Addressing the French Parliamentary Commission on Digital Rights, CNIL and Article 29 Working Party Chair Isabelle Falque-Pierrotin commented on the current state of negotiations of the proposed European General Data Protection Regulation, warning that excessive reliance on a risk-based approach could undermine fundamental rights. A risk analysis is useful as a guide to allocate resources, but should not affect the underlying rights of the data subject, she said. To illustrate her point, Falque-Pierrotin used the analogy of a home owner who lives in a part of the city where burglaries are frequent. The risk-based approach means that the home owner will buy more locks for doors, and that police authorities may devote more resources to patrolling. It does not mean, however, that home owners have different rights depending on where they live. Falque-Pierrotin is concerned that the current negotiations on the risk-based approach may confuse these two concepts, leading to a situation where individuals’ rights are reduced or ignored for low-risk processing.
Falque-Pierrotin likewise said that accountability should apply to all forms of processing, not just to “risky” ones. Obviously the level of resources and safeguards applied will depend on the level of the risk, but the principle of accountability, i.e. having a data protection governance structure in place, should remain constant.
Falque-Pierrotin recommended to the French parliamentary commission that the French constitution be revised to include specific reference to data protection. In theory, constitutional protection already exists in France via the European Charter on Fundamental Rights and the European Convention on Human Rights. However, thirteen European countries have put data protection in their constitution, and France’s doing so would send a strong signal internationally. Falque-Pierrotin also recommended changes to French law to reinforce individuals’ right to control their own personal data. Falque-Pierrotin stressed that the right to control personal data is now distinct from the right to protection of an individual’s private life. When asked by Hogan Lovells partner Winston Maxwell whether this new right to control personal data should be included in France’s Civil Code, Falque-Pierrotin responded that the principle would more appropriately be put in the preamble of a law revising France’s existing data protection act.
Other legislative changes recommended by Falque-Pierrotin include an express right for individuals to request the delisting of certain content on search engines, as recently confirmed by the European Court of Justice, and the right to data portability. When asked whether French lawmakers should await the adoption of the EU Regulation or on the contrary insert these provisions in the upcoming French digital law, Falque-Pierrotin simply mentioned that the CNIL had made legislative recommendations to the government relating to the new digital law and that those recommendations include a provision increasing the CNIL’s sanctioning powers.
When asked about the tension between data protection principles and big data, Falque-Pierrotin insisted that data protection principles do not impede big data. She pointed to the recent compliance packs that the CNIL has developed for the insurance and banking sectors. The compliance pack for the insurance industry contains a roadmap to help insurance companies manage big data projects within their sector. The compliance packs will evolve over time so as to accompany market and technological developments, said Falque-Pierrotin. They represent a co-regulatory framework negotiated between a given industry sector and the CNIL. Falque-Pierrotin said that she puts a great deal of hope in these compliance packs as a dynamic co-regulatory tool to manage complex issues such as those posed by big data.