Cookie assessment criteria published by the CNIL of France

The CNIL of France has published a cookie assessment criteria guide to aid businesses in determining the validity of cookies and other tracers. 


The CNIL has published guidelines on the use of cookies and other tracers, which initially prohibited cookie walls as they were seen as a violation of the principle of free consent. A cookie wall requires users to consent to cookies, in order to gain access to a site or service. The CNIL concluded that the validity or legality of cookie walls was better determined on a case by case basis, rather than prohibiting cookie walls altogether. The authority deemed it necessary to publish a guide containing preliminary criteria, to assess the legality of the use of cookie walls, in the absence of a position from the CJEU. 


While not prohibited in France, a careful assessment is required prior to the implementation of cookie walls. 


Cookie walls require an internet user to accept cookies or other tracking devices in order to access the content of a website. In most cases, there is an alternative, paid option, in the form of a subscription, to compensate for any loss of advertising revenue from targeted ads made possible by the collection of cookies. The validity and legality of cookies is intended to be assessed on a case by case basis based on what alternatives are offered to users if they choose to decline cookies, and how reasonable these alternatives are. This will require a careful assessment of the alternative options, as suggested by the CNIL. 


CNIL outlined several key factors which are considered in determining the validity of cookie consent and cookie walls. 


While the validity of a cookie wall is to be determined on a case by case basis, there are a few key determining factors which the CNIL highlighted. For one, it matters whether or not the Internet user who refuses cookies still has a fair alternative to access the content. In some cases, paid access can be granted, replacing the cookie wall with a paywall. In cases where there is a paywall to access content, CNIL will consider whether the price is deemed reasonable. This, in most cases, will be determined by the amount of ad revenue which would be lost as a result of the user refusing cookies. Another important point to consider is whether the cookie wall can cover “all” cookies indiscriminately, or just certain types of cookies. 


CNIL recommends that the publisher offers a real and fair alternative allowing users access to the site, in the event that they refuse cookies, which does not does not include having to consent to the use of their data. In cases where the user chooses paid access without consenting to cookies, there may be limited cases where cookies can still be deposited. The CNIL stressed that users should be able to accept and refuse cookies based on their purpose, and should be able to access the site setting and revoke consent at any time. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Medical data breach leads to major fine from CNIL

Earlier this month, the CNIL imposed a fine of €1.5 million after a medical data breach affecting nearly 500,000 people revealed a company’s security flaws.


Early last year, a major data breach affecting nearly 500,000 people was reported. The breach involved information including users’ surnames, first names , social security numbers, names of their prescribing doctors, dates of their examinations, and most critically medical information on conditions (HIV, cancers, genetic diseases, pregnancies, drug treatments followed by the patient, or even genetic data). In February 2021, the CNIL carried out several inquiries into the company DEDALUS BIOLOGY, a software company, which supports medical analysis laboratories. Based on the findings, CNIL concluded that the company had breached several obligations under the GDPR, in particular the obligation to ensure the security of personal data. The CNIL decided to impose a fine of 1.5 million euros and to make this decision public. The amount of this fine was decided based on the seriousness of the violations, but also considered the turnover of the company.


CNIL sanctioned the software company for violating several GDPR obligations following the medical data breach.


Two companies requested the services of DEDALUS BIOLOGY for the migration from software to another tool. In this case, the company extracted a larger volume of data than was required to perform this task. The company has therefore processed data beyond the instructions given by the data controllers.

This breach of the obligation for the processor to comply with the instructions of the controller is a violation of article 29 of the GDPR. CNIL also fined the company over a breach of the obligation to regulate their processing by a formalized legal act as the maintenance contracts transmitted to CNIL by DEDALUS did not contain the information provided for by article 28-3 of the GDPR which stated that data processing “…shall be governed by a contract or other legal act under Union or Member State law…”


During its investigation, CNIL also encountered several technical and organizational faults in terms of security within DEDALUS BIOLOGY with regard to the operations of migrating the software to another. These included the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on a problematic server, as well as  the absence of automatic deletion of data after migration to the other software. In addition the company’s systems lacked the authentication required from the Internet to access the public area of ​​the server and had user accounts shared between several employees on the private area of the server. DEDALUS also lacked a supervision procedure and security alert escalation on the server. This lack of satisfactory security measures contributed to the data breach which compromised the medical and administrative data of nearly 500,000 people and violated  Article 32 of the GDPR. 

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

New cookie consent popup launched by Google following CNIL fine

Google is rolling out a new cookie consent pop up, after receiving a fine from the CNIL under the EU GDPR.


Google recently shared a preview of its new cookie consent popup. This new popup will initially be available on YouTube in France. However Google has expressed that it plans to roll out the new design across all Google services in Europe. This new cookie consent popup comes a few months after the CNIL of France fined Google €150 million for breaching data protection law. According to CNIL, Google failed to comply with current regulation with regard to presenting tracking choices to users with the previous cookie consent popup. Not only has the text been updated, but more importantly, the choices offered at the bottom of the cookie consent popup are very different.


Google made some drastic changes to the choices offered at the bottom of the new cookie consent pop up.


The choices at the bottom of the screen, as will be reflected in the new cookie consent popup, are radically different. With the old design, users had two options — “I Agree” and “Customize”. With the old popup, users who clicked on “Customize”, would be taken to a separate web page with several options. In order to disable all personalization settings, they would have to click “off” three times and then click confirm. In the new design, there is now a third option, a “Deny All” button that lets users opt out of tracking altogether with a single click, with the two main buttons being the same color, size and shape. Under the EU GDPR and the ePrivacy rules, online services have to obtain clear consent from their users before they can process not-strictly necessary cookies data. Consent must be informed, specific and freely given in order for it to be legally obtained. The new approach will allow Google to get more meaningful consent from users.


Inspired by guidance from the CNIL, under the EU GDPR, Google has overhauled its approach to managing cookies.


After the initial roll out of the updated popup on YouTube in France, Google plans to use the same design for its search engine as well across the European Economic Area, the U.K. and Switzerland. Many users won’t see the updated popup. Users who are already logged into a Google account have settings that are already stored in their profiles. Also, people who are using Google Chrome more than likely have their web browser tied to their Google accounts if they have ever logged into a Google service in the past. New users will soon experience more options with the new cookie consent popup. Existing users can however review their privacy settings. “Following conversations and in accordance with specific directives from the Commission nationale de l’informatique et des libertés (CNIL), we carried out a complete overhaul of our approach. In particular, we have changed the infrastructure we use to manage cookies,” Google wrote in a recent blog.

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

AI resources from CNIL published to support professionals

A collection of AI resources from CNIL were published in an effort to aid professionals in maintaining compliance. 


With the developments in the use of AI systems over the years, new challenges in terms of data protection have presented. As part of its missions of information and protection of rights,  the CNIL has offered a set of content devoted to AI, to aid professionals, as well as specialists and the public in general, in this regard. These resources form part of a larger European strategy, which is aimed at encouraging excellence in the field of artificial intelligence. This strategy includes rules intended to guarantee the reliability of these AI technologies. More particularly, it is about developing a solid regulatory framework for AI based on human rights and fundamental values, building the trust of European citizens.


In addition to helping professionals maintain compliance, the AI resources from CNIL are also aimed at specialists in the field, and would prove helpful to the general public as well. 


The resources are aimed at three main audiences: AI professionals which consist of data controllers or subcontractors, specialists (AI researchers, data science experts, machine learning engineers, etc.), and the public at large. These resources can be very helpful to members of the general public who are  interested in the operation of AI systems and their implications in our daily lives or those who wish to test their operation. Specialists who handle artificial intelligence on a daily basis, and who are curious about the challenges that artificial intelligence poses to data protection will also find these resources very helpful. The resources are however, mainly tailored to professionals who process personal data based on AI systems, or who wish to do so and who want to know how to ensure their compliance with the GDPR.


The AI resources from CNIL include two extensive guides for professionals empowering them to take greater responsibility for remaining in compliance with the use of their AI systems. 


The CNIL provides two main resources which would prove helpful to AI professionals, a detailed guide for GDPR compliance, as well as a self assessment guide for organizations to assess their AI systems with regard to GDPR compliance. The guide for GDPR compliance should prove helpful at every stage of the lifespan of AI systems; the learning stages, as well as the stages of production. It encourages continuous improvement as well as continuous assessment, to ensure that once the system is deployed, it meets the operational needs for which it was designed. This guide takes into account the known challenges presented by AI systems and aims to deal with them preemptively, and on a consistent basis throughout their use. The self assessment guide provided by CNIL is to be used in conjunction with the GDPR compliance guide, and helps AI professionals to assess the maturity of their AI systems with regard to the GDPR. It aims to  empower these professionals with instructional tools which help promote transparency and user rights, prevent breaches, and maintain compliance, and best practices. 

Do you use AI in your organisation and need help ensuring compliance with AI regulations?  Aphaia can help. Aphaia also provides AI Ethics Assessments and both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.