Greetings from Brussels!
CNIL President Marie-Laure Denis gave her first official interviews this week coinciding with the release of the French authority’s 2018 activity report. If you want an overview of the report’s main points, you can find an English summary here. As you will know, there was a change of guard at the CNIL in early February with the appointment of Denis. It was certainly welcome to see her inaugural interviews in "Le Monde" and "La Tribune."
She stated that the GDPR has facilitated increased French awareness around data protection. The CNIL website registered a staggering 8 million unique visitors last year, according to one of her recent interviews, which is almost an 80% increase on the year before. This enhanced awareness was also reflected in a record number of complaints to the CNIL, up by 33%, with a third of the complaints centered around the dissemination of personal data on the internet, as well as 20% concerning marketing and commercial practices.
Denis also said there are approximately 17,000 DPOs acting on behalf of more than 51,000 organizations; notably, this number reflects internal, outsourced and "shared" DPO functions. With more than 4 million companies in France, Denis acknowledged that while not all organizations will require a DPO by default, she reconfirmed the CNIL estimate for the need of 80,000 DPOs under the provisions of the GDPR.
There is still much uncertainty around the handling of complaints as the CNIL interacts with other EU member state DPAs. The CNIL continues to receive many questions involving corporate obligations around data protection and breach notifications. It is also interesting to note that since GDPR came into effect, breach notifications increased in 2018. However, and conversely in 2019 to date, leading French privacy pros informed me that breach notifications to the CNIL have dropped off significantly.
Denis stated that the authority will continue to support French organizations, acknowledging that not all entities have the same capacity to meet their obligations. However, taken that the GDPR was adopted in 2016, Denis felt that sufficient time and support has been afforded organizations to comply with the regulation, and now it is time to show more determination and firmness on controls and enforcement.
For 2019, priorities are clear: Ensuring that data subject rights, such as access, rectification and deletion are respected. More focus will be directed at processors and subcontractors as keys to personal data flows. Finally, the CNIL will also step up its monitoring in the area of new rights of minors and parental consent for children under 15.
At the macro level, Denis sees an augmented role for the CNIL as an effective digital regulator ahead to anticipate and innovate for social and economic changes in the digital era. On the international scene, the CNIL intends to continue to maintain a leading role within the EDPB, and outside the EU, it will continue to prioritize cooperation that fosters the convergence of data protection principles worldwide.
This year heralds new energy and promise in Marie-Laure Denis, and I think it is fair to say we have another strong and confident leader taking the reins of the French authority.
If you want to comment on this post, you need to login.