RGPD

QWANT: The CNIL Reminds the Company of Its Obligations Regarding the Processing of Personal Data

The protection of personal data has become a crucial issue in the digital age, where every online interaction generates a multitude of information that may be exploited. The case of QWANT, the French search engine, is a prime example of the challenges that companies face in com

Contents
Schedule a discussion

Reading time:

6 min

The protection of personal data has become a crucial issue in the digital age, where every online interaction generates a multitude of information that may be exploited. The case of QWANT, the French search engine, is a prime example of the challenges that companies face in complying with data protection regulations. Indeed, the CNIL, the regulatory authority in France, recently reminded QWANT of its legal obligations regarding the processing of personal data, emphasizing the importance of full transparency towards users. This situation raises fundamental questions about the distinction between anonymized data and personal data, as well as about companies' responsibilities under the GDPR. In this article, we will explore the legislative framework surrounding QWANT, the reasons why the CNIL classifies its data as personal data, the changes made to the company's privacy policy, and the implications of the formal reminder of legal obligations issued by the CNIL.

If you wish to engage a lawyer specializing in personal data law, contact me!

Why does the CNIL consider QWANT's data to be personal data?

The question of how to classify the data processed by QWANT was at the heart of the analyses carried out by the CNIL. In 2019, the CNIL was faced with a complaint asserting that the information collected by QWANT was not anonymous but instead constituted personal data, thereby subject to the GDPR. Indeed, even though QWANT claimed to use anonymization techniques, the CNIL found that the methods implemented did not guarantee that users could not be re-identified. This finding rests on the idea that data such as IP addresses, even when truncated or hashed, may still allow indirect links to individuals.

This analysis led to an essential clarification: contrary to QWANT's assertions, the technical information transmitted to MICROSOFT in order to display contextual advertising and carry out other marketing operations is regarded as personal data. Indeed, the CNIL emphasizes that mere pseudonymization cannot suffice to rule out the classification as personal data, particularly where the information can be cross-referenced with other available data. Accordingly, QWANT had to comply with its obligations of information and transparency towards users, a key requirement of the GDPR. This position taken by the CNIL is a reminder of the crucial importance of personal data regulations and calls on companies to remain vigilant as to the nature of the data they collect and process. Now, we will examine the changes QWANT made to its privacy policy following this clarification by the CNIL.

Let's discuss your needs for 15 minutes!

What changes did QWANT make to its privacy policy following the CNIL's conclusions?

The evolution of QWANT's privacy policy following the observations made by the CNIL in 2019 reflects a willingness to adapt to regulatory requirements. In response to the authority's reclassification of its data, QWANT made significant changes to its privacy policy in 2020. The main objective of these adjustments was to ensure strict compliance with the GDPR and to inform users transparently about the processing of their personal data. First, the company introduced a more appropriate term, describing the data transmitted to MICROSOFT as "pseudonymous". This nuance is essential because it indicates an acknowledgment of responsibility regarding the nature of the data processed and highlights the fact that genuine anonymization was not in place. This change allowed QWANT to address, in part, the criticisms raised by the CNIL regarding the risks of user re-identification.

On the other hand, QWANT also clarified the advertising purpose of transmitting data to MICROSOFT, as well as the legal basis justifying this processing. These clarifications reinforced the transparency required by data protection regulations. Users can now better understand how their data is used, particularly in the context of contextual advertising, which is less intrusive than behavioral advertising. This change of course also shows that the company intended to fully comply with its information obligations, provided for in Articles 12 and 13 of the GDPR. Finally, to reinforce the consistency and uniformity of the information communicated internationally, QWANT ensured that its privacy policy was updated in all available languages. This reflects a desire to harmonize the level of information provided to users across the various markets in which QWANT operates. Through these changes, QWANT clearly signaled its commitment to complying with the legislative framework on personal data and to correcting the previous perception of its privacy policy. This transparency initiative is a step in the right direction towards regaining users' trust.

I want reliable legal documents!

What is the nature of the formal reminder of legal obligations issued by the CNIL, and what are its implications for QWANT?

This measure, although not punitive, underscores the need for the company to comply with the applicable legislative frameworks, in particular the GDPR. The formal reminder of legal obligations entails immediate and long-term adjustments for QWANT in its data management. This means the company must ensure that its privacy policy is not only clear and precise, but also that it faithfully reflects its data processing practices. The information obligations, as set out in Articles 12 and 13 of the GDPR, remain paramount. This means that QWANT must provide users with complete information about the nature of the data collected, the purposes of its processing, and users' rights.

Another aspect to consider is QWANT's good faith in this matter. Although errors of interpretation as to the classification of the data led to breaches, the CNIL acknowledged the efforts made by QWANT to implement technical measures aimed at reducing the risk of re-identification. This factor of good will enabled the company to avoid more severe penalties, such as a fine. However, this does not eliminate the need for ongoing development of the privacy policy to align its practices with compliance with legal standards. The CNIL, as the supervisory authority, remains vigilant regarding companies' compliance with data protection requirements.

The QWANT case shows that administrative adjustments can be undertaken to prevent potential breaches, while offering an opportunity for remediation to companies that cooperate with the authorities. In this context, QWANT must now establish an ongoing dialogue with the CNIL to ensure that its practices can evolve within a framework that respects users' rights. As QWANT commits to strengthening its practices regarding personal data protection, it is essential to remain attentive to users' reactions to these changes and to the transparency of the information provided. The challenges surrounding personal data management remain complex, and companies must navigate this constantly evolving field with care.

For more information, please consult the CNIL's article: https://www.cnil.fr/fr/qwant-cnil-traitement-des-donnees-personnelles-rappel-obligations-legales.

To learn more

Why did the CNIL remind Qwant of its obligations?

Following a complaint, the CNIL determined that the data processed by Qwant constituted personal data subject to the GDPR, rather than genuinely anonymous data. It reminded the search engine of its obligations of information and transparency towards users, a central requirement of the GDPR.

What is the difference between anonymized data and personal data?

Anonymized data no longer makes it possible, by any reasonable means, to re-identify a person. If re-identification remains possible, even indirectly, the data remains personal and subject to the GDPR. The threshold is demanding: incomplete anonymization is not enough to rule out classification as personal data.

Why does pseudonymized data remain personal data?

Pseudonymization reduces the risk but does not eliminate the possibility of re-identification. Data such as IP addresses, even when truncated or hashed, may still be cross-referenced with other information to link it to a person. The CNIL therefore considers that mere pseudonymization is not enough to rule out classification as personal data.

Is an IP address personal data?

Yes, in principle. Even when truncated or hashed, an IP address may allow indirect links to a person, particularly through cross-referencing. It is therefore generally classified as personal data and subject to the GDPR. This classification requires information, a legal basis, and respect for the rights of the data subjects.

What transparency obligations does the GDPR impose?

The GDPR requires that individuals be clearly informed about the data collected, the purposes, the recipients, and their rights. In the Qwant case, the CNIL emphasized that the transmission of technical data to a partner for advertising purposes had to be transparent. Fair and accessible information is a fundamental requirement of the regulation.

What must a company do after a formal reminder of obligations from the CNIL?

It must remedy the identified breaches: clarify its privacy policy, correctly classify its data, fairly inform users, and secure its processing operations. Qwant accordingly amended its privacy policy. A formal reminder, although not a penalty, requires effective and documented compliance.

Does cross-referencing data affect its classification?

Yes. Data that appears anonymous may become personal again if it can be cross-referenced with other available information to identify a person. The CNIL assesses the risk of re-identification holistically. This cross-referencing criterion is decisive in classifying data and triggering the application of the GDPR.

How can the GDPR compliance of one's processing operations be secured?

You must correctly classify the data processed, verify the actual effectiveness of anonymization techniques, fairly inform users, and document compliance. The Qwant case shows that insufficient anonymization exposes a company to a reminder from the CNIL. Legal support helps secure these classifications and avoid breaches of transparency.

Still have questions?

Our team is available!

Have a question?

Vos informations restent strictement confidentielles.
Thank you! We will get back to you shortly. If you'd like to speed things up, schedule a time with me directly here:
Schedule a 15-minute call
Oops! Something went wrong while submitting the form.
Homme en costume bleu foncé avec cravate et pochette blanche, bras croisés, regardant vers l'avant.

Ressources

Aller plus loin

00
article(s) affiché(s) sur
00

5 min

How to notify a concentration to the Competition Authority?
Notifying a concentration is a legal obligation that allows the Competition Authority to review the impact of a merger or acquisition on a given market. In France, this procedure aims to prevent abuses of dominant position and to ensure a competitive balance in

5 min

Breach of Data Security Rules: NTT Data Romania Sanctioned by the ANSPDCP
The data breach suffered by NTT Data Romania, sanctioned by the National Authority for the Supervision of Personal Data Processing (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, ANSPDCP), underlines the crucial importance of protecting personal data in the context of growing cyberattacks. Indeed, the breac

9 min

Domain name protection: 5 essential preventive strategies in 2025
In today's digital ecosystem, the domain name has established itself as one of the most strategic intangible assets for any organization. As a true gateway to your digital universe, it simultaneously serves as your business address, your brand identifier and a valuable l

14 min

Commercial agent status: rights, register and termination indemnity
The commercial agent status is one of the most protective in French business law. Yet it remains largely unknown to managers of micro-businesses and SMEs, to startups in the commercial structuring phase, and to independent professionals who negotiate contracts on behalf of third-party companies. When poorly understood, i

6 min

The buzz around AI-generated Ghibli-style images: what lessons can we learn?
With the advent of new technologies, artificial intelligence has taken a monumental step forward in artistic creation. The emergence of DALL·E 3, integrated into OpenAI's ChatGPT platform, has not only captivated a broad audience with its ability to generate images of a qualit

3 min

How to get your software development contracts right?
Are you an IT service provider wondering how to navigate the maze of software development contracts? Look no further. In this article, we break down what a software development contract is and how you can optimise its drafting to best meet your needs and those of your clients
Prendre rendez-vous
Book an appointment