French watchdog unleashes simplified sanctions on GDPR violators


With a simplified procedure in place, the French data protection agency CNIL is raining fines down on companies for various data protection violations.

The agency has issued nine new sanctions, totaling €83,000, in the past three months alone.

CNIL also shared the main shortcomings leading to fines:

  • Unlawful data processing (publishing sensitive data in a promotional video, publishing names of individuals expelled from an association)
  • Failure to minimize data (excessive comments, systematically recording all phone calls at a call center)
  • Cookie consent violations (no easy way to reject cookies)
  • Lack of cooperation with CNIL
  • Data security lapses (weak passwords, storing passwords in plain text, lack of access controls)
  • Failure to respect individuals' rights (denying access to medical records)
  • Failure to properly inform individuals

CNIL now frequently relies on the simplified procedure introduced in 2022, which concerns cases that do not present any particular difficulty and for which a fine of up to €20,000 may be imposed.

In November 2023, CNIL announced ten sanctions amounting to €97,000 for similar violations, imposed on organizations that, among other things, failed to respond to CNIL requests or to minimize the use of geolocation and continuous video surveillance of employees.

Organizations must follow the principle of minimization

One company was fined for breaching the principle of minimization, which requires companies to only collect personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed.

“A company systematically recorded all conversations on incoming and outgoing calls between telesecretaries, patients, and professionals for purposes of training, evaluation, and in the event of possible litigation,” CNIL noted.

“A systematic and complete recording of retentions does not appear necessary for the proper execution of the service nor with a view to possible legal requisitions.”

Another company, operating in the field of computer programming and artificial intelligence, produced a promotional video from patient files and broadcast it. The images included the patients’ first name, surname, and gender, and sometimes even their address and telephone number, without consent. This constitutes unlawful data processing under the GDPR.

Websites must allow users to refuse cookies with a click

CNIL also fined one company that did not offer means for users to refuse cookies with the same degree of simplicity as accepting them.

“The site allowed you to accept all cookies immediately by clicking on a button. But to refuse them, you had to click on the settings and access an interface to activate or deactivate cookies,” CNIL explained.

Such a mechanism is contrary to the legal requirements described in the Data Protection Act (ePrivacy directive). According to the ePrivacy directive, internet users must give their consent prior to depositing and reading certain trackers, which include cookies, fingerprinting, invisible pixels, and other similar identification technologies.
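To make the requirement concrete, the following is an added example (not code from the article, from CNIL, or from any of the sanctioned sites): a DOM-free consent gate that models the two points above. No non-essential tracker is written or read before the user has made a choice, and rejecting all trackers is a single action at the same level as accepting them. The cookie names, the purpose labels, the tracker list and the banner description are constructed for illustration and are not taken from any real site.

```javascript
// Added example, not part of the original article. Models a consent gate in
// the spirit of the ePrivacy rule: default deny for non-essential trackers
// until a choice exists, and symmetric one-step "accept all"/"reject all".
// The Map below stands in for document.cookie so the code runs under Node.

// Purposes exempt from consent (strictly necessary cookies). Constructed labels.
const ESSENTIAL_PURPOSES = new Set(['security', 'session']);

function createConsentGate() {
  let choice = null;       // null until the user acts: nothing optional runs
  const jar = new Map();   // stand-in for the browser cookie store
  const pending = [];      // tracker initialisers deferred until a choice
  const audit = [];        // record of blocked reads/writes for review

  function allowed(purpose) {
    if (ESSENTIAL_PURPOSES.has(purpose)) return true; // exempt
    return choice === 'accepted';                     // otherwise needs consent
  }

  function setCookie(name, value, purpose) {
    if (!allowed(purpose)) {
      audit.push({ action: 'blocked-write', name, purpose, choice });
      return false;
    }
    jar.set(name, value);
    return true;
  }

  function getCookie(name, purpose) {
    if (!allowed(purpose)) {
      audit.push({ action: 'blocked-read', name, purpose, choice });
      return undefined;
    }
    return jar.get(name);
  }

  // Register a tracker; its initialiser runs only once consent is given.
  function registerTracker(id, init) {
    if (choice === 'accepted') init();
    else pending.push({ id, init });
  }

  function decide(value) {
    choice = value;
    if (value === 'accepted') {
      while (pending.length) pending.shift().init(); // start deferred trackers
    } else {
      pending.length = 0;                            // drop them, never run
    }
    return choice;
  }

  return {
    acceptAll: () => decide('accepted'), // one action
    rejectAll: () => decide('rejected'), // one action, same depth as accept
    setCookie,
    getCookie,
    registerTracker,
    snapshot: () => ({
      choice,
      cookies: Object.fromEntries(jar),
      pendingTrackers: pending.map((p) => p.id),
      audit: audit.slice(),
    }),
  };
}

// Checks a banner description for the symmetry CNIL faulted: both choices
// must be reachable at the top level, not only behind a "settings" screen.
function bannerIsSymmetric(banner) {
  const top = new Set(banner.topLevelActions);
  return top.has('acceptAll') && top.has('rejectAll');
}

// Constructed scenario: one essential cookie, one advertising cookie written
// before any choice, and one analytics tracker registered before the choice.
function runScenario(decision) {
  const gate = createConsentGate();
  let analyticsStarted = false;
  gate.registerTracker('analytics', () => {
    analyticsStarted = true;
    gate.setCookie('_analytics_id', 'x', 'analytics');
  });
  gate.setCookie('session_id', 'abc', 'session');  // strictly necessary: stored
  gate.setCookie('ad_id', '123', 'advertising');   // blocked: no choice yet
  if (decision === 'accept') gate.acceptAll(); else gate.rejectAll();
  const snap = gate.snapshot();
  return {
    choice: snap.choice,
    analyticsStarted,
    cookies: Object.keys(snap.cookies),
    blocked: snap.audit.length,
  };
}
```

The audit array is the part worth keeping in a real implementation: a record of every tracker write or read that was refused before or after the user's choice is what lets a site demonstrate, rather than assert, that trackers were not set prior to consent.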

In this case, the company got away easily, compared to Yahoo!, which was fined €10 million by CNIL last year for failing to respect the choice of internet users who refused cookies.

As Cybernews found out, many websites still do not provide an easy way to refuse cookies, or they disrespect user choices.