CNIL — Commission Nationale de l’Informatique et des Libertés

Overview

The Commission Nationale de l’Informatique et des Libertés (CNIL) is France’s independent data protection authority, established in 1978 and designated as France’s national supervisory authority under the GDPR (Article 51). CNIL enforces data protection law, issues binding decisions and practical guidance for researchers and organisations processing personal data, and authorises secondary use of sensitive health datasets including the SNDS national health data system under the CESREES pathway. Its délibération no. 2020-091 provides specific conditions under which cookieless web analytics are exempt from the ePrivacy consent requirement, and has been widely adopted as a practical compliance framework for audience measurement tools including Matomo. CNIL coordinates with other EU supervisory authorities through the European Data Protection Board (EDPB) and is the lead authority for data protection matters concerning French research institutions.

Connections

• relatedTo: GDPR (CNIL is France’s designated national supervisory authority established under GDPR Article 51)
• memberOf: EDPB (CNIL is France’s representative on the European Data Protection Board)
• relatedTo: EHDS (CNIL is France’s national supervisory authority for EHDS implementation under Article 36, which routes EHDS enforcement through existing GDPR national authorities)
• relatedTo: Health Data Hub (CNIL regulates health data access through the CESREES authorisation pathway under which the Health Data Hub operates)

Resources

• https://www.cnil.fr/en
• https://www.cnil.fr/fr/cookies-et-traceurs-que-dit-la-loi (CNIL guidance on cookies and trackers)
• https://www.cnil.fr/sites/cnil/files/atoms/files/deliberation_2020-091.pdf (délibération no. 2020-091 on analytics exempt from consent)