The increasing digitization of economic and social life, along with the onset of the pandemic, has heightened risks to privacy. Furthermore, the omnipresence of major digital services raises new regulatory challenges. In this context, personal data is more than ever the common thread of our digital daily lives.
Given these observations, it is essential that the GDPR, through European cooperation between authorities, fully plays its role as an offensive compliance lever and ensures the effective respect of individuals’ rights and fair competition among economic actors. It is within this dynamic that the new strategic orientations of the CNIL for the period 2022 to 2024 are set.
This plan outlines the CNIL’s strategic orientations in 3 main axes, each broken down into specific objectives.
Axis 1 aims to enhance individuals’ control and rights in the field through 4 objectives:
Strengthening information and awareness to promote the exercise of rights:
The CNIL aims to improve its communication and provide tools that make it easier to exercise rights. This may lead to an increase in rights requests, which raises the exposure of companies that are not in compliance.
Increasing the effectiveness of enforcement actions:
This will involve adapting its inspection, injunction, and sanction procedures. The processing of complaints is a priority, as well as reducing investigation time. This initiative has recently materialized through a call for tenders to outsource the handling of simpler cases (those that do not raise new legal issues and do not involve state entities).
Strengthening CNIL’s European role and the effectiveness of collective European action:
The goal is to enhance the efficiency of the one-stop-shop mechanism and relationships between supervisory authorities. This concerns cross-border data processing (Article 4.23 GDPR) and businesses established in the EU, through a single point of contact (lead supervisory authority) for controllers or processors operating in multiple European countries. This single point of contact is determined based on the location of the company’s main establishment, as per Article 4.16 of the GDPR.
Prioritizing actions to protect everyday digital uses by raising citizens’ awareness of digital tools, freedom, privacy issues, and associated risks while providing them with practical tools.
A significant portion of enforcement actions has focused on the priority issue of cookies: 89 decisions involved violations related to the use of trackers (including 84 dedicated entirely to this issue).
Axis 2 promotes the GDPR as a trust-building asset for data controllers (DCs) through 5 objectives:
Enhancing legal security for DCs through clear and practical guidelines:
This involves clarifying the legislation (doctrine) to better align with business needs for a smoother adoption of data protection measures.
Developing certification tools and codes of conduct:
This enables DCs to manage their compliance in a way that is tailored to their industry. The goal is to simplify tools and strengthen relationships with compliance partners (code of conduct sponsors and certification bodies).
Making GDPR compliance the best prevention against cyber risks:
The CNIL is reinforcing its role in public authorities’ responses to cyber risks, as well as its regulatory and technical advisory role.
Strengthening and evolving the support strategy:
The aim is to meet DCs’ needs with transparent, accessible, and business-oriented tools for better data protection adoption.
Assuming the role of a regulator with economic impact:
This means taking into account business models and the economic impact of the CNIL’s actions.
Axis 3 highlights CNIL’s priorities in response to the intensification of personal data usage, focusing on:
Augmented cameras (combined with predictive algorithms) and their applications:
This raises concerns about large-scale surveillance of individuals. Actions are planned regarding government services and commercial activities, with phases of support in implementing such systems to prevent excessive and disproportionate monitoring.
Data transfers in cloud computing:
The continuous deployment of cloud solutions creates security and compliance risks, particularly with major digital players. The goal is to secure personal data transfers to non-EU countries based on the “Schrems II” ruling.
Collection of personal data in smartphone applications:
Given the opacity and variability of practices in this area, the CNIL seeks to improve data flow visibility and strengthen mobile application compliance.
Understanding Adequacy Decisions: Key to Smooth Data Transfers
An adequacy decision is a crucial determination made by the European Commission. It assesses whether a non-EU country offers a sufficient level of personal data protection, closely aligning with EU standards.
The Importance of Adequacy Decisions
When a country receives this positive evaluation, it indicates that the country has a solid data protection framework. This includes:
National Legislation: The country must have robust privacy laws that protect individuals’ personal information.
Independent Data Protection Authorities: An effective supervisory body must exist to enforce data protection laws and address violations.
International Commitments: The country must demonstrate a willingness to respect data protection through international agreements and partnerships.
Implications for Data Transfer
An adequacy decision simplifies the process of transferring personal data from the EU to the designated third country. Here’s how:
No Additional Guarantees: Companies and organizations can transfer data without needing special authorizations or implementing additional security measures.
Streamlined Operations: Businesses benefit from fewer legal obstacles, enabling cross-border transactions and more fluid data flows.
In essence, an adequacy decision builds a bridge of trust, fostering international cooperation while protecting individuals’ data rights. This decision allows personal data owners and processors to engage in global markets with confidence.
How Does Explicit Consent Enable Data Transfer Outside the EU?
When it comes to data transfers beyond the European Union, the explicit consent of the data subject is a crucial factor that can simplify this process.
What Is Explicit Consent?
Explicit consent involves a clear and voluntary agreement by the individual, where they recognize and accept potential risks associated with transferring their personal data to other jurisdictions.
The Role of Informed Consent
Before obtaining consent, it is essential that the individual fully understands what they are consenting to. They must be informed of all potential risks related to transferring their data outside the EU, such as differences in data protection standards.
Facilitating the Transfer
Informed Agreement: By ensuring individuals are well-informed, organizations can proceed ethically and legally with data transfers.
Regulatory Compliance: Obtaining explicit consent demonstrates compliance with GDPR requirements, thus avoiding potential legal issues.
Trust Reinforcement: Transparent communication regarding data processing helps strengthen trust between the organization and the data subject.
In summary, explicit consent is more than a mere formality — it is a legal and ethical pathway that facilitates the legitimate transfer of personal data outside the European Union, ensuring that both parties are informed and protected.
What Additional Measures Should Be Taken If There Is a Risk?
If there are concerns that data protection guarantees are not sufficient, the data exporter must implement additional measures to strengthen protection. Here are the key considerations:
Strengthen Data Encryption
Ensure that data is encrypted both in transit and at rest, using robust encryption protocols to prevent unauthorized access.
Regular Security Audits
Conduct frequent security audits to identify and address vulnerabilities in the data management process.
Access Controls
Implement strict access controls to limit data access only to those who need it, ensuring unauthorized personnel cannot access sensitive information.
Data Minimization
Adopt a data minimization policy, collecting only essential data necessary for processing activities.
Employee Training
Regularly organize training sessions for employees on data protection practices and the importance of maintaining these guarantees.
Legal Contracts
Update contracts with third parties to include strict data protection clauses, ensuring all parties are responsible for maintaining data security standards.
Data Transfer Impact Assessments
Conduct comprehensive assessments to evaluate risks associated with data transfers and adjust strategies if necessary.
Real-Time Monitoring
Establish real-time monitoring systems to detect and quickly respond to potential data breaches.
By integrating these measures, data exporters can enhance the effectiveness of data protection guarantees and more effectively protect sensitive information.