A new stage has been reached in relation to the creation and future use of “CNIL” labels as safety guarantees.
The possibility that CNIL would label products or procedures to mark their compliance with the provisions of the Data Protection Act was first introduced into the French data protection law in 2004.
However, as a result of a lack of enforcement legislation, a lack of staff and the inability to bring in external exerts, CNIL had no real means of delivering the labels.
The law of 13 May 2009 (on the simplification and qualification of the law) removed the main obstacles which were preventing the delivery of the CNIL labelling system and gave CNIL the right to “use independent, qualified persons” to evaluate products and procedures and stated that “the cost of this evaluation would be borne by the company which is requesting the label”.
More recently, Decision 2011-249 of 8 September 2011, which modified CNIL’s internal regulations, finally codified its ability to label products and procedures with its seal of approval. It also sets out in detail how this will be implemented.
Finally, on 3 November 2011 the first two sets of requirement catalogues have been published. They bear respectively on audit and on training in relation to processing of personal data.
The way is now open to the awarding of labels.
The first stage: the creation of the label
• Labels will be created at the request of a professional organization or an institution whose members are primarily data controllers. CNIL’s President, acting on the advice of its “Labelling Committee”, will decide whether or not to create the requested label. The fist two labels have been created at the request respectively of the EBIOS club (community of risks management experts) and the AFCDP (French association of privacy officers).
• In such cases, CNIL will put together a reference system that will specify the characteristics that a product or procedure must have and how the compliance of that product or procedure will be assessed (as well as any possible additional checks that will have to be made after the label is issued). In putting together the reference, CNIL may ask for input of stakeholders and, notably, associations or bodies which represent professionals and users.
The decision to create a label will be taken by CNIL in plenary session.
The second stage: the awarding of the label
• Once a reference system has been issued, the company which would like to be awarded with a label must fill out a form which will be made available on the CNIL website. The CNIL has created a dedicated web page to access where the forms are accessible : www.cnil.fr/la-cnil/labellisation.
• CNIL will have two months to consider the admissibility of the application. If CNIL fails to respond, the application will be deemed to have been refused.
• If the application is declared admissible, CNIL will notify the company of the time it will take to process the application.
• The decision to award a label will be made on the basis of a report from the Labelling Committee and CNIL may request that the applicant discloses all relevant documents to CNIL and that it attends a hearing, if necessary. CNIL will check that the procedure which is operated by the applicant complies with the provisions of the reference which was made. If the product or procedure is particularly complex, the President may ask for the opinion of an independent expert.
• A company can withdraw its application for a label at any time.
• The cost of the evaluation process will be borne by the company which requested the label.
• The label is awarded in plenary session.
• Once awarded, the label will be valid for a period of three years.
• The company can then display the “CNIL label” logo.
The post-award stage
• The label can be revoked at any time if the provisions of the reference are not complied with.
• CNIL must be notified of any changes which are made to the product or the process.
• To renew the label, a renewal application must be made at least six months before the expiry date.
• The company will be informed of the appeal procedure to be used in relation to applications which are refused.
What type of products and services does the labelling system relate to?
As indicated the first two labels adopted at the beginning of November 2011 relate to:
• Auditing procedures; and
• Data protection training.
In the later stages, CNIL intends to implement a labelling process for software and computer systems which will give specific guarantees in relation to data protection.
On its website, CNIL has suggested that “the ability to award labels is a great opportunity for CNIL. It allows it to position itself as a reference point in the economic and technological landscape. It will transform CNIL into a true economic regulator that can steer the market towards the best data protection solutions”.
Indeed, it is likely that, in the future, the CNIL label will be viewed as a hallmark of quality and even a competitive advantage.
CNIL may be following in the footsteps of the European project “EuroPriSe” ( www.european-privacy-seal.eu), in which CNIL has participated, and which has also been involved in issuing data protection seals. The search engine “lxquick”, the online banking service “BGNetPlus” and the services for activating and managing Microsoft software have already been awarded the EuroPriSe seal of approval.
It remains to be seen what the actual cost of obtaining such a certification will be (the cost of the CNIL procedure as well as the cost of designing a compliant product and preparing the application file) and if CNIL wants this labelling procedure to become a source of income.
There is a current trend of labelling and seals on the internet: Hadopi (the independent administrative body which deals with the protection of copyrights and works of art on line and fights against piracy) has launched a label, “PUR”, which identifies offerings on the culture market that comply with law.
__________________________________________________________________________________________________________________________
This article was first published in BNA International World Data Protection Report vol.11, number 11, November 2011.