Regulatory priorities were the inaugural topic du jour here in Paris at the IAPP Europe Data Protection Intensive: France. CNIL President Marie-Laure Denis outlined her agency's aims during her keynote address Wednesday morning.
Online advertising and cookies are a focus for the CNIL right now, she said, noting the data protection authority currently has a draft recommendation open for public consultation, which includes modalities for obtaining consent. Denis said a final recommendation should be published in either March or April. Once the recommendation is validated by the French Conseil d'Etat, the CNIL will provide a grace period for six months. Like many other DPAs in the EU, however, handling a rise in data protection complaints from citizens is straining resources. During a follow-up panel discussion, CNIL Director of Economic Co-Regulation Sophie Nerbonne said the DPA is working to create a more efficient way to facilitate and simplify internal processes for handling the influx of complaints.
Dale Sunderland, deputy commissioner of the Irish Data Protection Commission, said the agency has received more than 10,000 complaints. That means it has had to prioritize its work. He said there are currently 23 investigations into so-called big tech companies, but, more notably, two investigations are now at the decision-making stage. Though he was not able to provide a timeline for the decisions, there is clearly some movement for cases being handled by perhaps the most-watched DPA in the world.
Among other priorities, Sunderland said the DPC is working on draft guidance for the protection of children under the EU General Data Protection Regulation. This comes on the heels of work by the U.K. Information Commissioner's Office on children's privacy. (The IAPP's Angelique Carson recently hosted a podcast on the ICO's work here.)
Sunderland said children's privacy is becoming a hot topic for DPAs in the EU, noting there are thorny issues, including difficulty verifying parental consent for the child.
As for the status of the one-stop shop, both the CNIL and the Irish DPC provided an optimistic outlook on its viability. Nerbonne was also optimistic about the one-stop-shop approach, saying there have been 150 draft decisions, mainly on existing rights of the individual or notification of a data breach. "This is the beginning of a common approach," she said.
However, Michael Kaiser, data protection officer at Germany's Hesse Data Protection Authority, was a bit more cautious. Since Germany has 16 DPAs governing each of its federal states, plus a federal DPA, finding consensus within the country has been a challenge. Though Kaiser said his agency aims to cooperate with other German federal states and EU DPAs, he would not let other agencies have the power to regulate the companies in Hesse, which, he noted, happen to include many of the banks and financial institutions in Germany.
During her keynote, the CNIL's Denis also said the agency has been active within the EDPB in recent months on the issue of access to electronic evidence by foreign public authorities; including frameworks such as the U.S. CLOUD Act, the Second Protocol at the Budapest Convention and the European Commission's own proposal for access to electronic evidence. Denis also said the CNIL has been active in developing guidelines on the GDPR's territorial scope, video surveillance and connected cars.
Finally, the Internal Market Information System that EU DPAs use to communicate regulatory work is working so far, according to Kaiser. Sunderland did note, however, that it's a legacy tool facilitating communications, not case management. "The GDPR has some inherent bureaucratic issues," said Sunderland, noting the EDPB network is evolving to meet these challenges.