Increasing number of sanctions and fines by CNIL, the authority reveals

The French administrative regulatory body has issued more sanctions thanks to a ‘simplified procedure’ to handle complaints.

Twice as many sanctions were issued by the CNIL (National Commission on Informatics and Liberty) in 2023 compared to 2022, the French authority’s latest annual report shows. A total of 42 sanctions were issued, with 36 fines totalling over €89m ($95m). In total, the authority carried out 340 investigations during the year.

More than half the sanctions originate from a ‘simplified procedure’ for cases that “do not present any particular legal difficulty.” It was created in 2021 and enables the CNIL to handle complaints more effectively and to issue fines of up to €20,000 ($21,401).

The Chair of the CNIL also sent out 168 formal notices and 33 reminders of legal obligations to organizations over breaches of data protection regulations. This is a slight increase on 2022’s totals of 148 notices and 29 reminders.

Yet, even though the authority issued close to 50% more fines during 2023, the total amount was less than in 2022, when 19 fines were issued, totalling more than €101m ($108,218,257).

Public fines

Many of the sanctions and fines during 2023 were not made public. Among those that were shared are:

  • June 15: CRITEO fined €40m ($42.3m) for, in particular, failing to verify consent from individuals whose data had been processed.
  • September 18: SAF LOGISTICS fined €200,000 ($213,449) for collecting too much data from its employees, infringing on their privacy and not having cooperated enough with the CNIL services.
  • September – November: Ten sanctions issued under the “simplified sanction procedure” against private and public-sector players, with fines totalling €97,000 ($103,825) for failures regarding:
    – the obligation to respond to CNIL requests;
    – data minimization (geolocation and continuous video surveillance of employees);
    – information on the processing carried out and its purposes; and
    – the obligation to respect the rights of individuals, and in particular to respond to a request for objection.
  • October 12: GROUPE CANAL+ fined €600,000 ($640,339) for failing to comply with its obligations in terms of commercial prospecting and rights of individuals.
  • December 11: In cooperation with the Dutch Data Protection Authority Autoriteit Persoonsgegevens, Uber B.V. and Uber Technologies Inc. were fined €10m ($10.7m) for several breaches of driver information.
  • December 29: YAHOO EMEA LIMITED fined €10m ($10.7m) for failing to respect users who refused cookies on its website and for not allowing users of its Yahoo! Mail messaging service to freely withdraw their consent to cookies.
  • December 29: TAGADAMEDIA fined €75,000 for collecting prospect data without valid consent, due to the misleading appearance of its competition forms.
  • December 29: NS CARDS FRANCE fined €105,000 ($112,061) for failing to comply with the rules on cookies and tracers, and for several breaches of the GDPR regarding data retention periods, information to individuals and data security.

Increasing public complaints

During the year, the authority received 16,433 complaints from the general public, a 35% increase on 2022, and processed the same number.

The authority also saw an increase in traffic to its website, with close to 12 million visits during the year.

“The website has seen a record audience, with 11.8 million visits, testifying to the ever-growing interest of the public – both professionals and individuals – in data protection, particularly regarding phishing, cookies and artificial intelligence,” the CNIL said.

The authority also noted a 35% visitor increase to its “Need help” frequently-asked-questions database, especially regarding subjects connected to the national payment incident file (FICP) and criminal records.

| | 2022 | 2023 |
|---|---|---|
| Complaints received | 12,193 | 16,433 |
| Complaints processed | 13,425 | “as many complaints as it received” |
| Fines total amount | €101,277,900 | |
| Formal notices* | 148 | 168 |
| Reminders of legal obligations* | 29 | 33 |

*Issued by the Chair of the CNIL

For 2024, so far, the CNIL has issued three public sanctions, which include:

  • January 31: PAP, publisher of the De Particulier à Particulier website, fined €100,000 ($106,741) for notably failing to comply with its obligations in terms of data retention periods and data security.
  • January 31: FORIOU fined €310,000 ($330,900) for using data supplied by data brokers for commercial prospecting purposes – without ensuring consent from the concerned individuals.
  • April 4: HUBSIDE.STORE also fined €525,000 ($560,326) for using data supplied by data brokers for commercial prospecting purposes – without ensuring consent from the concerned individuals.