At the head of France’s data protection authority – the CNIL – since February, Marie-Laure Denis has already put her encyclopaedic knowledge of the world of data regulation to good use. This quality, allied to her undoubted tech savviness, has made Denis the figurehead of data protection in the country – a policing role she carries out with grace and aplomb. Leader’s League legal correspondent Marine Calvo caught up with the Paris native.
Last winter the new president of the CNIL moved into her office across the road from UNESCO in Paris’ 7th district, succeeding Isabelle Falque-Pierrotin, one of the chief architects of the General Data Protection Regulation. “It was a swift handover and I was immediately thrown in at the deep end,” recalls the distinguished civil servant. A handover which she nevertheless took in her stride, confirming the adaptability of ENA graduate.
It should be stressed that Denis is no stranger to the workings of administrative authority. A lawyer by profession, she began her career at the French Council of State, where she was tasked with providing legal counsel to the government, before going on to occupy a number of senior positions in various government ministries. In the last decade and a half, she has worked in regulation, serving in the regulatory authority for electronic communications (Arcep) and the higher audiovisual council (CSA), among other roles. It is no surprise then that her name rose to the top of the list when the search for the successor to Falque-Pierrotin got underway.
Law meets economic reality
For a number of years, the 51-year-old has had a particular appetite for regulatory matters since “it is at the crossroads of law and economic reality.” After having been in contact with a range of companies from the AV and telecoms sectors, Denis pronounces herself satisfied with the progress she has been able to make in the first six months in the job. “The missions of the CNIL are varied, and it’s not just about representing the position of the government, but also the position of millions of companies. We must juggle defending the right to protect personal data and carrying out effective economic oversight.” Just two weeks after becoming president of the CNIL, she found herself having to deal with a case relating to the thorny subject of facial recognition, a particularly high-stakes issue according to Denis. At the same time she continues to invest a great deal of time and effort into carrying on the work of her predecessor to ensure the smooth implementation of the GDPR.
A period of transition
“Data has taken on a central role in the life of the modern economy.” Her statement is all the more true since the entry into force of the GDPR less than a year and a half ago, in the extent that the new piece of legislation provides a raft of new rights to the citizens of the European Union, such as those regarding data portability and minors. “There has been a GDPR effect among our citizens,” which is one reason why the CNIL continues to have a double role for companies, advising them where possible and sanctioning them when needed. “It’s up to directors to ensure their companies are in compliance with the GDPR. For the CNIL, GDPR compliance must be approached in the same way a business would competition, commerce or security, because we are talking about a strategic and reputational issue.”
But the time for pointing companies toward the right path is coming to an end. Now it’s up to business owners to take action. In this regard, 2019 can be viewed as the end of the period of leniency for companies which had, after all, been expected to be in compliance with the GDPR since May of 2018.
“The goal here is not, however, to start smacking knuckles here, there and everywhere. Obviously, we have to hand out punishment where it is merited, but we will always provide advice on the best way forward,” states the mother of four. To date, the biggest fine handed down by the CNIL for non-compliance with the GDPR came in January, under the mandate of the former president, when Google was slapped with a $56m fine. “Policy-wise, I am very much following in the footsteps of Isabelle Falque-Pierrotin. The protection of personal data must continue to be upheld using the historic powers afforded by the GDPR.” In order to be able to implement the regulation to the fullest, Denis is able to rely on a brain-trust of 17 other high-ranking experts at the CNIL. “The CNIL has over 200 highly trained, dedicated staff. I really feel that we are working in unison toward a wonderful goal.”
Fourth-most-active data protection authority in Europe
Marie Laure Denis has a clear set of objectives for her five-year mandate. Priority no.1 remains the rigorous application of the GDPR so that Europe’s citizens remain as protected and well informed as possible. “The stronger the engagement of public and private stakeholders with the GDPR, the more trust the general public will have in the digital economy," she insists.
Within the CNIL’s innovation lab, teams of experts are working hand in hand formulating a framework to regulate new forms of technology, such as cloud computing and voice activated virtual assistants, for which the issue of data portability is crucial. “Faced with the boom in connected devices, now more than ever data protection needs to be more comprehensible to the general public. Fortunately, the CNIL has technological expertise that is the envy of many. Our teams are equipped with the best IT experts and we are always careful not to disassociate legal aspects from technological ones so that we are in a position to regulate new uses of data as they come up.”
Marie-Laure Denis intends to consolidate the CNIL’s position as a leading player on the world ‘data diplomacy’ stage, as she puts it. This practice has become an ever more key aspect of geopolitics. To achieve the CNIL’s aims, Denis cooperates with counterparts across Europe on the European Data Protection Board. Common decisions at a European level are now the norm, which helps to ensure data protection is applied evenly across the continent. The GDPR is designed to ensure that, irrespective of whether or not a business is based in Europe, they must comply with the GDPR if they have Europeans as customers. The president also salutes the scale of the actions led by the CNIL, the fourth-most-active data protection authority in Europe, after Ireland, Germany and Luxembourg. Faced with the emergence of the Natu (Netflix, Airbnb, Tesla and Uber) hot on the heels of the challenges posed by the Gafa, Denis is keen to stress that “the GDPR takes into account the notion of risk that exists for users of these services, as regards the treatment of their personal data. The bigger the company, the greater the onus and obligation is on it to provide adequate personal-data security solutions. The regulation is a useful tool and one which the Natu will have to accept.”