CNIL

On November 6, 2018, the French data protection authority (the “CNIL”) published a report that discusses some of the questions raised by the use of blockchain technology and perceived tensions between it and foundational principles found in the General Data Protection Regulation (the “GDPR”).  As we noted in an earlier blog post on this topic, some pundits have claimed that certain features of blockchain technology, such as its reliance upon a de-centralised network and an immutable ledger, pose GDPR compliance challenges.  The CNIL has attempted to address some of these concerns, at least in a tentative manner, and further guidance from EU privacy regulators can be expected in due course.

De-centralised network

The CNIL acknowledges that EU data protection principles have been designed “in a world in which data management is centralised,” and where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”).  Applying these concepts to a de-centralised network such as blockchain, where there are a multitude of actors, leads to a “more complex definition of their role.”  In brief, EU data privacy rules are the square peg to blockchain’s round hole.

Notwithstanding this, the CNIL considers that participants on a blockchain network, who have the ability to write on the chain and send data to be validated on the network, must be considered data controllers.  This is the case, for instance, where the participant is registering personal data on the blockchain and it is related to a professional or commercial activity.  By contrast, according to the CNIL, the miners, who validate the transactions on the blockchain network, can in certain cases be acting as data processors.  As a consequence, data processing agreements would need to be in place between the data controllers and the data processors on any blockchain network.

The CNIL further considers that where there are multiple participants who decide to carry out processing activities via a blockchain network, they will most likely be considered “joint controllers,” unless they identify and designate their roles and responsibilities in advance.   Individuals who use the blockchain for personal use (i.e., individuals who access the network to buy and sell a virtual currency), however, would not be data controllers as they can rely on the “purely personal or household activity” exception.  
Continue Reading The CNIL Publishes Report On Blockchain and the GDPR

By Kristof Van Quathem and Anna Sophia Oberschelp de Meneses 

Exactly one month after the GDPR started applying, the French Supervisory Authority (“CNIL”) issued a formal warning to two companies in relation to their processing of localization data for targeted advertising (see here).  The CNIL found that the consent on which both companies relied did not comply with the General Data Protection Regulation (“GDPR”).  The CNIL also concluded that one of the companies was keeping geolocation data for longer than necessary.

Fidzup and Teemo offer a tool (“SDK-tool”) that allows their customers, mobile app operators, to collect geolocation data and to use this data to provide customized advertising to their app users.  The two companies create profiles on the app users based on the users’ visits to certain points of interests identified by the customers, such as the physical stores of the customer (or of competitors).  They then provide advertising in the form of pop-ups to the app users.  Once a user downloaded a customer’s app, geolocation data is collected, irrespective of whether the app is running, and combined with other data collected about the app user, such as, an advertising ID and technical information about the device (e.g., MAC address).  Both companies relied on user consent obtained by the app operator to process the personal data they collected.  The agreements with Fidzup and Teemo required their customers to inform app users about the targeted advertising activities enabled by the SDK-tool and to obtain the app users’ consent.

The CNIL concluded that the consent obtained did not meet the requirements of the GDPR.  Under the GDPR consent must be “freely given, specific, informed and unambiguous”.  According to CNIL, the consent obtained did not meet any of these requirements.
Continue Reading French Supervisory Authority Issues 2 GDPR Warnings

As we approach the May 2018 effective date of the EU General Data Protection Regulation (“GDPR”), there have been a number of global developments over the last few months with respect to the so-called “right to be forgotten,” which will be codified under Article 17 of the GDPR.

European Developments

In the EU, we previously reported on a Court of Justice of the EU (“CJEU”) decision that limits the right to be forgotten with respect to public records.  And in February, A French high administrative court raised several questions to the CJEU relating to the right to be forgotten in light of the Google v. Costeja Gonzalez decision.  The questions address whether and in what circumstances search engines must delist links to websites in response to requests from data subjects, and arose in the context of a pending dispute between Google and CNIL, the French data protection authority.

A decision by a Circuit Court in Ireland recognized the right of a former election candidate to request the removal of information posted about him on Reddit under the right to be forgotten.  And the UK recently solicited views on its own implementation of the GDPR, including input regarding the interplay between the right to be forgotten and freedom of expression in the media.
Continue Reading Developments in the Right to Be Forgotten

On June 16, 2016, the French data protection authority (“CNIL”) launched a public consultation on the General Data Protection Regulation (“GDPR).   The consultation focuses on four priority themes set out in the Article 29 Working Party’s 2016 Action plan:

  • the data protection officer;
  • the right to data portability;
  • data protection impact assessments; and
  • certification.

Continue Reading The CNIL and EDPS Launch Public Consultations

Industry eagerly awaits further guidance from data protection authorities (“DPAs”) relating to the EU-U.S. Privacy Shield as well as on the validity (or otherwise) of other mechanisms for transfers to the U.S. such as standard contractual clauses (“SCCs”) and binding corporate rules (“BCRs”).  As we explained in recent posts (here and here), publication of an opinion by the Article 29 Working Party, representing, among other things, the EU’s data protection authorities, is a key next step that will shape enforcement and data transfer options for companies in the post-Schrems environment.  Until then, here is a summary of the approach that some of the national DPAs are taking:
Continue Reading EU DPA Enforcement Guidance Post-Schrems

May 2015 saw a number of developments in the EU mHealth sector worthy of a brief mention.  The European Commission announced that it would work on new guidance for mHealth apps, despite the European Data Protection Supervisor and British Standards Institution publishing their own just weeks earlier.  In parallel, the French data protection authority announced a possible crackdown on mHealth app non-compliance with European data protection legislation.  This post briefly summarizes these developments.
Continue Reading May 2015 EU mHealth Round-Up

By Fredericka Argent

The UK’s Information Commissioner’s Office (ICO) has announced that it is looking to introduce a system of “privacy seals” for organizations doing business in the UK.  The seal is intended to be a consumer-facing stamp of approval demonstrating that a particular organization is meeting or surpassing the compliance requirements of the UK’s Data Protection Act.  The ICO expects that this will provide numerous benefits, both for companies, who could gain an advantage over competitors, and for customers, who should feel confident entrusting their personal information to companies displaying the seal.  It is hoped that the privacy seal will incentivize good data protection practices across UK businesses.

The privacy seals themselves will be delivered by third party operators who are endorsed by and work with the ICO.  It is expected that different operators will focus on different sectors, meaning that accreditation schemes can be tailored to particular industries.  For example, an operator handling the privacy seals for mobile app companies may be different to the operator assigned to healthcare service providers.  A privacy seal will only be awarded to an organization once they have demonstrated that they meet the relevant data protection standards.
Continue Reading The UK’s Data Protection Regulator to Introduce “Privacy Seals” for Businesses

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at

Continue Reading Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

The CNIL announced in a press release on Thursday that it has issued a formal notice to Google Inc. that requires the search engine to provide clear and sufficient information to users about how their data is being used. In particular, the Paris based regulator wants Google to:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page; and
  • Inform users and then obtain their consent in particular before storing cookies on their terminal.

Continue Reading French Data Protection Authority: 3-Month Deadline for Google to Comply With Privacy Laws

By Dan Cooper

On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law.  The report marks a new stage in an investigation which began nine months ago, when Google
Continue Reading CNIL and Article 29 Working Party Release Report on Google Privacy Policy