In the annual activity report it pubslihed in July, CNIL underlines that the proposed regulation on protection of personal data the European Commission published early in 2012 cuts too much of the national DPA’s power with regard to transnational processing.
HLdataprotection.com reviews the report and writes that the proposed new European regulation drew criticism in the CNIL’s report on three points. First, the CNIL expressed concern that making a single data protection authority responsible for the European-wide activities of an enterprise could result in a significant decrease in the level of protection of individuals. Citing the example of a social network whose main establishment is located in another European member state, the CNIL said it was inappropriate to reduce the role of the French data protection authority (“DPA”) to a simple mailbox to forward complaints to the principal DPA responsible for the social network’s activities. According to the CNIL, a French user who is harmed by the activities of an enterprise doing business in France should be able to look to the French regulator for redress.
The second point on which the CNIL diverges from the Commission is on the issue on international data transfers. The CNIL believes that transfers to countries that have not been recognised as providing adequate protection should be based on contractual clauses or BCRs that have been approved in advance by the CNIL. Under the proposed regulation, an international transfer based on standard contractual clauses will not require the prior approval of the DPA.
Finally, the CNIL made the point that the new accountability measures included in the draft regulation should not be viewed as a form of self-regulation, or as a trade-off for less regulatory supervision. Instead, the accountability measures should be viewed as a supplement to existing regulatory principles and enforcement practices.
You can find CNIL’s report here: http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/RA2011_CNIL_FR.pdf
You can also find the rest of the HLdataprotection.com’s review HERE.