The CNIL has just released its investigation plan for 2023.
The controls conducted by the CNIL based on this investigation plan will come in addition to controls resulting from complaints received, reports of data breaches, or related to current events.
For 2023, the CNIL will focus on the following four priority topics:
The use of "augmented" cameras by public actors
A growing number of French public local authorities are increasing their use of augmented or intelligent cameras. These new types of cameras are intended to be used for large-scale events in France, such as the Rugby World Cup in 2023 and the Olympic Games in 2024.
The CNIL intends to conduct controls to ensure that the use of augmented cameras by public actors respects the existing legal framework.
Use by French banking institutions of the National Register of Household Credit Repayment Incidents (FICP)
The FICP is a French public database managed by the Banque de France collecting information on payment incidents and over-indebtedness by French households. Consultation of this register by French banks is compulsory and decisive, for example when granting a loan.
The CNIL intends to investigate the conditions under which banks access, update, and consult this register, notably after payment incidents.
Access by healthcare institutions to personal digital medical records (DMP)
The security of health data is a key issue for the CNIL. Numerous complaints have been received, and many controls have already been carried out by the CNIL concerning unlawful access to digital patient records.
The CNIL intends to increase its controls in 2023 to verify that the measures healthcare institutions have put in place to secure health data are sufficient.
Use of tracking technologies by mobile applications
Phone manufacturers give application publishers access to various identifiers (Apple IDFA, IDFV, Google AAID…) that make it possible to track users for various purposes, both advertising and technical. The CNIL considers that these identifiers are too often used systematically without appropriate information being given to users and without valid consent being collected.
The CNIL intends to ensure that access to these identifiers complies with its guidelines on the use of cookies and other tracking technologies, notably consent rules.
Simultaneously, the CNIL will continue its current work and consultation aimed at establishing good practices in terms of mobile application development.