On May 21, 2024, France adopted law No. 2024-449 to secure and regulate the digital space. This law grants new enforcement powers and authority to the French Data Protection Authority (CNIL), including to seize documents, record declarations during dawn raids, and enforce certain provisions of the Digital Services Act (DSA) and the Digital Governance Act (DGA).
Power to Seize Documents and Record Declarations During Dawn Raids
The CNIL now has the power to seize documents relating to potential breaches of the General Data Protection Regulation (GDPR), the French Data Protection Act, and certain provisions of the DSA during on-site inspections. Previously, the CNIL was only allowed to take copies of documents.
The CNIL now also can make audio recordings of witness statements made during investigations, either on-site or during a hearing at the CNIL, with the witness’s consent. Previously, the CNIL was not allowed to make such recordings.
This widening of the CNIL’s powers raises new questions about the procedural guarantees companies and individuals have during CNIL inspections and hearings. In France, the seizure of materials is traditionally an authority of the judiciary, not administrative authorities such as the CNIL. The existence of effective remedies and procedural safeguards, such as the obligation of the CNIL to obtain an order from a judge prior to the seizure and the possibility of seeking a judicial order to prevent seizure, is lacking today, which is a serious shortcoming. By comparison, organizations subject to dawn raids of the French Competition Authority benefit from such guarantees. For example, competition dawn raids are always subject to the prior authorization by a judge and a judiciary police officer is always present during the raid.
Power to Enforce Certain Provisions of the DSA
For online platforms that have their main establishment or legal representative in France, the CNIL is now the competent authority to enforce provisions of the DSA relating to:
Failure to comply with the above rules can result in administrative fines up to six percent of the online platform’s worldwide turnover. The CNIL can also issue an injunction to comply with a daily penalty of up to five percent of the average daily worldwide turnover or income of the provider. The amount of this daily penalty is considerably higher than the one the CNIL may order under the General Data Protection Regulation (max 100,000 EUR per day).
However, in the event an online platform fails to comply with the CNIL’s requests during an investigation or provides inaccurate, incomplete, or misleading information, the maximum amount of an administrative fine is limited to one percent of the worldwide turnover.
In France, the ARCOM (the media authority) and the DGCCRF (the consumer protection authority) are competent to enforce other provisions of the DSA.
Power to Enforce Certain Provisions of the DGA
The CNIL is now authorized to enforce certain provisions of the DGA relating to data altruism. “Data altruism” refers to the voluntary sharing of data by individuals or organizations without receiving a benefit beyond the compensation of the costs to make the data available for objectives of general interests. These general interests encompass healthcare, mobility, and climate change.
For instance, the CNIL will be responsible for maintaining the public national register of recognized data altruism organizations in France and handling complaints made by natural and legal persons, including in relation to transparency obligations.
The above changes show that the CNIL’s powers and responsibilities are growing, positioning the CNIL as one of the most significant digital regulators in Europe. They also demonstrate the increasing regulatory complexity in France and in the EU, flowing from the implementation of all the digital acts that have recently been enacted. We will be on the lookout for new enforcement actions from the CNIL to see how these new powers will be used.
For more information on the new enforcement powers of the CNIL or any related matter, please contact Cédric Burton, Yann Padova, Marie Catherine Ducharme, or another member of the firm’s privacy and cybersecurity practice.