Privacy & Information Security Law Blog

On January 16, 2013, the French Data Protection Authority (“CNIL”) released its opinion on the draft report issued by Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Report”). The Report included detailed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) submitted by various stakeholders which Rapporteur Albrecht consolidated and distilled into a single text. The CNIL’s Report welcomes these amendments and in particular, the following:

Criteria for Jurisdiction of Supervisory Authorities

The CNIL is pleased that jurisdiction may be based on the individual’s residence, not just the location of the data controller’s main establishment. According to the CNIL, this helps avoid an excessive distance between the individuals concerned and the authority, and reduces the risks of forum-shopping.

Single Point of Contact

The CNIL also welcomes the fact that the lead authority designated as the single point of contact for data controllers and processors that are located in multiple EU Member States will not have exclusive competences, but will have to ensure consistency with other authorities involved in such cases.

Role of the European Data Protection Board (“EDPB”)

In the CNIL’s view, the Report allows for a uniform application of the European rules by proposing a new consistency mechanism and by considerably strengthening the EDPB’s role, in particular by giving the EDPB some decision-making powers with respect to draft decisions of a supervisory authority.

Other proposed amendments praised by the CNIL include:

• eliminating the option of using non-binding instruments for transferring personal data outside the EU;
• including “pseudonymisation” and anonymization techniques; and
• providing data subjects with the right to object to the processing of personal data free of charge in all cases.