France Enforces Cookies Regulations
On December 16, 2013, the French data protection authority CNIL issued its recommendations (source document in French) for implementing cookies in compliance with the data protection regulations applicable in France. In a communication (source document in French) dated July 11, 2014, CNIL indicated that, as of October 2014, it will be monitoring and enforcing compliance with these regulations. CNIL will specifically be analyzing compliance on key issues including (i) the types of cookies that are implemented, (ii) the purposes of such data processing, (iii) how consent from the data subject is obtained when required, and (iv) whether the data subjects are duly informed about the implementation of cookies. Businesses with websites that target French users should promptly ensure that their cookie implementation policy complies with French data protection regulations.
DPA Authorizes Screening Processes More Widely
In a May 6 decision (source document in French), the Commission Nationale de l'Informatique et des Libertés ("CNIL") authorized the French subsidiary of an international group outside of the banking and financial sectors to implement personal data processing of its commercial partners for screening purposes, in order to prevent risks of corruption and money laundering. This decision shows that, subject to compliance with strict conditions, the CNIL is willing to authorize such screening processes implemented for compliance with foreign law requirements (such as the Foreign Corrupt Practices Act in the United States or the UK Bribery Act) even though the data controller is not subject to a French law screening obligation.
DPA Warns Freight Company Following Leak
CNIL warned (source document in French) an international logistics, freight, and express mail company that it had violated a 1978 information privacy law when it was discovered that personal data for nearly 700,000 clients of the company was freely accessible on the internet. CNIL's warning cited the company's failure to institute time-limiting measures on document retention and failure to independently verify the security of an information system designed by a third party.