France has hit an all-time record in notifications of personal data breaches, up 79% from 2020, the latest report of the country’s data protection supervisor CNIL has found. EURACTIV France reports.
The year 2021 was not smooth sailing for CNIL, France’s data protection watchdog and guardian of the EU’s General Data Protection Regulation (GDPR), according to the latest activity report it presented on Wednesday (11 May).
Over the past year, CNIL received 5,037 notifications of personal data breaches – about 14 notifications per day – a 79% increase compared to the year before.
The increase reflects a greater awareness of the obligation to report on the part of the companies but also an increase in cyberattacks, CNIL President Marie-Laure Denis has said, warning that the figure still falls “far below the reality” of the situation.
Among the notified data breaches, 58% are the result of computer attacks, particularly ransomware – which saw a 128% increase compared to 2020.
The preferred targets of these attacks are, unsurprisingly, small and medium-sized enterprises (43%) and very small enterprises (26%), as they are “less well-armed than large companies in the face of this threat,” the French data watchdog explained.
In 2021, the CNIL was also active in carrying out repressive measures, sending 135 formal notices to companies that led to 18 sanctions, half of which related to poor data security.
Because of its sanctions, CNIL cashed in a cumulative €214 million in fines, compared to only €138 million the previous year.
CNIL’s president also expressed satisfaction with the cooperation with fellow EU data protection authorities. Of the 18 sanctions CNIL imposed in 2021, four were carried out in close collaboration with other data protection authorities as part of the “one-stop-shop” approach foreseen by the GDPR.
The report also pointed to CNIL having been consulted on 17 draft decisions, including one that led to a €225 million fine being imposed on WhatsApp.
“The mobilisation of the CNIL at the European level is not limited to the repressive level,” Denis told journalists.
As a member of the European Data Protection Committee (EDPS), the CNIL takes part in discussions on many EU legislative proposals, including the Data Act, the Digital Governance Act, the Digital Markets Act, the Digital Services Act, and the AI Act.
“The CNIL has the legal and IT skills, as well as the experience, to play a leading role in the application of these texts,” the watchdog’s president said, welcoming the “will of the EU to have a particularly active regulation on digital issues”.
Asked if the CNIL’s human and financial resources would match the major role the watchdog is set to have in many of these EU data protection laws, Denis noted that there was “an awareness on the part of the public authorities of the importance of the CNIL’s missions”.
But “the fact remains that we are still very small compared to some of our counterparts”, she added, citing the example of the UK and Germany.
The data watchdog also noted the efforts made to pave the way for the successor of the controversial EU-US Privacy Shield, citing the EU Court of Justice’s Schrems II ruling, which essentially rendered data transfers under the Privacy Shield illegal, and identifying it as an “important area of work”.
On the latest EU-US agreement on the Trans-Atlantic Data Privacy Framework concluded in March, Denis said it was, at least for the time being, “an agreement in principle”.
This announcement “is a first step, but it is only a first step,” she added, noting that it does not “modify at this stage the legal framework” for transfers and the position several EU authorities have adopted on Google Analytics.
“Discussions are still ongoing” but “we have never seen the beginning of a text on the subject,” she also said.
[Edited by Zoran Radosavljevic]