The protection of personal data has become a crucial issue in the digital age, where every online interaction generates a wealth of information that can be exploited. The case of QWANT, a French search engine, is exemplary of the challenges faced by companies in complying with data protection regulations. Indeed, France's regulatory authority, the CNIL, recently reminded QWANT of its legal obligations regarding the processing of personal data, stressing the importance of total transparency vis-à-vis users. This raises fundamental questions about the distinction between anonymized data and personal data, as well as companies' responsibilities in the face of RGPD regulations. In this article, we'll explore the legislative framework surrounding QWANT, the reasons why the CNIL classifies its data as personal, the changes made to the company's privacy policy, and the implications of the CNIL's reminder of legal obligations.
If you are looking for a personal data lawyer, contact me!
Why does the CNIL consider QWANT data to be personal data?
The question of the classification of data processed by QWANT has been at the heart of analyses carried out by the CNIL. In 2019, the CNIL was confronted with a complaint claiming that the information collected by QWANT was not anonymous but rather constituted personal data, thus subject to RGPD regulations. Indeed, even though QWANT claimed to make use of anonymization techniques, the CNIL ruled that the methods implemented did not guarantee the absence of user re-identification. This finding is based on the idea that data, such as IP addresses, even truncated or hashed, can still enable indirect links with individuals.
This analysis has led to an essential clarification: contrary to QWANT's assertion, technical information transmitted to MICROSOFT to display contextual advertising and carry out other marketing operations is considered personal data. Indeed, the CNIL emphasizes that simple pseudonymization is not sufficient to rule out the classification of personal data, particularly when the information can be cross-checked with other available data. Thus, QWANT had to comply with its obligations to provide information and transparency to users, a key requirement of the RGPD. This speech by the CNIL serves as a reminder of the crucial importance of personal data regulations and invites companies to be vigilant about the nature of the data they collect and process. Now, let's take a look at the changes QWANT has made to its privacy policy following this spotlight from the CNIL.
What changes has QWANT made to its privacy policy in response to the CNIL's findings?
The evolution of QWANT's privacy policy following observations issued by the CNIL in 2019 demonstrates a willingness to adapt in the face of regulatory requirements. In response to the authority's requalification of its data, QWANT made significant changes to its privacy policy in 2020. The main aim of these adjustments was to ensure strict compliance with the RGPD and to transparently inform users about the processing of their personal data. As a first step, the company introduced a more appropriate term, describing the data transmitted to MICROSOFT as "pseudonymous". This nuance is essential, as it indicates an assumption of responsibility for the nature of the data processed, and underlines the fact that true anonymization was not in place. This change has enabled QWANT to respond in part to the CNIL's criticisms concerning the risk of user re-identification.
QWANT has also clarified the advertising purpose for which the data was transmitted to MICROSOFT, and the legal basis justifying this processing. These clarifications have reinforced the transparency required by data protection regulations. Users can now better understand how their data is used, particularly in the context of contextual advertising, which is less intrusive than behavioral advertising. This change of direction also shows that the company intended to fully comply with its information obligations, as set out in Articles 12 and 13 of the RGPD. Finally, to reinforce the consistency and uniformity of information communicated internationally, QWANT has ensured that its privacy policy is updated in all available languages. This reflects a desire to harmonize the level of information provided to users in the various markets where QWANT is present. Through these changes, QWANT has clearly signaled its commitment to respecting the legislative framework regarding personal data, and to rectifying previous perceptions of its privacy policy. This transparency initiative is a step in the right direction towards regaining users' trust.
What is the nature of the CNIL's reminder of legal obligations and what are the implications for QWANT?
This measure, while not punitive, highlights the need for the company to comply with current legislative frameworks, in particular the RGPD. For QWANT, the reminder of legal obligations implies immediate and long-term adjustments to its data management. This implies that the company must ensure that the privacy policy is not only clear and precise, but also that it accurately reflects data processing practices. Information obligations, as stipulated in Articles 12 and 13 of the RGPD, remain paramount. This means that QWANT must provide users with full information on the nature of the data collected, the purposes of its processing and users' rights.
Another aspect to consider is QWANT's good faith in this case. Although misinterpretations of data qualification led to breaches, the CNIL recognized QWANT's efforts to implement technical measures to reduce the risk of re-identification. This goodwill factor enabled the company to avoid more severe sanctions, such as a fine. However, this does not rule out the need for ongoing development of the privacy policy to bring its practices into line with legal standards. As a supervisory authority, the CNIL remains vigilant as to companies' data protection compliance.
The QWANT case shows that administrative adjustments can be made to prevent potential violations, while offering a chance of redress to companies that cooperate with the authorities. In this context, QWANT must now establish an ongoing dialogue with the CNIL to ensure that its practices can evolve within a framework that respects users' rights. While QWANT is committed to strengthening its practices in terms of respect for personal data, it is essential to remain attentive to users' reactions to these changes and to the transparency of the information provided. The challenges surrounding the management of personal data remain complex, and companies need to navigate carefully in this constantly evolving field.
For more information, please consult the CNIL article: https: //www.cnil.fr/fr/qwant-cnil-traitement-des-donnees-personnelles-rappel-obligations-legales.
