Last week, the French Data Protection Authority (“CNIL”) launched the second round of a public consultation on the General Data Protection Regulation (“GDPR”). The first public consultation was launched in June 2016 and addressed the requirements in the GDPR relating to data protection officers, data portability and privacy seals and certifications. The outcome of the June 2016 consultation was integrated by the Consortium of the European data protection authorities (“WP29”) into WP29’s recent guidance.
Similarly, the new public consultation launched by the CNIL is aligned with ongoing discussions at WP29’s level; more specifically, it intends to address some of the key questions identified by WP29 in its action plan for 2017. Companies and individuals are invited to comment on the following provisions of the GDPR:
- Breach notification: the questions submitted to public consultation pertain to (i) the person/function within an organization who is responsible for filing a breach notification, (ii) circumstances where a notification to the CNIL is not required, (iii) timing of notification, (iv) the elements that must be included in a notification, and (v) circumstances where individuals must be notified.
- Consent: the questions submitted pertain to (i) the definition and characteristics of consent, (ii) consent for minors, (iii) consent for collection of sensitive data, (iv) consent tracking and evidence, and (v) consent withdrawal.
- Profiling: the questions submitted pertain to (i) the identification of profiling activities of companies, (ii) the rights of the individuals, (iii) the implementation of privacy-by-design and privacy-by-default, and (iv) the requirements applying to profiling for certain sectors (e-commerce, telecoms, banks, online advertising).
Any concerned individual may comment on those questions by March 24, 2017 via the CNIL’s website. The questions are open-ended, which means that individuals can highlight specific concerns, make remarks as to their understanding or interpretation of the GDPR and even propose some recommendations. Comments are made public (subject to moderation by the CNIL). Once the consultation is closed, the CNIL will release a report summarizing the answers gathered. It is expected that WP29 will bring this one step further in upcoming guidelines relating to the three subject matters at stake.
Examples of the types of comments made can be found (in French) here.
Alston & Bird is closely monitoring the implementation of the GDPR in various EU countries and is advising companies with operations in EU countries on how to comply with the GDPR. For more information, contact Jan Dhont, Jim Harvey, or David Keating.