Late last month, French President Emmanuel Macron announced he would appoint the next president of the French data protection authority. Marie-Laure Denis took office Feb. 1, just as former CNIL President Isabelle Falque-Pierrotin departs. While Denis comes with the president's approval and a CV most would envy, regulators and privacy professionals who've worked with Falque-Pierrotin on the global stage acknowledge she's a tough act to follow.
That's in part because she took the CNIL through a time of significant change. Chair for two terms, from 2011 to 2018, she saw the DPA through the drafting and then the passage of the EU General Data Protection Regulation.
Irish Data Protection Commissioner Helen Dixon said, "IFP has been an articulate and consistent voice representing EU data protection authorities for the last four years in communicating to both EU and international stakeholders."
Dixon notes that not only did Falque-Pierrotin lead the CNIL, but she also chaired the Article 29 Working Party "during an unprecedented period of transformation, driven in part by key judgments from the Court of Justice of the European Union," including the right-to-be-forgotten ruling in 2014 and the strike-down of Safe Harbor in 2015. Then, there's the matter of the GDPR, which Falque-Pierrotin guided both the CNIL and the WP29 through during her tenure.
At the WP29, Dixon said, Falque-Pierrotin and her team "output a record number of guidance papers on important EU data protection concepts, such as the right to data portability, how to interpret the transparency principle, in addition to leading the preparations for the operationalization of the successor to WP29, the European Data Protection Board. All this was delivered by IFP with the utmost skill and under significant time pressures."
Then, there was the historic $57 million fine against Google for GDPR violations, of course.
IAPP Vice President Omer Tene echoed Dixon's praise, adding that Falque-Pierrotin also contended with the fallout from the Snowden revelations and preparations for Brexit.
"During her term as president of the CNIL, she established the French data protection authority as a central pillar of global privacy enforcement," Tene said. "She recognized the importance of tech expertise for regulators in this space and positioned the CNIL as one of the more tech-savvy regulators worldwide."
French attorney Ariane Mole of Bird & Bird agreed with Tene that Falque-Pierrotin made her mark on the international stage by taking the CNIL to the next level, understanding the authority would have to make some advances in order to regulate in an era of rapid technology development and under reform as sweeping as the GDPR.
"On the one hand, there is some CNIL flavor in the Article 29 Working Party’s guidelines on the GDPR. And on the other hand, she also promoted the CNIL to get a European vision and to be very much involved in the new GDPR mechanisms," Mole said. "For instance, there is a specific department within the CNIL dedicated to GDPR compliance tools. The CNIL is also quite advanced on certification mechanisms, on BCRs, and has created a specific [privacy impact assessment] software that can be used in several languages in order to help companies making PIAs. Because IFP was both the president of the CNIL and of the Article 29 Working Party, it has given the CNIL a more European capacity."
But beyond what she achieved on paper, it was Falque-Pierrotin's disposition that was perhaps most effective.
"As a leader, she was always graceful and open-minded even as she drove hard to achieve her goals," Tene said.
It seems to be that exact balance that most impressed those both working as her peers and reliant on the guidance of her agencies for their own practice.
"She was at the same time strong and flexible," Mole said. "She also had an ability to listen, and I noticed this many years ago even before she became president of the CNIL. I remember that when I was pleading for a client before the CNIL’s court, she was the CNIL’s rapporteur on the case — and I can tell you that usually, CNIL’s rapporteurs would not change their opinions, but she was different. She listened and amended her report in consideration of what was said."
In addition, Mole said, Falque-Pierrotin didn't rule from a castle on high.
"What struck me about IFP was that she was reachable, more than the former presidents of the CNIL. She was very busy, of course, but you still did not need to go through a lot of channels in order to contact her. It was possible to email her and get a response," she said.
Looking ahead to Denis and her role as CNIL's new leader, Mole hopes she'll continue her predecessor's work in keeping a European vision but also will take into consideration various market realities.
"Despite the fact that the GDPR was supposed to harmonize European data protection laws, there are still local law divergences and different interpretations between countries. The GDPR is not only complex for companies, but it is also applied by data protection authorities with different views, so the challenge is that data protection authorities should both reach a more practical interpretation of the data protection requirements and work in the same way."
Mole said it's important that, like Falque-Pierrotin, Denis comes from the Conseil d’Etat, the French administrative supreme court.
"It is generally a good thing to have someone who understands the law," Mole said.
For now, DPAs and privacy practitioners will wait to see how that understanding translates in future CNIL guidance regulation.