Published: February 2020
Below is the English translation of the keynote speech at the IAPP Data Protection Intensive: France 2020, presented by Marie-Laure Denis, CNIL president.
Paris, France, Wednesday, Feb. 12, 2020
Opening general session
Speech by Marie-Laure Denis, president, Commission nationale de l’informatique et des libertés (CNIL)
Courtesy translation: In the event of any inconsistencies between the French-delivered version and this English-courtesy translation, please note that the French version, checked against delivery, shall prevail.
Ladies and gentlemen,
Good morning, everyone. It is a pleasure to be with you this morning and to be able to speak at the opening of this conference, which promises to be rich in exchanges and learnings. Allow me first of all to welcome you to Paris and to thank IAPP and its president, Trevor Hughes, for the invitation to take part in this meeting.
I hope that the debates in which the CNIL will be taking part over the next two days will further strengthen the essential links we need to maintain with all stakeholders in the digital ecosystem.
In its new strategic roadmap for 2019–2021, presented last October, the CNIL affirmed its willingness to pursue its role as an effective and pragmatic data regulator.
In this regard, allow me to share with you the CNIL’s actions and priorities for the coming months.
The common thread of our road map is the appropriation and implementation for all — individuals, professionals, the European collective — of the promises and potential of the (EU General Data Protection Regulation).
In this sense, we want the CNIL to be a regulator anchored in the digital world and to bring to bear all its expertise, both legal and technological.
Since we are at the IAPP, I would like to inform you that we are continuing our work on certification. After the certification of the (data protection officers’) competences and skills, we will publish next May a new certification scheme for training organizations wishing to provide GDPR training. This scheme, which includes accreditation requirements for certifying bodies and a referential of certification criteria, is eagerly awaited because it is linked to the broader context of the national reform of vocational training.
The issue of online advertising and cookies is also a topical subject on which the CNIL is acting with a dedicated action plan. You will have the opportunity to discuss this topic in more detail today during a panel discussion with a representative of the CNIL. We have adopted a draft recommendation on the modalities for obtaining consent, which is currently undergoing public consultation. This is not a prescriptive text but a proposed instruction manual for our guidelines, published on July 4, 2019, which were themselves a reminder of existing positive law. As regards the timetable, we have already announced that we would adopt a final recommendation at the end of this public consultation, either in March or April. The CNIL will then grant an adaptation period to stakeholders — validated by the French Conseil d’Etat — of six months after the adoption of this recommendation.
Finally, and without being exhaustive this morning on all of our actions at the moment, we are currently working on privacy protection in cloud services, a sector where there are sometimes very large data processors and small data controllers. Beyond the cloud services sector alone, we also want to focus on cybersecurity, of which the protection of personal data is an important component. From this perspective, the CNIL's targets — particularly in terms of support — will be the general public and (small- and medium-sized enterprises) rather than very large companies, which have more resources and capacities. For example, we will certainly update our recommendation concerning passwords, which concern eight out of 10 attacks. We have also just published a guide for those involved in web and application development, including recommendations for securing websites, applications and servers. It is also through this type of action that we see our role as a regulator of the “digital daily life” of individuals and organizations.
Whether in the area of personal data protection or in other related fields, such as cybersecurity, the year that has just begun is full of challenges for the CNIL. They are also challenges for all stakeholders of the digital ecosystem. We will have to respond to these challenges with ambition and consistency. This is the spirit in which we are acting.
In addition, the CNIL is active at the European level by contributing to all the work of the (European Data Protection Board). We have been particularly active in recent months on the issue of access to electronic evidence by foreign public authorities, whether in the context of the U.S. CLOUD Act, the second additional protocol to the Budapest Convention or the (European) Commission’s proposed regulation on access to electronic evidence. We have also been involved in the development of guidelines on key topics such as the GDPR territorial scope, video surveillance, connected vehicles or privacy by design. These are just a few examples. In general, we are very involved at the European level. The Europeanisation of our activities is developing and I am very pleased about this!
In a few months we will celebrate the second anniversary of the effective application of the GDPR. A report from the European Commission on this issue is expected next May.
Indeed, May 2018 was a big step for all of us, and the regulation is already translating into new positive realities.
First of all, a stronger awareness of the general public and professionals. Very concretely, this is reflected in an increase of calls and requests for advice from the CNIL. Some 150,000 phone calls were recorded last year, not to mention the 14,000 complaints received, an increase of 27% compared to 2018. In 2019, the number of visits to our website remained at the unprecedented level reached in 2018, with approximately 8 million visits. We also note that some of the GDPR’s tools are beginning to be fully embraced. In France, more than 20,000 (DPOs) have been appointed within 65,000 entities.
Still at the French level, though we observe a better awareness of the issues at stake, we maintain an active enforcement policy. Last year, the CNIL carried out 300 inspections, imposed eight financial penalties and issued approximately 50 orders. Most of the time, guidance is sufficient to ensure compliance with the GDPR. When data processing is massive or involves serious risks and a warning is not enough, we go further.
At the global level, the GDPR still makes a name for itself. The impact of the GDPR has been felt well beyond the (European) Union, either in terms of compliance or in terms of legislative development in third countries — and this will be discussed by one of the conference panels tomorrow. At the same time, we notice that data governance in a globalized digital ecosystem can also be the scene of a certain confrontation of existing models and standards.
We therefore believe that it is crucial to continue our efforts to affirm the European model. The “GDPR dynamic” must continue. And to do so, we must step up our efforts to provide guidance, tools, but also corrective measures and sanctions where necessary. Making our actions concrete, including at European level with collective decisions, means guaranteeing the credibility of our model at European level and beyond.
While we are all pursuing our efforts, some doubts and criticisms are beginning to be voiced, in particular about the role of the lead authorities and decisions on the major actors. Decisions and sanctions on the major digital actors are monopolizing attention — even impatience — and it is true that it is essential to reach decisions as quickly as possible on the emblematic cases expected by all. To do so, we must work effectively and together between authorities. In this context, decisions concerning the major digital actors must be presented quickly.
However, one must recognize that the one-stop shop system is unique in the world and the most sophisticated existing data protection enforcement mechanism.
Although difficulties have been identified in the implementation of the system, we are working on improving its functioning.
It should also be noted that it is already working. More than 80 decisions on cross-border cases have been adopted under the one-stop-shop mechanism, and nearly 150 draft decisions are currently being worked on by all concerned authorities at European level.
As the (European) Council already did, the EDPB is currently preparing its contribution to feed into the Commission’s reflections in the drafting of the report on the assessment of two years of application of the GDPR; this contribution will be discussed and probably adopted next week by the EDPB plenary session.
These discussions are fundamental in order to reach a united, coordinated and collective message on the functioning of our cooperation and more broadly on the implementation of the GDPR.
May 25, 2018, marked the beginning of a new era for data protection. All Europeans have committed to the construction and success of this new model.
The year 2020 is probably the moment of some kind of truth. It is now crucial to make the promise of the GDPR even more concrete.
Our credibility is at stake. This model is about a data regulation that reaffirms the fundamental rights to personal data protection and privacy, while facilitating and integrating the new realities of the digital ecosystem.
In conclusion, I would like to stress the importance of dialogue between regulators and digital players in order to carry out our missions successfully. Two days of discussions and debates will certainly not be too much to tackle all the issues you have to deal with on a daily basis. I would like to thank the IAPP once again for inviting the CNIL to take part in these exchanges.
You will also have several opportunities to dialogue with representatives of the CNIL on numerous issues at the heart of current challenges. These debates are also an opportunity for us, as a regulator, to take the pulse of the stakeholders who are at the heart of the compliance and application of the legal framework that we must, together, defend and put into practice.
I wish you all an excellent conference with fruitful debates and constructive exchanges. Thank you very much.