The French Data Protection Authority (DPA), the CNIL, has expressed its satisfaction on the draft report (the “draft Report”) released by the European Parliament on the new European Data Protection Regulation (the “Regulation”).
One of the major points of concern for the CNIL was that the draft Regulation had proposed that the competent DPA to rule over a complaint was to be the DPA where the data controller had its main establishment.
The CNIL considered in January 2012 that “In practice, this means that where a web user has a problem with a social network which main establishment is in another member state, the complaint will be handled by the authority of the latter,” resulting in practice in less protection for citizens given the broadening gap between European Data Protection Authorities, especially with the UK Commissioner.
The CNIL therefore welcomes warmly the conclusions of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs report that was published a couple of weeks ago. The amendments tabled by the rapporteur, Mr Albrecht, are considered by the CNIL as “real progress and an important stepping stone.”
Four major items have been highlighted by the CNIL:
- Criterion of competence of the supervisory authorities: The draft Report changes the “rules of jurisdiction” and sets forth that the place of residence of the citizen will be used as criterion of competence instead of the main establishment. The CNIL will in that respect regain power (and jurisdiction) over complaints filed in France, even if the main establishment of the data controller is located outside France.
- Single point of contact: According to the draft Report, the lead authority will be designated as single point of contact for controllers and processors who have activities in more than one Member State. This authority would have to instruct cross-border situations in the name and on behalf of all the competent authorities, and to ensure coordination before adopting a decision. The CNIL sees here a real opportunity to expand its area of influence. The fight against Google that this blog has been following is to be seen in that respect as a real life test.
- Role of the European Data Protection Board (EDPB): The CNIL welcomes the creation of the EDPB that would help to generate a harmonized implementation of the European rules and would have decisional power. According to the draft Report, the EDPB would draft guidelines for the supervisory authorities, and deliver opinions on the codes of conduct drafted at EU level. Moreover, the EDPB would have to be consulted by the European Commission in the preparation of delegated acts and implementing acts, which number would be much reduced.
- Protection of citizens’ rights: The draft Report improves citizens’ rights by the use of ‘pseudonymisation' and anonymisation of data, as well as by the free exercise of a right to object and the clarification of what constitutes the expression of consent in the online environment.
The CNIL finally welcomes the removal by the draft Report of the possibility to use non-binding legal instruments in the context of data transfers to non-EU Member States.
All in all, this draft Report constitutes a strong support for the “hardliners” led by the CNIL in the on-going discussions on the draft Regulation.