THE TRIBUNE – The RGPD is one year old. What do you think is its impact on society and businesses?
MARIE-LAURE DENIS – The RGPD has raised everyone's awareness of data protection issues: companies as well as individuals, and national and local governments. A poll conducted by Ifop for the CNIL shows that 70% of French people say they are sensitive to data protection, against 66% in November. The RGPD brings collective awareness. Its impact is massive because it concerns not only the 500 million Europeans, but also all companies and organizations around the world that handle the personal data of European citizens.
How does the CNIL manage its new post-RGPD obligations?
The CNIL website registered 8 million unique visitors last year, an increase of 80% over one year. There were also more than 300,000 Q&A consultations (+60%) and nearly 190,000 telephone calls (+20%), including 25,000 in May 2018 alone, the month the RGPD came into force.
This awareness among the French is also reflected in a record number of complaints: 11,077 were sent to the CNIL in 2018 (+32.5%), a third of them denouncing the dissemination of data on the Internet and 20% concerning the marketing and retail sector, including SMS prospecting and e-mail advertising. 373 search engine dereferencing requests were received. The CNIL was also heard 30 times by Parliament on various texts and bills and issued 120 opinions, one every three days, which shows how cross-cutting the issue of personal data protection is. The role of the CNIL in the public space has grown.
As soon as a company has to process data on a large scale, it must have a Data Protection Officer (DPO), who can be in-house, outsourced or shared with other companies. How many DPOs are there in France today?
There are 17,000 DPOs in France. Through pooling, they act on behalf of more than 51,000 companies and organizations.
Yet there are 4 million companies in France, and only a little more than 50,000 have an in-house or shared DPO. That is very few, isn't it?
Virtually all companies are concerned by the RGPD because there is data processing everywhere. But not everyone is required to have a DPO. Only public enterprises and those that process data on a large scale or process "sensitive" data are affected. It is estimated that France needs 80,000 DPOs. So there is still work to do, but it's a good start.
RGPD experts believe that CAC 40 companies are generally in compliance, but that VSEs and SMEs are very late. How can this problem be solved?
The big change in the RGPD is the principle of accountability: everyone manages their own compliance and must be able to prove it. The CNIL therefore focuses heavily on pedagogy. Our action is directed towards those with the fewest means, that is to say VSEs, SMEs, startups and local public actors such as municipalities.
Many tools are available on our website: a special guide for SMEs; open source software, downloaded 150,000 times and spontaneously translated by the community into 18 languages, which makes it easier to carry out impact assessments; a simplified register template; examples of information notices for users; and explanations of key concepts such as profiling, consent and data transfers. A month ago, we also launched a MOOC on the key principles of the RGPD: 27,500 people have created an account and 10% go on to obtain a certificate.
What about sanctions?
310 inspections were carried out by the CNIL in 2018. These resulted in 48 formal notices, 13 of which were made public. And 11 sanctions, 9 of them financial, were pronounced. The CNIL has deliberately shown patience and tolerance because the RGPD is a profound change. But even though it only came into effect a year ago, the regulation was adopted in 2016, three years ago. I consider that we must now show more firmness. Our regulatory action will be effective only if we use the two levers at our disposal in equal measure, that is to say pedagogy on one side, and inspection, with possible sanctions, on the other.
You fined Google 50 million euros last January. The amount is a record, but it represents only 0.04% of its global turnover, while the RGPD allows fines of up to 4%, which in Google's case would be 5.4 billion euros …
As we explained in our decision, the sanction relates to a particular breach that concerns the French market. I recall that before the RGPD, sanctions were capped at 250,000 euros, so although 50 million may seem little for Google, this amount is still unprecedented.
Is this a message sent to the giants of the Net and other major groups, meaning that the CNIL will not hesitate to use the weapon of sanctions?
The big groups and the giants of the Net have a duty to set an example and a great societal responsibility. The CNIL will therefore be very vigilant. But that does not mean we will focus our inspections only on large companies. Our goal is obviously not to complicate the lives of small businesses and SMEs, but they must be in compliance if they handle large volumes of data. I do not underestimate the complexity – financial and technical – of their compliance. But with all the tools that we make available and the work done with the sector federations on a sector-by-sector basis, it is possible to get into compliance without too many constraints.
The sanction against Google is the result of a group action led by the NGO None of Your Business (NOYB) and La Quadrature du Net. Has civil society seized this new opportunity offered by the RGPD?
Group actions are an opportunity because they reduce the atomization of the individual in the digital world and give a social dimension to data protection. Their handling is a priority within the framework of cooperation between European data protection authorities, although, inevitably, it takes time. The CNIL has received group actions against Google, Apple, Facebook, Amazon, LinkedIn and Criteo. The one against Google has already led to a sanction from the CNIL because Google had not yet designated its main establishment, which is now located in Ireland. But the others – with the exception of Criteo, which is also handled in France – are handled by the data protection authority of the country where these companies have located their data controller in Europe, so Ireland for Apple, Facebook and LinkedIn, and Luxembourg for Amazon.
What are your inspection priorities for 2019?
The first axis is respect for all the rights of individuals, such as the right to rectification, the right to object, the right to be forgotten, the right to dereferencing, etc. The second is the inspection of subcontractors, across all sectors, which must also comply even if they do not deal with the final consumer; here we work in particular with the head of the network in each sector. The third axis is the protection of the rights of minors on the Internet, and on social networks in particular. Finally, I hope that the CNIL will make greater use of citizens' complaints in order to respond as quickly as possible, knowing that 20% of the complaints received are the subject of European cooperation.
The RGPD introduces the notion of free and informed consent. But in practice, many sites force this consent by requiring the user to accept data processing or else be unable to access the service. This is the case for Facebook and Twitter, among others. Are you going to crack down?
The sanction against Google illustrates the CNIL's determination to require truly informed consent. In this case, we sanctioned the lack of clarity: the information was too scattered, there were pre-checked boxes … It is clear that the way some sites obtain the user's consent is problematic. We have all been confronted with "consent fatigue", the moment when we press the "I accept" button out of weariness. But we must be able to access the service while refusing the use of our data for advertising purposes. Care must be taken that, over time, these practices do not favor a two-speed Internet: on the one hand, a free Internet where users are tracked and where consent is forced, and on the other, a paid Internet that is safe in terms of data protection.
Freely given consent will be the subject of inspections and possibly sanctions. In addition, there should be as much "privacy by design" as possible, which leads actors to take data issues into account from the design stage of digital services.
By forcing companies to notify data breaches within 72 hours, the CNIL has also become a player in cybersecurity …
Yes. This obligation of transparency and reaction within 72 hours is important for protecting people's data. In 2018, we received more than 1,100 notifications, almost four per day. Several people in the Technology Directorate are on alert to provide a rapid response to these notifications, with the possibility of sanctioning serious violations.
Why not make public all the formal notices and sanctions that you pronounce?
The goal is not to "name and shame". If the breach has ceased, if it concerns a small company with a limited impact, why publicize it? If the breach is significant, if it involves hundreds of thousands of people, if the organization has not shown good faith or a willingness to remedy it, and if publicity can have an impact on an entire profession, then it is important to publicize it. The media coverage of sanctions must serve a pedagogical purpose.
Last year, your predecessor, Isabelle Falque-Pierrotin, denounced the "lack of resources" of the CNIL to properly carry out its missions, including monitoring the application of the RGPD. Do you share her observation?
There is indeed an under-sizing of the CNIL's workforce in relation to the stakes and the strengthening of its missions, both for support and for inspections and sanctions. The CNIL also needs the means to continue to be a key player in data diplomacy in Europe. At the end of 2019, the CNIL will have 215 employees, compared to 200 at the end of 2018. So this is the beginning of a response, which must be welcomed and which, I hope, will be amplified in 2020.
Is the CNIL suffering from a talent crisis? With the RGPD, many former employees are being recruited by the private sector to become DPOs or to set up their own compliance support structures. Do you have problems recruiting?
It is normal to have turnover in an organization of 215 people. I also see a positive aspect because, if our talent is being poached, it is because the CNIL has talent. Subject to respect for the code of ethics, it is rather a good thing that a person with a "CNIL-style" vision of data protection spreads good practices in business, even if it creates internal constraints.
Nevertheless, the CNIL remains attractive. Our legal positions motivate a lot of candidates because a stint at the CNIL is a great business card in a career. We are having a harder time recruiting for engineering positions, but that is a problem that also affects other public structures.
What are your ambitions for your mandate at the head of the CNIL, which you started in February?
I do not intend to reinvent the wheel because the missions of the CNIL are already well under way. A marker of success for our mission will be building the trust of digital users, and companies approaching the RGPD not as a constraint but as an opportunity and a competitive advantage. I also hope that the CNIL will help to reconcile the legitimate interests of security with the imperative of data protection and respect for privacy. The CNIL's expertise in digital uses must also be strengthened: we have projects to make data protection issues more visible in design, voice assistants, the cloud and the Internet of Things.
Interviewed by Sylvain Rolland