CNIL publishes 2023 Annual Report

From Data Bytes 46 summarising updates from April 2024¹

The CNIL's 2023 annual report unveiled key highlights pertaining to its following four core missions: 

• Informing individuals and safeguarding their rights: In 2023, CNIL launched a public awareness campaign, engaging with over 2,500 individuals through conferences and workshops across six regions. Complaints from the general public surged in 2023, with the regulator receiving 16,433 complaints, marking a 35% increase from 2022. Despite the influx, the CNIL processed all received complaints for the second consecutive year. Moreover, indirect access requests experienced a remarkable surge of 217%, amounting in 20,810 requests received via the dedicated online service. The CNIL's website also saw a record-breaking 11.8 million visits, underscoring growing interest in data protection, particularly concerning topics such as phishing, cookies, and artificial intelligence ("AI"). 
• Providing compliance support and guidance: In its commitment to assisting professionals in achieving compliance, the CNIL strengthened its support strategy in the realm of AI. Within this context, the CNIL provided heightened assistance to companies demonstrating notable economic or innovative potential, and hosted the third edition of its "sandbox" program. In addition to offering sector-specific and tailored support (with 1,651 advisory requests received in 2023), the CNIL also developed 13 new reference materials: comprising 5 guides, 4 reference documents, 2 recommendations, and 2 methodologies tailored to the healthcare sector.
• Fostering anticipation and innovation: In 2023, the CNIL collaborated with the research community to host the second edition of the international Privacy Research Day, convening 4,439 regulators and researchers. As part of its role in anticipation and innovation, the CNIL published an AI roadmap centred on three core principles: guiding privacy-conscious AI development, fostering collaboration among innovative stakeholders, and auditing existing systems while safeguarding individuals. Recognising the increasing relevance of data protection in environmental contexts, CNIL explored the intersection between data protection and the environment in its 9th IP report entitled "Data, Footprints, and Freedoms", comprising 32 articles and case studies. Additionally, CNIL organised the air2023 ethics event, attracting 1,700 participants, and subsequently published a booklet in 2024 summarising the event's key themes.
• Investigating and sanctioning violations of the General Data Protection Regulation ("GDPR") and related laws: the CNIL conducted 340 investigations in 2023, issuing a total of 42 sanctions (twice as many as in 2022), including 36 fines amounting to €89,179,500. The CNIL Chair issued 168 formal notices and 33 reminders of legal obligations to organisations in breach of data protection regulations. Notably, 24 of the aforementioned sanctions were issued under the "simplified procedure", introduced in 2021 in order to streamline cases lacking legal complexity. 

 1 https://www.cnil.fr/en/cnil-publishes-its-annual-report-2023 ; https://www.cnil.fr/sites/cnil/files/2024-04/cnil_44e_rapport_annuel_2023.pdf 

Authors: Nicolas Quoy, Partner; Antoine Boullet, Senior Associate.