The French Data Protection Agency, Commission Nationale Informatique et Libertés (CNIL) will focus on 4 topics for its investigation:

  • use of “smart” cameras by public actors
  • the use of the file on a personal credit repayment incident
  • the management of health files
  • mobile apps

The use of “smart” cameras by public actors

As large scale events will take place in France over 2023 (World Cup Rugby) and 2024 (Olympic Games), CNIL has made it a priority to ensure the use of “smart” cameras, particularly by local authorities, is made with full compliance with European legislation as per GDPR. First mentioned as a key item in the 2022-2023 strategic plan, then part of a public consultation to determine its position, the CNIL continues its journey to resolve numerous questions raised by this particular theme.
As a result, the CNIL has decided to make this subject a priority for its investigations in 2023 and will verify compliance with the legal framework by public players.

The use of the personal credit repayment incidents file

It is mandatory for any Banks to consult the File on personal credit payment Fichier national des incidents de remboursement des crédits aux particuliers (FICP) before granting credit. In an economic context where obtaining funds is becoming more difficult, CNIL want to ensure the data is strongly monitored and keep up to date as the contrary could lead to dramatic consequences for individuals. The checks will be focused on how banks interact with the file and maintain the correct information.  

Access to the electronic patient record in health care institutions

Over the past few years, there is no doubt the CNIL is focusing on health in the Data Protection and Privacy sphere by providing regular recommendations and opinions. The security of health-related data within this theme, is an ongoing key topic since 2020 and will continue as the CNIL is still facing a large number of complaints and cases.  The CNIL’s focus is on access to the computerised patient file and, as a result of this, the CNIL faces multiples complaints about unauthorised third-party access to the patient’s file in health establishments.

User tracking by mobile applications

Marketing campaigns, Analytics and Cookies are common place in the very competitive world. However, these must be controlled and have the consent of individuals. 

CNIL provided its recommendation on the above and started investigations to find applications that access identifiers generated by mobile operating systems in the absence of user consent. As a result of this, the Marketing and Privacy Office must join forces in developing a robust mobile application to ensure it complies with GDPR regulatory framework.

HewardMills have a number of Data Analysts and Consultants who are well placed to advise on any queries that your organisation may have in relation to this CNIL investigation.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at