Data protection and privacy have been for several years a major issue of public policy for France and the European Union. Globalization and the rise of digital technology make it necessary to review the existing EU legal framework. On 25th January, the European Commission has therefore adopted draft EU Regulation and Directive reforming the EU framework of data protection. The moment we are living being historic, it is essential to take the full measure of it as it will be the new landscape of European data protection for the XXIst century.
The CNIL recognizes that the proposed regulation provides substantial improvements that were expected and necessary. Citizens' rights are thus largely strengthened: recognition of a right to be forgotten, right to the portability of data and clarification of the rules relating to consent and to the exercise of rights.
At the same time, companies benefit from a simplification of administrative burdens while being subjected to increased obligations as the draft regulation intends to impose companies to designate Data Protection Officers and to implement internal procedures to ensure the implementation of data protection principles (audits, registers, privacy by design ...). The CNIL also welcomes the strengthening of powers of sanctions of national data protection authorities as well as the call for an increased cooperation at the European level.
However, the CNIL considers that the proposed procedures to implement the system is not optimal and will not ensure an effective implementation of the suggested improvements.
The CNIL is particularly concerned about the risk of an increased distance between European citizens and their national authorities. Indeed, by proposing that the competent authority is the one where the main establishment of a company is located, regardless the targeted public by its activity, national authorities are reduced to play a role of mailbox. In practice, this means that where an web user has a problem with a social network which main establishment is in another member state, the complaint will be handled by the authority of the later.
Such a reform will strengthen the bureaucratic and distant image of the European institutions and will deprive widely the citizens of the protection offered by their national authority.
The CNIL is strongly opposed to such a criterion which will constitute a real regression towards the citizens’ rights. It would be paradoxical that the rights of citizens for data protection would finally be less protected than those he benefits of under consumption law which privileges a competence based on the place of residence of the consumer.
Broadly speaking, the CNIL considers that the scheme proposed by the European Commission leads to a centralization of the regulation of privacy in the hands of a limited number of authorities. The European Commission will also benefit from an important normative power.