The CNIL, France’s DPA, gains new online inspection powers

Law No. 2014-344 of 17 March 2014 amends France’s Data Protection Act, giving the Data Protection Authority, the CNIL, the right to perform online checks. The new power allows the CNIL to remotely detect and react to data breaches on the Internet. The findings will be recorded and may result in enforcement action.

The online inspections will apply to "data freely accessible or rendered accessible" online, mainly large databases of contact and billing information, and do not allow the CNIL to override or break companies’ security to gain entry into their information systems.

A CNIL spokesperson told PL&B: “The CNIL will not infringe companies’ security to gain access to their systems. But I want to stress that ‘security breaches’ only represent a part of our online inspections. This new law also allows us to check how individuals are informed of the use of their data, how their consent is collected when it’s necessary and how cookies and tracking tools are employed.”

“If an infringement has occurred, the CNIL’s President can decide whether to issue an injunction or not. This injunction will compel the organization to take the necessary measures within a determined period of time.”

This new power, contained in a consumer protection law, is in addition to the existing on-site inspections. The CNIL is planning to start online inspections in the next few weeks.

See the law and the CNIL’s summary of the effect of the new law on its operations.