Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

CNIL’s Annual Report Highlights Right To Be Forgotten and Shortcomings of proposed regulation

The French data protection authority (CNIL – Commission Nationale de l’Informatique et des Libertés) published in July 2012 its annual report for 2011. Here are its highlights:

CNIL enhances technical capabilities, launches "Privacy 2020". The CNIL said it significantly increased the number of computer engineers on its staff in 2011 to a point where the CNIL says it has more technological capabilities than any other data protection authority in Europe. "Privacy 2020" is the CNIL’s new think tank initiative to develop a framework for privacy rules in the next decade. The CNIL has created a special advisory board to make recommendations on forward-looking policy issues, chaired by Professor Michel-Jean Bengosi from the Ecole Polytechnique. The "CNIL Labs" conducted studies on smartphones and on social media networks in order to identify technological risks but also better understand consumer expectations.

CNIL critiques proposed EU regulation. The proposed new European regulation drew criticism in the CNIL’s report on three points. First, the CNIL expressed concern that making a single data protection authority responsible for the European-wide activities of an enterprise could result in a significant decrease in the level of protection of individuals. Citing the example of a social network whose main establishment is located in another European member state, the CNIL said it was inappropriate to reduce the role of the French data protection authority ("DPA") to a simple mailbox to forward complaints to the principal DPA responsible for the social network’s activities. According to the CNIL, a French user who is harmed by the activities of an enterprise doing business in France should be able to look to the French regulator for redress.

The second point on which the CNIL diverges from the Commission is on the issue on international data transfers. The CNIL believes that transfers to countries that have not been recognised as providing adequate protection should be based on contractual clauses or BCRs that have been approved in advance by the CNIL. Under the proposed regulation, an international transfer based on standard contractual clauses will not require the prior approval of the DPA.

Finally, the CNIL made the point that the new accountability measures included in the draft regulation should not be viewed as a form of self-regulation, or as a trade-off for less regulatory supervision. Instead, the accountability measures should be viewed as a supplement to existing regulatory principles and enforcement practices.

Promotion of the European model worldwide. The CNIL thinks of itself as the thought leader for data protection in Europe. In its annual report the CNIL says that the European model should serve as a template for other regions of the world. In particular, the CNIL said it hoped that other countries would accede to the Council of Europe’s Convention 108 on data protection.

Co-regulation. While critical of self-regulation, the CNIL embraces co-regulation. The annual report highlights several areas where the CNIL has approved industry guidelines and worked closely with corporations in the development of standards and binding corporate rules. In this respect the CNIL does not seem too far removed from the US multi-stakeholder process initiated under the Obama administration.

Nineteen sanctions in 2011 but only five fines.The annual report contains a list of sanctions issued in 2011. The highest monetary sanction issued by the CNIL was the 100,000 € sanction against Google, in connection with Google’s Street View activity. Most of the CNIL sanctions in 2011 consisted of warnings ("avertissements"). Only five monetary sanctions were issued.

Right to be forgotten. The CNIL promoted the right to be forgotten in various ways in 2011, including by issuing standards pursuant to which public archives could be made available electronically to the public. Among the rules imposed by the CNIL is a requirement that electronic public archives be searchable via the name of an individual only after 120 years from the person’s birth. Also certain sensitive data such as data relating to race or religion must be redacted from data made available in the electronic services. The CNIL also illustrated in its annual report how it helps citizens correct and obtain the deletion of data contained in police records that could hurt a person’s ability to get a job in certain sectors. The CNIL cited examples where police records had not been updated and had erroneously maintained a criminal record when the person had been acquitted or the matter involved an offense committed when a person was a minor. A majority of the police files reviewed by the CNIL were either rectified or deleted as a result of the CNIL’s actions.

Whistleblowing.The CNIL’s annual report contains a special chapter on whistleblowing. The CNIL has a blanket authorisation for a certain type of whistleblowing systems, but more and more corporations are requesting specific authorisations from the CNIL for systems that go beyond the blanket authorisation. In 2011 the CNIL received 30 requests for authorisations and issued 19 specific authorisations and one refusal. The CNIL pointed out that the extension of the scope of whistleblowing hotlines to areas beyond traditional accounting violations was becoming more and more widespread and accepted by the CNIL under certain conditions. For example, the CNIL has accepted that complaints relating to employment discrimination be included in the hotline but on the condition that the usage of the hotline for discrimination claims not be permitted on an  anonymous bases.

Cloud computing. The CNIL also highlighted its activities in connection with cloud computing, but this the CNIL’s recent recommendations on cloud computing has been covered elsewhere in our blog.