GDPR: The CNIL multiplies fines, according to the “Observatory of CNIL Sanctions” of Walter Billet Avocats

  • The CNIL confirmed in 2023 its desire to identify breaches of the GDPR and opted for a sanction on more than thirty occasions.

  • Three major fines were imposed against Criteo, Amazon France Logistique and Yahoo! EMEA Ltd, for a total of 82 millions euros.

  • The authority has also increased more modest fines by using the simplified procedure introduced in April 2022, to sanction companies of all sizes but also public entities.


The second edition of “The Observatory of CNIL Sanctions” from the Walter Billet Avocats firm confirms the desire of the public administration to continue to identify and sanction breaches of the General Data Protection Regulation (GDPR), which came into force mid-2018.

Created from the examination of decisions taken during the year 2023, “The Observatory of CNIL Sanctions” makes it possible to establish that the authority headed by Marie-Laure Denis has issued more than thirty fines – to compare with the 21 sanctions taken during the previous year.

With an annual rate of progression which exceeds 50% for the first time over the last four vintages, the sanctions imposed demonstrate the rise in control procedures regarding the processing of personal data.


Three fines exceeding 1 million euros…

Although having communicated much less publicly in recent months on such decisions, the CNIL has therefore moved up a gear. This should certainly be seen as the logical continuation of what the administration had underlined during its previous annual report, indicating that it had set a record with 147 formal notices in 2022.

That being said, the panorama of CNIL interventions presents a significantly different configuration from one year to the next. While seven companies had been fined more than 1 million euros, in 2022, only three have suffered a sanction of such magnitude, this time: Criteo (40 millions), Amazon Logistique France (32 millions) and Yahoo! EMEA Ltd (10 millions).

Six others were fined more than 100,000 euros, including the Canal + Group (€600,000), Doctissimo (€380,000) and SAF Logistics (€200,000).


… and an increase in simplified procedures

In addition to these major sanctions, “The CNIL Sanctions Observatory” highlights the fact that the multiplication of fines is essentially the result of recently introduced intervention methods. “Last year, the CNIL made particular use of the simplified procedure, created in April 2022 and allowing it to rule quickly on cases that do not present any particular legal difficulty. In this context, it did not hesitate to order on numerous occasions the payment of the maximum penalty, a fine of 20,000 euros,” analyzes Alan Walter, co-founding partner of Walter Billet Avocats and expert in new technology law. and personal data.

From a global point of view, and as in 2022, the CNIL has sanctioned stakeholders of all sizes. In addition to commercial companies, it also continued to place health practitioners (general practitioners, dental surgeons, etc.) as well as actors in the public sphere (municipalities, ministries, etc.), just as concerned by the text governing the collection and processing of personal data.

On the other hand, if the protection authority carries out its actions regardless of the sector of activity of the targeted entity, it appears from the sanctions pronounced in 2023 that these particularly concerned companies developing an activity linked to new technologies. (IT), whether mobile application developers, software publishers, or even websites and media.


Failure to cooperate punished

“Regarding the reasons given during its investigations, the CNIL sanctioned multiple actors for lack of cooperation, particularly within the framework of the simplified procedure,” continues Alan Walter. In light of these facts, it is worth remembering that it is appropriate to cooperate in good faith with the CNIL as part of its investigation, in order to limit or even avoid any risk of conviction. »

Including in “classic” procedures, the CNIL has reiterated in practice that it does not hesitate to impose significant sanctions in the event of a lack of cooperation. It therefore appears essential to remind all entities concerned by an inspection that it is not enough to be prepared and that it is necessary to surround yourself well to be able to follow these investigation procedures and to comply with requests from the public administration.

In this regard, it is also interesting to note that the CNIL liquidated the penalty imposed against the company Clearview AI and decided that it will have to pay 5.2 million euros for not having complied. to the injunction formulated in the sanction decision of October 2022 – already imposing a fine of 20 million. “This specific case demonstrates that any lack of reaction to a sanction is likely to result in a new fine,” insists Alan Walter.


Don’t let your guard down in 2024

Without a doubt, such recommendations will still be relevant, again this year. Indeed, on December 12, 2023, the CNIL signed a joint declaration with the Competition Authority, highlighting “their common ambition and their desire to deepen their cooperation”. At the beginning of January, the data protection authority also used its LinkedIn account to list the fifteen positions that it opened for permanent recruitment at the start of the year, a sign of a desire to continue the development of its activities.

Such initiatives are in line with history and constitute as many indicators, if necessary, of the need for businesses and administrations not to let down their guard in 2024. All controlled organizations can also refer to the guideline relating to the calculation of administrative fines, adopted on May 24 by the European Data Protection Committee (EDPS). Although not binding on the CNIL, this document makes it possible to understand potential convictions in the event of non-compliance with the GDPR.

Alan Walter indicates: “These guidelines take into account in particular in the calculation method the amounts covered by the GDPR (which constitute ceilings), the seriousness of the breach and the turnover of the organization in question. This amount may subsequently be reassessed in the event of aggravating or mitigating circumstances, linked to the behavior of the organization (such as repeat offenses, the degree of cooperation or the extent of the actions put in place to limit the damage suffered by the persons concerned).”

Methodology: “The Observatory of CNIL Sanctions” from the Walter Billet Avocats firm is carried out on the basis of decisions made public by the CNIL. The amounts of the sanctions, the articles of the GDPR mentioned and the identities of the companies and organizations concerned are extracted from the documents revealed by the CNIL and available on its website, as well as from the decisions available via Legifrance.

The comments appearing in “The Observatory of CNIL Sanctions” are based on the analysis carried out by the IP-IT team of the Walter Billet Avocats firm, led by Alan Walter.