At a March 27 event organized by the American Chamber of Commerce in France and sponsored by Hogan Lovells, CNIL chairperson Isabelle Falque-Pierrotin said that the proposed new European regulation represents a “new paradigm” for business, because it will share the load of regulation between businesses and data protection authorities. Other speakers, including the EU Data Protection Supervisor and an official from the US Embassy in France, also provided insights.
Here is a video of the keynote speech by CNIL Chair Isabelle Falque-Pierrotin, at the AmCham France, EU General Data Protection & Privacy Regulation Conference on 27 March 2012:
Here is a video of EU Data Protection Supervisor Peter Hustinx at the 27 March Conference, commenting on "accountability" and consent:
Here is a video of US Embassy in France Minister Counselor Wendela Moore on the White House privacy program and on the "long history" of privacy protection in the United States:
More on what Mme Falque-Pierrotin said at the gathering:
Co-Regulation: Falque-Pierrotin said “co-regulation is the good answer,” indicating that the CNIL has already been applying the accountability principle: French law has already provided for the possibility to name data protection officers (DPOs) in companies, the CNIL has begun delivering privacy seals in connection with auditing and training procedures, and the CNIL has been the champion at a European level for binding corporate rules (BCRs).
Compliance Pack: Falque-Pierrotin indicated that compliance will be the biggest issue for businesses over the coming years, and that the CNIL was preparing a “compliance pack” to help businesses implement effective compliance programs. The pack will be based in large part on the CNIL’s existing practices in BCRs.
EU-US Convergence, But Issues With US Approach: Although the US and the EU are converging in terms of substance, Falque-Pierrotin cautioned that significant differences in approach still exist. She commented that President Obama’s Consumer Bill of Rights would not be binding without legislation, and that the codes of conduct would only be mandatory for companies that choose to sign them. Falque-Pierrotin expressed skepticism regarding self-regulatory frameworks.
Sanctions: “Sanctions should be adjusted depending on whether a company has implemented accountability mechanisms,” said Falque-Pierrotin, recommending a sort of “leniency program” similar to what exists in competition law.
Problems with Centralized Approach: The CNIL chairperson criticized certain aspects of the proposed regulation’s “one-stop shop” approach, indicating that the extremely centralized approach may not be well adapted for all businesses, particularly bricks-and-mortar businesses. Finally, Falque-Pierrotin expressed her vision that BCRs should not be looked at as simply a tool for transferring data within the corporate group, but rather as a global compliance architecture that would permit transfers not only within the group but also with other entities. The CNIL is working with the Department of Commerce to identify “points of interconnection” between BCRs and the US’s vision for cross-border data transfers.