The CNIL, a trusted ally in French citizens’ digital daily lives

In 2016, the CNIL provided itself with a three-year strategic plan with two main goals: making the CNIL – which was faced with major quantitative and qualitative pressure due to far-reaching changes in society as it entered the digital age – an agile, comprehensive regulator committed to joint regulation and inter-regulation, and creating a project to cover an unprecedented period in the Commission’s history – the years in which the European General Data Protection Regulation (GDPR) was adopted and came into force.

The plan enabled it to better prepare for the new legal framework’s enactment and carry out its missions to good effect over the course of 2018, a remarkable year due to the switchover to the new framework, a new, largely Europeanised mode of personal data governance, and a consequent considerable increase in referrals to the CNIL on the part of private individuals and professionals alike.

Major steps have also been taken in 2019. The new legal framework is now in place and European cooperation has become a reality. Nonetheless, there is still some way to go to complete the transformation and become a fully shared “information technology and civil liberties” culture disseminated across the country.

In March 2019, a month after Marie-Laure Denis was appointed to the Presidency of the CNIL and a new board established, the CNIL started to give thought to development of fresh orientations for the period running from mid-2019 to 2021.

The new roadmap’s common thread is appropriation and achievement, for one and all (private individuals, professionals and the European collective alike), of all the GDPR’s promises and potentialities. The new period up to 2021 will be decisive in lending credibility to the new legal framework and making the ambitious European challenge it embodies an operational success. Civil society and economic actors have high expectations. The new model helps raise awareness and lays the groundwork for design of regulatory frameworks across the world. In order to remain an effective and pragmatic data regulator in this new context and play its role to the full at national and European level alike, the CNIL must test out theories in practice and continue to modernise. It has identified five strategic focuses to guide its action up to 2021. The roadmap is accompanied by a series of operational measures concerning all the CNIL’s services.

1. Giving priority to digital issues in everyday life

Protection of individual rights, further strengthened by the GDPR, has been a key CNIL goal since the Act of 6 January 1978. But the context has undergone far-reaching changes, marked by unprecedented scaling up, proliferation and diversification of personal data processing, along with changes in individual behaviours. Priority must therefore be given to whatever affects citizens’ lives most directly, with a view to making the CNIL a trusted ally in their digital daily lives.

2. Ensuring balanced data protection regulations in the era of the GDPR

The CNIL’s “repressive” actions have gained added momentum with enactment of the GDPR, and the CNIL must commit itself fully in this respect. At the same time, the CNIL must ensure that data protection becomes part and parcel of professionals’ behaviour and everyday culture, a condition essential to the GDPR’s success and the legal security of its actions. The CNIL will therefore continue to “walk on both feet” in a balanced and coordinated way, by providing support and taking repressive action.

3. Promoting data diplomacy

The GDPR requires the CNIL to be fully committed to the European cooperation. Active participation in the European collective’s work is both a legal and a political necessity: the new European data governance model is the key to true European sovereignty in this area and also reinforces the impact of actions taken at national level. The CNIL must therefore contribute to the European collective’s success by promoting its own vision, based on its long experience as regulator. Reaching beyond the European circle itself, and within the limits of its resources, the CNIL must play an active part in international data geopolitics in concert with French diplomacy.

4. Providing up-to-the-minute public expertise on digital technology and cybersecurity

The CNIL must take an active part in the implementation of new forms of IT regulation, in which data protection is of key importance. It possesses acknowledged expertise in such regulation, and the CNIL will further develop it. In order to bring more complete responses to the challenges it encounters, as well as to provide the State as a whole with an overall capacity for effective response, it must promote and participate in the networking of expertise and tools with other components of the digital State. Overall, regulation cannot be based on legal and technological expertise alone: the CNIL will carry on with its commitment to involve other approaches such as economic and ethical approaches in particular.

5. Embodying an innovative public service that holds fast to its values

The CNIL must be exemplary in the performance of its missions as well as in its dealings with its employees. Entrusted with the protection of fundamental rights, its actions must reflect the humanist values of its DNA, especially at a time when digital technology is transforming social and professional relationships and is creating new opportunities and seeing new risks emerge.. The CNIL must also build on the advantages provided by the digital technology in developing  internal tools and in strengthening its relationship with the public. These imperatives form the cornerstone of the CNIL’s actions, essential to perform  its public service mission.