Perhaps more so than any other country, the French take data privacy very seriously. While it took the Internet revolution and rise of social media for some countries to worry about consumer protections, France has a data protection tradition that dates back to the 1970s.
For decades, Commission Nationale de l'Informatique et des Libertés, better known as CNIL, has been at the center of those efforts. The group, whose full name translates as National Commission on Informatics and Liberty, is an independent regulatory body that oversees the application of privacy law to the collection, storage, and use of personal data. It is comprised of 17 members from various government entities, including four from French parliament
On Tuesday, Sophie Nerbonne, CNIL’s deputy director for legal affairs and director of compliance, discussed the state of data privacy enforcement at Compliance Week Europe in Brussels.
More recently, CNIL was behind a September “cookie sweep,” a series of not-so-surprise company audits to assess compliance with French and European Union rules requiring websites to obtain user consent before installing cookies, those tiny bits of data that get popped onto your hard drive every time you visit certain websites. Users must also have the ability to know how cookies are used and to opt-out of the data collection.
Nerbonne updated the audience on the status of long- delayed EU-wide personal data protection legislation. Among the possible measures included in the legislation are mandatory breach notices, the right to portability of personal information, the “right to be forgotten, requiring a project and product based Privacy Impact Assessment; and fines €100 million or 5 percent of global turnover for companies that transmits personal data outside the EU without a customer’s permission.
“A lot of work has been done and there are just a few points to clarify,” she said. “We are still hoping that by the end of the first part of next year it will be done and then it will take two years to put the new regulation into application. Even if its approved next year, we still have those two years to elaborate on this new framework.”
The governmental push for increased fines is long overdue, Nerbonne said. Currently, her agency’s fines are capped at €150,000. A new bill at the Ministry of Affairs in France could also “substantially increase” fines. Investigations and penalties are “not credible otherwise,” she said.
Although her role as CNIL’s director of compliance puts her among the peer group of compliance officers, Nerbonne wasn’t able to offer those in attendance much comfort about their added duties and expanded concerns pertaining to data collection. The right to be forgotten, codified by a court ruling that forced Google to erase nearly all online links to those who object will continue to be the norm, even if it frustrates such routine company business as background checks and anti-money laundering screens. The information, she said, must now be gathered from the original source, not a search intermediary.
She did promise, however, that moving forward CNIL would strike to work more with companies and help them comply with what are difficult restrictions to abide by. “There will be a closer relationship with businesses and an effort to reach a mutual understanding,” she said.