Personal data

On July 10, 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework.

This decision concludes that the USA ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the European Union to US companies under the new Framework.

As such, personal data can henceforth flow safely from the European Union to US companies adhering to the new Framework, without having to put in place additional data protection safeguards.

The French Data Protection Authority imposed on AG2R LA MONDIALE a 1.75 million euros fine for failing to comply with the obligations under the General Data Protection Regulation regarding data retention periods and information to be provided to individuals.

Two breaches were mainly highlighted: an excessive retention period for personal data and a lack of information provided to people during telemarketing calls by subcontractors.

On March 17, 2021, the European Commission presented a proposal for a regulation to create a digital green certificate to facilitate free movement within the European Union in the current context of the COVID-19 pandemic.

This contemplated digital tool was discussed in a joint opinion from the European Data Protection Board and the European Data Protection Supervisor dated March 31, 2021, published on April 6, 2021.

In an order dated March 12, 2021, the Conseil d’Etat (French Administrative Supreme Court) refused to suspend the partnership between the French State and Doctolib in the context of the COVID-19 vaccination campaign.

The plaintiffs had requested this suspension in summary proceedings, arguing that the safeguards provided by Amazon Web Services for data hosting were insufficient.

When visiting a website or using mobile apps, users must be informed and give their consent before cookies or other trackers are deposited or read, unless these trackers benefit from one of the exemptions provided for by law.

Following the publication of its guidelines and recommendation on October 1, 2020, the French Data Protection Authority has given until March 31, 2021 to bring websites and mobile apps into compliance with the new rules.

In a deliberation No. 2021-006 issued on January 19, 2021, the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”) gave its opinion on a draft Decree aimed at strengthening the system for tracing the chains of COVID-19 transmission, known as the “Contact Covid” information system, as part of the French Government’s strategy to fight against the spread of the virus.

This article outlines the CNIL’s main observations and recommendations which aim at maintaining the protection of often sensitive personal data while the draft Decree foresees a considerable and substantial extension of the information collected.