal data of the French, pronounced 21 sanctions in 2022 for a total amount of more than 101 million euros, in decrease compared to previous years , she announced Tuesday January 31 in a report. A total amount down compared to previous years: the cumulative amount of fines had reached the level Record of 214 million euros in 2021 , after 138 million euros in 2020.
These sanctions were facilitated by law relating to criminal liability and internal security, voted at the end of 2021, which created a new simplified sanction procedure. Four sanctions were thus pronounced in 2022 by the CNIL thanks to this new procedure, which makes it possible to deal with the files that do not present any particular difficulties thanks to an accelerated procedure. In this case, the president of the restricted training rules alone, without the need for a collegial decision.
The CNIL nevertheless underlines a record number of formal notice: 147, against 135 in 2021 and fifty in previous years. The Commission also deducted 87 closed files, which corresponds “to sanction and formal notice procedures at the end, in particular, of the examination of the actions taken by the organizations to comply”.
The formal notices concerned the obligation to designate a data protection officer, the application of the rules on commercial prospecting, or data transfers across the Atlantic. Sixty-two of them include at least a breach linked to cybersecurity.
Several sanctions against GAFAM
In 2022, the Commission received 12,000 complaints and dealt with 13,000, thus succeeding for the first time in reducing the stock by some 7,000 reports still pending, explained to the France-Presse ( AFP) its secretary general, Louis Dutheillet de Lamothe.
Several sanctions targeted the GAFAM: in 2022, this was the case of Microsoft, sanctioned by a fine of 60 million euros, the largest of the year, made public at the end of December, then D ‘Apple, with a recent fine of 8 million euros that the company intends to contest.
The CNIL has finally adopted three decisions “in cooperation with its European counterparts” and “actively participated in five procedures” initiated at European level to settle disputes on decision -making projects. Since the entry into force of the European Data Protection Regulation (GDPR) in 2018, the CNIL has pronounced just over 500 million euros fine, or a fifth of the total fines decided by the European authorities ( 2.5 billion euros).