On September 22, 2011, new provisions under the French Data Protection Authority’s (“CNIL’s”) internal regulation (Délibération n°2011-249 du 8 septembre 2011) came into force. The CNIL recently amended its regulations to incorporate a new chapter (Chapter IV bis) that sets forth a specific procedure for issuing privacy seals in accordance with the French Data Protection Act. The Act authorizes the CNIL to “issue a quality label to products or procedures intended to protect individuals with respect to processing of personal data, once [the CNIL] has recognized them as in compliance with the provisions of the Act.”
The new provisions create a labeling committee tasked with developing draft benchmarks for evaluating products or procedures and assessing privacy seal applications to determine whether the product or procedure complies with the relevant standards. Once the benchmarks have been published, applicants wishing to obtain a seal must fill out a form including a description of the relevant product or procedure and information on how it satisfies the requirements. The CNIL will have two months from the date it receives an application to test the product or procedure for compliance and make a decision about whether to grant a privacy seal. Decisions will be made during the CNIL’s plenary sessions and communicated to applicants within eight days. Once approved, organizations may display the CNIL’s logo to indicate their product or procedure has been granted a privacy seal. The seal will be valid for three years and renewable. However, the CNIL may monitor labeled products or procedures to determine whether they continue to comply with the benchmarks and may revoke a seal at any time.
The CNIL has indicated that the first privacy seals would be granted to data processing auditing procedures and to privacy training.