TrustArc Blog

CNIL comments on first findings from Cookie Sweep

October 15, 2014

Speaking at the Compliance Week Europe Conference in Brussels yesterday Sophie Narbonne, Deputy Director of Legal Affairs at the CNIL was one of the first to comment publicly following the recent European Cookie Sweep. Clarifying that they are still working on the results she said “It is clear that there is now a first layer of information (on websites) but the next stage is not clear enough and doesn’t give the right information for people to refuse cookies.” Following the coordinated inspections by European Data Protection Authorities last month, this is an interesting indication of what the CNIL, and wider European response will be to the findings.

Cookies were not the only hot topic of conversation as Sophie Narbonne addressed a packed house of Compliance Officers. As well as dealing with the inevitable questions about the Right to Be Forgotten, and progress with the EU Data Protection Regulation she used her keynote presentation to focus on two data protection concepts: accountability and interoperability.

Alongside strengthened powers of enforcement and sanctions in the proposed new EU Data Protection Regulation she welcomed a new “middle layer of accountability”. Sanctions are important – and she didn’t mince her words calling the current maximum of 150K euros “ridiculous” and stating that the amount would “drastically increased as it is not credible otherwise.” But she was clear that this wasn’t enough: “You can’t regulate by sanctions you need something else and I welcome the new approach of accountability – not self-regulation but co-regulation.”

Highlighting the CNIL’s support for Binding Corporate Rules (BCR), she focused on the second key concept of interoperability. While it had been possible to achieve “mutual recognition” for the BCRs process in the EU as countries have the same legal heritage outside of the EU she said it was important to “build bridges” with programs such as the APEC Cross Border Privacy Rules (CBPRs) which are similar but different to BCRs. She welcomed the new bridges such as the APEC-EU Referential earlier this year that have started to join the principles and the applications of these two approaches.

As privacy experts from across the globe gather in Mauritius for the 36th International Conference of Data Protection and Privacy Commissioners the weather may not be the same as Brussels but with a conference strapline of a “World Order for Data Protection” the conversations are likely to have a similar focus on interoperability and building bridges.

To keep up-to-date with latest privacy developments, follow TRUSTe on LinkedIn, Google+.