ENDitorial: EU DP Regulation Proposal: The French CNIL defends its turf
This article is also available in:
Deutsch: ENDitorial: EU-Entwurf zur Datenschutzverordnung – Französische Dat...
The French CNIL was one of the first national Data Protection Authority (DPA) to react to the publication, by the European Commission, of its Data Protection Framework Proposal on 25 January 2012. In a very negative press release published the day after, while quickly welcoming "substantial improvements that were expected and necessary", the CNIL develops surprising arguments to justify its particular concern, namely that "the defence of data protection" would be "driven apart from citizens". CNIL's anger is directed at Article 51 provision, defining the competent DPA. This article provides that the competent supervisory authority shall be the one "of main establishment of the data controller or processor".
When examining CNIL's arguments, one might wonder whether it has carefully and entirely read the proposed Regulation before showing such a reaction. This impression is even strengthened when learning about CNIL's intense lobbying towards the French Parliament and Government, which need to provide their opinion during the EC proposal discussion process. Actually, the European Affairs Commission of the French National Assembly has already adopted a resolution in line with the CNIL's opinion, and the Constitutional Laws Commission of the French Senate is currently conducting hearings (inviting inter alia French EDRi- ember IRIS to provide its views on 14 January), before adopting its own resolution on the proposed EC Data Protection Framework (this French Parliament quick process is determined by next Presidential elections, meaning that the Parliament will have to stop its work early March 2012).
Arguments put forward by the CNIL could easily be refuted, especially since some of them are based on a wrong or partial interpretation of the proposed Regulation.
The CNIL claims that the provision "will reduce the national DPAs role to that of a mailbox"; "will deprive widely the citizens of the protection offered by their national authority"; "will constitute a real regression of citizens' rights", which "would finally be less protected than consumer rights" given that consumer laws allows for the competence of the consumer's jurisdiction. Interestingly enough, the CNIL gives as example "a web user having a problem with a social network which main establishment is in another member state". Furthermore, the CNIL fears that the provision will lead to "forum shopping" practices by companies when they decide on their country of main establishment, a situation that would end not only in "dumbing down" of citizens' data protection, but also in putting at risk the French economy! Finally, the CNIL "considers that the proposed scheme leads to a centralization of the regulation of privacy in the hands of a limited number of authorities", and that "the European Commission will also benefit from an important normative power".
It is true that the EC will play an important role, that could be balanced through improving the powers, independence and processing of the European Data Protection Board (Chapter VII of the Regulation) and the national Supervisory Authorities (Chapter VI) as well as, of course, the substantive provisions of the data protection principles themselves, as EDRI pointed out in its initial comments and will detail further in the process.
However, the CNIL seems to ignore the difference between a Regulation and a Directive! The very reason for the EC choice for the former is indeed the fact that a Regulation goes far beyond simply harmonizing the national laws, to rather impose the same law to all Member States, requiring in addition that same independence and powers be allowed to all national DPAs. Given this new situation, why a French citizen would be less protected by, say, the German DPA than by the CNIL? Especially since, even currently, French citizens and privacy defenders would have appreciated to see the CNIL taking the position of other Member States DPAs on some particular issues.
Moreover, through the European Data Protection Board proceedings, European citizens could only benefit from the emulation among DPAs: they will have to be accountable to and controlled by each other. The national DPA would certainly not be "reduced to a mailbox" in this game, since its role will be essential here, and is guaranteed by provisions of Articles 55-56 and 66. Moreover, Article 73-75 provides for better democratic control and recourses not only by citizens, but also by non profit associations such as privacy watchdogs or human rights organizations acting in their names.
The example provided by CNIL of a social network as the data controller and processor is particularly misleading and perverse: as a matter of fact, while Article 51 provision only concerns companies established in the EU, many French Members of Parliaments already interpreted this example as the future impossibility for the CNIL to impose penalty on major US companies, such as Facebook (or Google which it already sanctioned).
Furthermore, the "forum shopping" risk is ridiculous: who on earth could reasonably think that a company will choose its country of main establishment according to data protection law (which, again, will in addition be the same in all EU countries), rather than on the basis of taxation and labour laws and practices?! Who on earth could reasonably think that French economy would be put at risk by the CNIL's "superpowers"?!
Many other counter-arguments can be found in the text of the proposed Regulation itself (such as the provided exceptions in Articles 80-83 and other provisions as well). The fact is that, rather than raising sound arguments towards improving the current proposal (and this is indeed much needed), the CNIL currently seems to only be busy defending its turf. Ungloriously.
CNIL - Draft EU Regulation on data protection: the defense of data
protection driven apart from citizens (31.01.2012 original in French on
CNIL - Draft EU regulation: the CNIL welcomes the French Parliament
commitment (only in French, 08.02.2012)
French National Assembly - EU Affairs Commission Resolution on Draft EU DP
Framework (only in French, 07.02.2012)
French Senate - Oral Question and public discussion on privacy and data
protection (only in French, 08.02.2012)
EDRi - Initial Comments On The Proposal For A Data Protection Regulation
(Contribution by Meryem Marzouki, EDRI-member IRIS - France)