Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL) published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.

On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes.  The guidance is significant in two respects.  First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns.  Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data.

In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace.  Unlike many items of personal information, biometric data (such as a person’s face or fingerprints) is unique and, if stolen or otherwise compromised, cannot be changed to avoid misuse.  Under Article 9 of the GDPR, biometric data collected “for the purpose of uniquely identifying a natural person” is considered “sensitive” and warrants additional protections.  The GDPR authorizes Member States to implement such additional protections.  As such, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.