CNIL's Strategic Focus Areas for Data Protection in 2024

Each year, the CNIL selects key areas of high interest to concentrate its investigations and assess the compliance of select commercial sectors. On February 8, The CNIL announced its four main areas of focus for investigations for 2024.

Data Collection for the Summer Olympic and Paralympic Games in Paris

This major international event that will take place over July and August 2024, is anticipated to draw millions of spectators and thousands of athletes – requiring major security measures to be deployed.

These measures warrant the CNIL's oversight and verification of their precise and strict application. The CNIL will conduct audits on the implementation of QR codes for access to restricted areas and the use of enhanced camera technologies.

In addition to the security aspect, the CNIL will also be looking at the more commercial aspects of the Olympic Games, in particular the data collected in connection with ticketing services.

Data Collected Online from Minors

The CNIL has been keeping a close eye on this topic for a few years.

The aim is for the CNIL to check the applications and sites most popular with children and teenagers to assess whether age control mechanisms have been implemented effectively, what security measures are in place and whether the principle of data minimization has been respected.

As a reminder, the GDPR lays down specific provisions for data protection of minors, requiring a reinforced degree of information and a minimum age to be able to consent to processing – which is 15 years in France.

Further, French law and some European regulations impose age requirements on the provision of certain services or goods, requiring the sites in question to verify the age of the customer: purchase of alcohol, access to pornographic sites, online gambling and betting, certain banking services, etc.

However, age verification still presents a number of challenges, and a major risk to privacy.

On 3 June 2021, the CNIL issued an opinion on a draft decree specifying the obligation of sites disseminating pornographic content to prevent minors from accessing such content. On this occasion, it specified some main principles in order to reconcile protection of privacy and youth protection – recommending the use of an independent third-party age verifiers, which must be based on:

• direct collection of identity documents;
• an estimate of age based on browsing history; or
• biometric processing for identification purposes^[1].

Loyalty Programs and Dematerialized Receipts

Most supermarket chains offer a loyalty program, which may involve the collection of extensive information about consumers; consisting of their eating habits, family makeup, children's age groups, and pets. This data can then be re-used for commercial prospecting or targeted advertising.

In addition, the recent French law of 10 February 2020 on dematerialization of receipts will also lead to additional processing of personal data to enable, for instance, the sending of the receipt via SMS or email. As data controllers, businesses must therefore comply with the fundamental principles of data protection, including lawfulness, transparency and data minimization:

• lawfulness of the processing – if consumers wish to receive electronic tickets, their data may be processed on the basis of legitimate interest;
• transparency – information concerning the processing of personal data in this context must be clear and concise. Retailers can provide a first level of information at the checkout; and
• data minimization – businesses should use the most data-friendly options, enabling people to retrieve their receipts without transmitting their contact data to retailers (e.g., via QR code scanning).

In any case, it is up to the consumer to decide whether or not they want to receive an electronic ticket.

Data Subjects' Right of Access

As part of the third action of the Coordinated Enforcement Framework of the European Data Protection Board (EDPB), the CNIL and its counterparts will be carrying out checks on the implementation of the data subject’s right of access.

Increased enforcement of access requests represents a challenge for all data controllers, especially employers. Indeed, it is becoming increasingly common for employees to request access to their employers (current or former) to their personal data in order to gather and produce evidence in litigation.

However, some data are protected by specific legislation (for instance, confidentiality of correspondence, trade secret etc.). It is therefore essential to carry out an in-depth analysis of the request in line with the regulators’ guidance and case law.

While defining these priorities for 2024 the CNIL recalls that, on average, these themes account for 30% of the inspections carried out each year.

BCLP can assist you in achieving compliance or prepare for a CNIL inspection. If you would like to discuss anything raised in this briefing, please contact Geraldine Scali, Pierre-Emmanuel Frogé or your usual BCLP contact.