Mobile apps, artificial intelligence and cybersecurity will be the main focus areas of France's data protection authority, the Commission nationale de l'informatique et des libertés, in coming years. During the IAPP Data Protection Intensive: France this week in Paris, CNIL Secretary General Louis Dutheillet de Lamothe laid out the regulator's focus areas, as well as the projects it has or will soon launch in those key areas.

According to Dutheillet de Lamothe, the EU General Data Protection Regulation brought a revolution for accountability and, though it led to progress, it still needs to be solidified in practice.

One way this change has materialized, he said, is through the increase of complaints lodged to the regulator. At its highest, the CNIL received up to 14,000 complaints, an increase of 30% compared to previous years. In 2022 — for the first time since the application of the GDPR — the CNIL managed to process more complaints than it received.

The DPA still faces some operational challenges, which have incentivized it to change how it accompanies organizations through compliance. Among others, the CNIL is adjusting its sandbox process. Launched in early 2022, this process started thematically, first addressing data protection and privacy questions raised on health data and then advertising technology.

It received positive feedback about the sandbox, including that it is a useful tool and has attracted a lot of candidates, but it is also resource-intensive for the CNIL.

Currently, the CNIL is moving to a nonthematic approach and will select projects based on several criteria, primarily ones that could impact personal data protection, convey innovative ideas raising questions of legal certainty and benefit from regulator’s help.

The CNIL will test the system in 2023. Dutheillet de Lamothe reassured DPI delegates and said the CNIL is implementing walls between its legal support and control teams, to give participating organizations confidence that they do not need to be concerned by the CNIL's control arm if they implement the sandbox team's recommendations.

The CNIL also introduced a simplified, nonpublic procedure that will be faster than a standard procedure. In this context, the CNIL can launch "dry procedures" to notify a compliance breach to an organization. When it is "sufficiently certain" there is a problem, the CNIL can issue a nonpublic formal notice, without an enforcement nature, to incentivize the organization to bring its practices into compliance. In this system, the formal notice will be reserved to a limited number of specific cases.

As a prolific regulator, the CNIL also faces a communication challenge in ensuring the privacy community and wider public are aware of, and can access, its positions and decisions to better apprehend the full extent of its doctrine. To that end, it embarked on a massive project to catalog all its decisions, positions and relevant jurisprudence and aims to publish the guide in French towards the end of the year.

Looking at the CNIL's priorities moving forward, mobile apps are near the top of the list.

In November 2022, the CNIL launched its three-step plan to tackle mobile apps, by first monitoring and building its technical understanding of the topic, then developing guidance and recommendations – expected to be published throughout 2023 and formally adopted at a later stage – and finally launching enforcement actions as needed.

The secretary general said "there might be control but that is not the (CNIL's) main objective; it is about bringing legal certainty on the interpretation of the GDPR for mobile apps." He also said, "the CNIL won’t refrain from processing complaints that address issues related to mobile apps on which there is no legal uncertainty, for example, identifiers."

During his speech Tuesday, Dutheillet de Lamothe touched on other issues that animate European circles.

On international data transfers, he expressed relative confidence in the adoption of the draft EU adequacy decision for the U.S. Though, he conceded "there will no doubt be further debates on the issue, leaving some form of potential uncertainty," referring to the recent opinion from the European Data Protection Board.

Dutheillet de Lamothe said these debates should distinguish data transfers strictly speaking from questions of extraterritorial application of the law, which go beyond the mere transfer issue. In this context, he cited France’s SecNumCloud cybersecurity reference framework, which introduces sovereignty requirements for cloud service providers operating on sensitive data in the French market.

"This reflection must continue," he added.

In closing, the Dutheillet de Lamothe pointed to the remaining challenge of harmonizing GDPR enforcement across 27 member states. As the European Commission drafts legislation to further harmonize procedural aspects of GDPR enforcement across Europe, he said harmonization is key. "Cultural diversity calls for procedural autonomy of each country, but we need common principles to conduct our processes. We need harmonization."