ENDitorial: EU DP Regulation Proposal: The French CNIL defends its turf

By EDRi · February 15, 2012

This article is also available in:
Deutsch: [ENDitorial: EU-Entwurf zur Datenschutzverordnung – Französische Datenschutzbehörde CNIL verteidigt ihr Revier | https://www.unwatched.org/EDRigram_10.3_ENDitorial_EU-Entwurf_zur_Datenschutzverordnung_Franzoesische_Datenschutzbehoerde_CNIL_verteidigt_ihr_Revier?pk_campaign=edri&pk_kwd=20120221]

The French CNIL was one of the first national Data Protection Authority
(DPA) to react to the publication, by the European Commission, of its Data
Protection Framework Proposal on 25 January 2012. In a very negative press
release published the day after, while quickly welcoming “substantial
improvements that were expected and necessary”, the CNIL develops surprising
arguments to justify its particular concern, namely that “the defence of
data protection” would be “driven apart from citizens”. CNIL’s anger is
directed at Article 51 provision, defining the competent DPA. This article
provides that the competent supervisory authority shall be the one “of main
establishment of the data controller or processor”.

When examining CNIL’s arguments, one might wonder whether it has carefully
and entirely read the proposed Regulation before showing such a reaction.
This impression is even strengthened when learning about CNIL’s intense
lobbying towards the French Parliament and Government, which need to provide
their opinion during the EC proposal discussion process. Actually, the
European Affairs Commission of the French National Assembly has already
adopted a resolution in line with the CNIL’s opinion, and the Constitutional
Laws Commission of the French Senate is currently conducting hearings
(inviting inter alia French EDRi- ember IRIS to provide its views on 14
January), before adopting its own resolution on the proposed EC Data
Protection Framework (this French Parliament quick process is determined by
next Presidential elections, meaning that the Parliament will have to stop
its work early March 2012).

Arguments put forward by the CNIL could easily be refuted, especially since
some of them are based on a wrong or partial interpretation of the proposed
Regulation.

The CNIL claims that the provision “will reduce the national DPAs role to
that of a mailbox”; “will deprive widely the citizens of the protection
offered by their national authority”; “will constitute a real regression of
citizens’ rights”, which “would finally be less protected than consumer
rights” given that consumer laws allows for the competence of the consumer’s
jurisdiction. Interestingly enough, the CNIL gives as example “a web user
having a problem with a social network which main establishment is in
another member state”. Furthermore, the CNIL fears that the provision will
lead to “forum shopping” practices by companies when they decide on their
country of main establishment, a situation that would end not only in
“dumbing down” of citizens’ data protection, but also in putting at risk the
French economy! Finally, the CNIL “considers that the proposed scheme leads
to a centralization of the regulation of privacy in the hands of a limited
number of authorities”, and that “the European Commission will also benefit
from an important normative power”.

It is true that the EC will play an important role, that could be balanced
through improving the powers, independence and processing of the European
Data Protection Board (Chapter VII of the Regulation) and the national
Supervisory Authorities (Chapter VI) as well as, of course, the substantive
provisions of the data protection principles themselves, as EDRI pointed out
in its initial comments and will detail further in the process.

However, the CNIL seems to ignore the difference between a Regulation and a
Directive! The very reason for the EC choice for the former is indeed the
fact that a Regulation goes far beyond simply harmonizing the national laws,
to rather impose the same law to all Member States, requiring in addition
that same independence and powers be allowed to all national DPAs. Given
this new situation, why a French citizen would be less protected by, say,
the German DPA than by the CNIL? Especially since, even currently, French
citizens and privacy defenders would have appreciated to see the CNIL taking
the position of other Member States DPAs on some particular issues.

Moreover, through the European Data Protection Board proceedings, European
citizens could only benefit from the emulation among DPAs: they will have to
be accountable to and controlled by each other. The national DPA would
certainly not be “reduced to a mailbox” in this game, since its role will be
essential here, and is guaranteed by provisions of Articles 55-56 and 66.
Moreover, Article 73-75 provides for better democratic control and recourses
not only by citizens, but also by non profit associations such as privacy
watchdogs or human rights organizations acting in their names.

The example provided by CNIL of a social network as the data controller and
processor is particularly misleading and perverse: as a matter of fact,
while Article 51 provision only concerns companies established in the EU,
many French Members of Parliaments already interpreted this example as the
future impossibility for the CNIL to impose penalty on major US companies,
such as Facebook (or Google which it already sanctioned).

Furthermore, the “forum shopping” risk is ridiculous: who on earth could
reasonably think that a company will choose its country of main
establishment according to data protection law (which, again, will in
addition be the same in all EU countries), rather than on the basis of
taxation and labour laws and practices?! Who on earth could reasonably think
that French economy would be put at risk by the CNIL’s “superpowers”?!

Many other counter-arguments can be found in the text of the proposed
Regulation itself (such as the provided exceptions in Articles 80-83 and
other provisions as well). The fact is that, rather than raising sound
arguments towards improving the current proposal (and this is indeed much
needed), the CNIL currently seems to only be busy defending its turf.
Ungloriously.

CNIL – Draft EU Regulation on data protection: the defense of data
protection driven apart from citizens (31.01.2012 original in French on
26.01.2012)
http://www.cnil.fr/english/news-and-events/news/article/draft-eu-regulation-on-data-protection-the-defense-of-data-protection-driven-apart-from-citizens/

CNIL – Draft EU regulation: the CNIL welcomes the French Parliament
commitment (only in French, 08.02.2012)
http://www.cnil.fr/la-cnil/actualite/article/article/projet-de-reglement-europeen-la-cnil-salue-lengagement-du-parlement-francais/

French National Assembly – EU Affairs Commission Resolution on Draft EU DP
Framework (only in French, 07.02.2012)
http://www.assemblee-nationale.fr/13/propositions/pion4227.asp

French Senate – Oral Question and public discussion on privacy and data
protection (only in French, 08.02.2012)
http://www.senat.fr/seances/s201202/s20120208/s20120208_mono.html#Niv1_SOM3

EDRi – Initial Comments On The Proposal For A Data Protection Regulation
(27.01.2012)
http://www.edri.org/CommentsDPR

(Contribution by Meryem Marzouki, EDRI-member IRIS – France)