Speaking at the Compliance Week Europe Conference in Brussels yesterday, Sophie Narbonne, Deputy Director of Legal Affairs at the CNIL, was one of the first to comment publicly following the recent European Cookie Sweep.
Coming after the coordinated inspections by European Data Protection Authorities last month, her comments are an interesting indication of what the CNIL and wider European response to the findings will be.
Cookies weren’t the only hot topic of conversation as Sophie Narbonne addressed a packed house of Compliance Officers. As well as dealing with the inevitable questions about the Right to Be Forgotten and progress with the EU Data Protection Regulation, she used her keynote presentation to focus on two data protection concepts: accountability and interoperability.
Data Protection Focus: Accountability and Interoperability
Alongside strengthened powers of enforcement and sanctions in the proposed new EU Data Protection Regulation, she welcomed a new “middle layer of accountability.” Sanctions are important – and Sophie didn’t mince her words, calling the current maximum of 150K euros “ridiculous” and stating that the amount would “drastically increase as it is not credible otherwise.”
But she was clear that this wasn’t enough: “You can’t regulate by sanctions. You need something else, and I welcome the new approach of accountability – not self-regulation but co-regulation.”
Highlighting the CNIL’s support for Binding Corporate Rules (BCR), she focused on the second key concept of interoperability. While it had been possible to achieve “mutual recognition” for the BCR process in the EU, as countries have the same legal heritage, outside of the EU Sophie said it was important to “build bridges” with programs such as the APEC Cross Border Privacy Rules (CBPRs), which are similar to but different from BCRs.
She welcomed the new bridges, such as the APEC-EU Referential from earlier this year, which has started to join the principles and the applications of these two approaches.