Emphasising the need to increase consumer confidence in the digital environment, in 2008, the European Parliament recommended that data protection and privacy rules be included in any consumer strategy.1 Following this recommendation, the French Consumer Council (Conseil National de la Consommation) set up a working group dedicated to the protection of consumers' personal data and issued 27 proposals targeted at improving and strengthening consumers' rights.2 Perhaps most important of all, the French Consumer Council recommended that the expertise and control capabilities of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés, the "CNIL") should be strengthened.
CNIL and the French General Directorate of Competition, Consumer Affairs and Fraud Control (Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes, the "DGCCRF") decided to join forces to increase the protection of consumers' personal data. In January 2011, they entered into a general cooperation protocol (the "Cooperation Protocol").
Early Stages Of Collaboration
The main goal of the Cooperation Protocol was to raise consumer awareness and gather information on noncompliance with data protection. Both CNIL's control department and DGCCRF's national investigation department can conduct on-site investigations. The protocol initially set up three cooperation principles:
- Exchange between CNIL and DGCCRF of information gathered during investigations. When potential violations of data protection laws are identified in investigations by the DGCCRF, that department must inform CNIL. The same applies when potential violations of consumers' rights or anti-competitive practices are identified by CNIL; they must notify DGCCRF.
- Work and controls on matters of common interest. CNIL and DGCCRF can decide to jointly conduct investigations.
- Training of staff. Under the Cooperation Protocol, CNIL should deliver specialist training to DGCCRF's staff and vice versa.
Since 2011, key areas of collaboration between CNIL and DGCCRF include the processing of personal data by social networks, deceptive commercial practices related to compliance with the European General Data Protection Regulation (GDPR) and the use of personal data in e-commerce.
The 2019 Cooperation Protocol: One Step Further
On 31 January 2019, CNIL and DGCCRF signed a new Cooperation Protocol. This updated version is designed to reinforce the collaboration between these two departments. With the increase in online consumerism and the Internet of Things (IoT), areas of common interest between DGCCRF and CNIL are expected to grow. This made it necessary to adapt the initial Cooperation Protocol to take account of new digital issues and challenges.
On their websites,3 CNIL and DGCCRF each specify the principal areas of cooperation and their objectives:
- improving consumers' awareness of the risks at stake when they communicate personal data and supporting the spread of professional best practice in this area
- enabling easier information exchanges where noncompliance with consumer law and consumer personal data protection law is in issue
- conducting joint controls
- jointly supporting proposals for action at the European level
- pooling skills (particularly investigation tools) and
- sharing their analyses of the evolution of the legislative and regulatory framework governing protection of consumers and their personal data.
An annual report will be drafted to ensure monitoring of this cooperation.
The 2019 Cooperation Protocol has not yet been published.
Less than one year after the application of the GDPR, this new Cooperation Protocol illustrates the French authorities' will to reinforce their control of companies' compliance with the new data protection principles and obligations.
Companies operating in France should expect the multiplication and reinforcement of joint controls by CNIL and DGCCRF. These joint controls may be unannounced (as they are when CNIL or DGCCRF implements their own controls).
It should also be noted that consumer associations in France are very active in the field of data protection. They can file a complaint for data breach with CNIL and communicate information to DGCCRF which may trigger investigations. Consequently, companies need to be prepared for unannounced on-site controls and should be able to demonstrate that processing takes place in accordance with data protection laws.
1 European Parliament resolution of 20 May 2008 on EU consumer policy strategy 2007-2013 (2007/2189(INI)), §17.
2 French Consumer Council, report dated 18 May 2010, available in French at: https://www.economie.gouv.fr/files/files/directions_services/cnc/avis/2010/180510protection_donnees_perso.pdf.
3 https://www.cnil.fr/fr/la-cnil-et-la-dgccrf-font-evoluer-leur-protocole-de-cooperationpour-renforcer-la-protection-des and https://www.economie.gouv.fr/dgccrf/cnil-et-dgccrf-font-evoluer-protocole-cooperation-pour-renforcer-protection-desconsommateurs (in French).