The CNIL has issued its onsite investigation programme for 2009. Areas of focus in the private sector will be:

  • recruitment activities (including recruitment agencies, Internet sites, and large groups);
  • the sports sector (all data processing, including video surveillance, supporters lists, and blacklists);
  • the marketing sector (new techniques, new targets, Web sites, businesses in the field); and
  • healthcare providers (all data processing concerning patients’ rights).

It is worth reminding readers that the CNIL annual report indicates that, in 2008, only 25 percent of onsite investigations resulted from individuals’ claims. This shows the importance of the targeted areas identified in the investigation programme.

Fifteen recommendations for enhanced privacy

“Privacy in the era of digital memory. For an increased trust between citizens and the information society”: this is the title of the information report made on behalf of the Legislative Committee of the Senate on May 27, 2009 and released on June 3, 2009.

In this report, the Legislative Committee of the Senate, mindful of privacy in the digital era, issues a series of 15 recommendations highlighting areas to be improved in order to better guarantee the right to privacy. The report results from an assessment of the main threats to civil liberties: video-surveillance, PNR, cookies, proliferation and interconnection of police files, social networks, RFID, highway tolls, and so on, in order to make citizens aware of the need to protect privacy and to become a free and informed “homo numericus.” Data protection is presented as a fundamental pillar of our society.

The first three recommendations aim to strengthen awareness on personal data:

  • To strengthen the importance attached to awareness on issues related to privacy and personal data in school programs;
  • To promote the organization and the launch of a large-scale information campaign in order to sensitize citizens on privacy challenges in the digital era as well as to inform them about their rights under the Data Protection Law;
  • To promptly promote the creation of labels identifying and promoting software, applications and systems providing enhanced guarantees for the protection of personal data. In this respect, a recent law has simplified the process for the CNIL to deliver quality labels (see July Global Privacy Dispatch).

Other recommendations aim to increase the legitimacy of the CNIL:

A tax to fund the CNIL – Supported by the CNIL president, the idea is to create a “low-cost” fee, to be paid by large public and private organizations that process personal data (just like what already exists in Great Britain). We heard at the AFCDP conference (see story below) that the government is not in favour of this approach yet, but instead agreed to increase the budget of the CNIL.

Creation of decentralized antennas – To further strengthen its activities and its fields of investigation, the CNIL would ensure its presence in France through the creation of decentralized antennas. At the AFCDP conference, Alex Türk shared that this will not happen in the near future, but that the CNIL will soon open a second branch in Paris.

A mandatory DPO – For all public and private companies of more than 50 employees, a DPO shall be appointed. Among all 15 recommendations, this one, along with the security breach notification recommendation, is the most likely to impact businesses if it ever comes to life.

To make public the hearings and the decisions of the litigation committee of the CNIL.

Among recommendations to complement the current legal framework, the Senate calls for a clarification of the legal status of the IP address. Considered personal data by the Article 29 Working Party and the CNIL, but not by some French court decisions, the IP address remains the subject of an open debate about how it should be characterized. Senators have become convinced that the IP address is “a way to identify an Internet user, such as a postal address or a phone number.” Thus, the senators argue that the IP address is personal data and should be protected as such.

Moreover, the senators support the ongoing momentum towards the definition of international standards in the field of personal data protection.

The senators are also in favour of the creation, at a minimum, of an obligation to notify the CNIL of security breaches. The CNIL would then consider whether individuals should be notified as well.

Furthermore, the creation of police files should be under the sole authority of the legislator.

The senators also believe that the legislature should consider the creation of a right of “heteronymat” and a “right to oblivion.”

As for the last (but not least) recommendation, the senators wish to raise the principle of privacy as a constitutional principle. However, Alex Türk mentioned at the AFCDP conference that a revision of the constitution is unlikely to happen soon.

For most of these recommendations, it is still a bit early to tell whether they will be brought to life by the government and the legislator. One can be sure that with Alex Türk being both at the head of the CNIL and a Member of the Senate, they will be strongly supported.

The role and future of data protection officers

The AFCDP (French Association of Data Protection Correspondents) held its 5th annual conference in Paris in June. The theme was “The Future of The Profession of Data Protection Officer: Status and Perspectives.”

Present were Alex Türk, Article 29 Working Party president and CNIL president; Gérard Lommel, Türk’s counterpart in Luxembourg; and representatives of the profession from several countries, including data protection officers from Groupama and Novartis, and representatives from fellow associations, such as the German GDD. Bojana Bellamy represented the IAPP. She conquered the audience and convinced most attendees that it takes the brain of a woman to be a data protection officer. IAPP Board Vice-President Nuala O’Connor Kelly sent a message to the audience and the members of AFCDP to share her enthusiasm about the IAPP-AFCDP sister relationship.

This conference presented an opportunity to take stock of DPOs in Europe and to discuss the function of the DPO and its development. In addition to France, Germany, Luxembourg, the Netherlands, and Sweden, the countries of Estonia, Hungary, and Slovakia have provided DPO status in their data protection laws, Germany being the pioneer in this area. Even Switzerland recently modified its data protection law to incorporate the function of DPO. A comparative view of each legal system highlighted where improvements could be made.

If only one sentence could summarize this conference, it could be: the role of the DPO is much more than a job, it has become a profession, a sector of the economy even, and it is only the beginning.

For more information, visit the association Web site: www.afcdp.net

Coauthored by Elisabeth Quillatre of the French law firm Cabinet Gelly.