On 31 December 2021, the French data protection authority (CNIL) issued a sanction against two companies of the GOOGLE Group (GOOGLE LLC and GOOGLE IRELAND LIMITED) and the company FACEBOOK IRELAND LIMITED for failure to comply with Article 82 of the French Data Protection Act of 6 January 1978 as amended.
- facebook.com;
- google.fr;
Several clicks were necessary to refuse all the cookies, whereas a single click on the button provided for this purpose (“I accept” or “Accept cookies”) was sufficient to accept them all.
Consequently, the CNIL imposed the following financial penalties:
- 150 million euros against GOOGLE (90 million euros for GOOGLE LLC and 60 million euros for GOOGLE IRELAND LIMITED);
- 60 million against FACEBOOK IRELAND LIMITED.
Délibération SAN-2021-023 du 31 décembre 2021 – Légifrance (legifrance.gouv.fr)
Délibération SAN-2021-024 du 31 décembre 2021 – Légifrance (legifrance.gouv.fr)
As it does every year as Christmas approaches, the CNIL has issued a reminder of a few tips on connected toys, in particular regarding their security.
In particular, the CNIL recommends that you:
– check that the toy does not allow just anyone to connect to it (check that pairing it with a smartphone or with the Internet requires a physical access button on the toy or the use of a password);
– change the default settings of the toy (password, PIN code, etc.);
– secure access to the online account attached to the toy with a strong password different from your other accounts;
– check that the object has a light that shows when it is listening or transmitting information over the Internet;
– provide as little information as possible at the time of registration: for example, give a random date of birth if the system needs to determine an age;
– create a specific email address for the toys used by the child;
– use pseudonyms as much as possible instead of the child’s name / first name.
All of the CNIL’s advice can be found below:
On 12 February 2019, the European Data Protection Board (EDPB) adopted an information note on data transfers under the GDPR in the event of a no-deal Brexit.
The EDPB confirms that, as of 30 March 2019, unless an adequacy decision is adopted by the European Commission by then, data transfers must be based on one of the following:
- standard data protection clauses,
- binding corporate rules,
- codes of conduct,
- derogations (strictly interpreted).
It is therefore recommended to:
- identify the data processing operations that involve a data transfer to the UK,
- amend the contract with appropriate clauses,
- update internal documentation (register of processing operations),
- update the privacy notice.