France: Opened consultation on CNIL draft Recommendation for Multi-Factor Authentication

On 28 March 2024, the French Data Protection Authority (CNIL) opened a consultation on a draft recommendation to support users and providers of multi-factor authentication (MFA) in data protection compliance until 31 May 2024. The draft recommendation serves as a guide for data controllers on the necessity of MFA and General Data Protection Regulation (GDPR) compliance in MFA implementation, including legal bases, data minimisation, adherence to data subjects' rights, and the selection of compliant authentication methods. The draft recommendation covers only authentication, excluding identity and access management, and includes explanatory boxes on specific issues and practical examples of MFA implementations that integrate privacy by design.