In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. It has been performing, since 2011, about 400 on-site investigations each year, some within a published annual programme, others following a claim or a hot topic in the news.
Since the recent enactment of the Consumer Act, the CNIL agents will be able to perform assessments, called “contrôles”, without moving from their offices on Rue Vivienne. The March 17 Act indeed provides that CNIL agents may operate investigations and assess noncompliance by analysing information available, whether willingly or inadvertently, online. On the basis of these investigations, which may for instance relate to websites’ online notices or easily accessible data breaches, the CNIL may then issue compliance orders.
The CNIL precises on its website that the law does not enable it to bypass security measures in place to protect websites.
Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at firstname.lastname@example.org.