The National Commission for Computing and Liberties (CNIL), guardian of French people’s personal data, imposed 21 sanctions in 2022 for a total amount of more than 101 million euros, down from previous years, she announced Tuesday, January 31 in a report. A total amount down compared to previous years: the cumulative amount of fines had reached a record level of 214 million euros in 2021after 138 million euros in 2020.
These sanctions were facilitated by the law relating to criminal liability and internal security, passed at the end of 2021, which created a new simplified sanction procedure. Four sanctions were thus imposed in 2022 by the CNIL thanks to this new procedure, which makes it possible to process files that do not present any particular difficulties thanks to an accelerated procedure. In this case, the president of the restricted formation decides alone, without the need for a collegial decision.
The CNIL nevertheless highlights a record number of formal notices: 147, compared to 135 in 2021 and around fifty in previous years. The Commission also counted 87 closed files, which corresponds to to sanction and formal notice procedures following, in particular, the examination of the actions taken by the organizations to bring themselves into compliance ».
The formal notices concerned the obligation to appoint a data protection officer, the application of the rules on commercial prospecting, or data transfers across the Atlantic. Seventy-two of them contain at least one breach related to cybersecurity.
Several sanctions against GAFAM
In 2022, the Commission received 12,000 complaints and dealt with 13,000, thus succeeding for the first time in reducing the stock of some 7,000 reports still pending, explained to Agence France-Presse (AFP) its general secretary, Louis Dutheillet de Lamothe.
Several sanctions have targeted GAFAM: in 2022, this was the case for Microsoft, sanctioned by a fine of 60 million eurosthe largest of the year, made public at the end of December, then from Apple, with a recent fine of 8 million euros that the company intends to contest.
The CNIL finally adopted three decisions “in cooperation with its European counterparts” and has “actively participated in five procedures” undertaken at European level to settle disputes over draft decisions. Since the entry into force of the European Data Protection Regulation (GDPR) in 2018, the CNIL has imposed a fine of just over 500 million euros, i.e. one fifth of the total fines decided by the European authorities ( 2.5 billion euros).