On 24 January and 8 April 2022, the procedure before the French Data Protection Authority (CNIL) was reformed, notably to respond better to the growing number of complaints that the CNIL receives each year following the entry into force of the GDPR. Notable changes include the introduction of an injunction to communicate information to the CNIL, a simplified sanction procedure for simple cases, changes to the normal sanction procedure and changes to the procedure for formal notices.

These changes were implemented by the Law no. 2022-52 of 24 January 2022 and the Decree no. 2022-517 of 8 April 2022 which respectively amended the Loi Informatique et Libertés (“French Data Protection Act”) and the decree implementing said act (“Implementing Decree”).

Sanction proceedings before the CNIL are carried out by a specific body within the CNIL called the Restricted Committee (Article 9 of the French Data Protection Act). In case of infringements by a data controller or processor of the GDPR or of the French Data Protection Act, the President of the CNIL (who cannot sit on the Restricted Committee) can notably decide to refer the case to the Restricted Committee (she can also issue formal notices to the controller or processor, see §3 below). The Restricted Committee then rules on the basis of a report drafted by a Rapporteur (who is in charge of investigating the case) and, following adversarial proceedings during which the controller or processor is invited to present its observations, decides whether to issue sanctions (Article 16 of the French Data Protection Act).

The main changes brought to the procedures before the CNIL are described below.

New procedures before the CNIL

The President of the Restricted Committee can now issue injunctions to communicate information to the CNIL subject to a daily penalty of up to 100€.

When a case has been referred to the Restricted Committee (i.e. sanction proceedings have been launched), its President may issue an injunction to communicate information to the CNIL, if the controller or processor has not responded to a prior formal notice. This injunction can be issued with a penalty of up to 100€ per day of delay, enforced if need be by the President of the Restricted Committee (Article 20, IV of the French Data Protection Act).

This new injunction can only be issued after adversarial proceedings conducted as follows: a Rapporteur drafts a report, the controller or processor has 15 days to respond and the President of the Restricted Committee subsequently rules on the injunction on this basis. No hearing is held.

In case of an injunction, the controller or processor must submit proof of compliance demonstrating that the requested documents were duly communicated. In case of late compliance or total or partial non-compliance, the President of the Restricted Committee can enforce the daily penalty (Article 47-1 of the Amended Implementing Decree).

Simple cases can be dealt with through simplified sanction proceedings with limited sanction powers.

The President of the CNIL may, under certain conditions, initiate simplified proceedings wherein the President of the Restricted Committee (or a member of the Restricted Committee designated for this purpose) rules alone on the case (Article 22-1 of the French Data Protection Act).

The conditions to initiate simplified proceedings are:

  • the case does not present any particular difficulty (either because of existing precedent or because the factual and legal issues at stake are simple), and
  • the limited sanction powers (see below) are an appropriate response to the infringement.

The limited sanction powers that can be issued in simplified proceedings are:

  • a formal warning,
  • an injunction to comply with the GDPR or the French Data Protection Act with a potential daily penalty of up to 100€, and/or
  • an administrative fine of up to 20,000€.

The President of the Restricted Committee may refuse to engage in simplified proceedings, in which case the proceedings revert to the normal procedure. If the President of the Restricted Committee does not refuse to engage in simplified proceedings, he/she rules on the basis of a report to which the controller or processor may respond. The simplified proceedings will follow a similar procedure to that of normal proceedings (i.e. same time-limits, same adversarial proceedings) (Articles 45-1 and 45-2 of the Implementing Decree).

The decisions of the President of the Restricted Committee taken in simplified proceedings are not public.

Reform of the normal sanction proceedings

The Rapporteur's powers are reinforced.

During sanction proceedings, the Rapporteur can now explicitly request exhibits or information from the controller or processor and can request that the CNIL's services carry out additional investigations. In practice, these powers already existed but they were not specifically provided for in the Implementing Decree.

If the Rapporteur decides to put an end to the sanction proceedings, she/he must now expressly inform the concerned controller or processor (Article 39 of the Implementing Decree).

The Rapporteur can also be assisted by certain qualified external parties (e.g. judges, civil servants, other experts, etc.) provided they have no conflict of interest (Article 41 of the Implementing Decree).

The time-limits for the exchanges of briefs in the scope of the sanction proceedings are extended.

The number of exchanges between the Rapporteur and the controller or processor is no longer limited to 2 rounds. This means that the Rapporteur is free to decide how many exchanges of briefs are needed before the case is ready to be heard. In addition, the time-limit to respond to the Rapporteur's reports is extended to 1 month in all scenarios (previously, it was limited to 15 days for the second round). The President of the Restricted Committee can now agree to extend these time-limits by more than 1 month upon request of the controller or processor (previously, extensions could not exceed 1 month).

Once the adversarial part of the proceedings is closed, the President of the Restricted Committee must set the date of the hearing before the Committee at least 15 days in advance (previously, it was at least 1 month in advance) (Article 40 of the Implementing Decree).

Experts can now attend the session before the Restricted Committee.

The controller or processor can now invite experts to attend and be heard during the hearing (in addition to its outside counsel) (Article 42 of the Implementing Decree).

Additional powers granted to the President of the CNIL

The President of the CNIL has greater flexibility when she issues formal notices.

The President of the CNIL can now set whichever time-limit she deems appropriate for a controller or processor to comply with a formal notice, and can renew this time-limit once (previously, the time-limit could not exceed 6 months, renewable once) (Article 38 of the Implementing Decree). The minimum time-limit of at least 10 days granted to comply, except in case of emergency, is maintained.

The President of the CNIL may close formal notice proceedings without proof of compliance from the controller or processor (whereas before proof of compliance was always mandatory). In such a case, compliance can be reviewed later on (months or years afterwards), possibly in the scope of new proceedings. If the President of the CNIL requires proof of compliance within a certain time-limit, she can, in case of emergency, impose a 24-hour time-limit to bring forward said proof (Article 20, II of the French Data Protection Act).

The President of the CNIL can now decide to simply remind controllers or processors of their legal duties.

In case of infringement of the GDPR or the French Data Protection Act, the President of the CNIL may now simply remind the controller or processor of its legal duties (this is intended for minor infringements) (Article 20, II of the French Data Protection Act).

The Law of 24 January 2022 and the Decree of 8 April 2022 entered into force on 26 January and 11 April 2022, respectively.
