Marie-Laure Denis
  • President
  • CNIL
France
Marie-Laure Denis

Marie-Laure Denis

  • President
  • CNIL
France

Data has progressively become an element at the heart of our current debates. Digital transformation now touches upon so many fields of society, from the economy to geopolitics and diplomacy, but also legal, societal and ethical questions. This wide impact of the digital revolution on our society is probably one of the reasons that led me to advance in this field, not only as a lawyer, but also as a citizen.

For almost 20 years now, I have been involved in digital regulation, in particular as a member of the audio-visual regulator and then of the telecoms regulator in France. This has offered me the opportunity to experience directly the growing and central role of personal data processing in our current digital ecosystem.

It is also with a particular interest, as a State Counsellor, that I am now directly involved in the implementation of one of the major EU regulations in the digital field, which still raises numerous legal questions and challenges. Personal data protection is certainly a field of law where there is no routine!

In terms of career highlights so far, in addition to having been a judge within the French highest administrative jurisdiction (Council of State), I would say that my career has regularly offered me the opportunity to address challenges with a direct and concrete impact on the matters I was in charge of.

For example, I joined the board of the French audio-visual regulator in 2004 at a crucial time for the audio-visual landscape in France, with the launch of the new generation of digital television and the attribution of new radio frequencies. I have been negotiating conventions and obligations with media operators that concretely contributed to the change of the TV and radio landscape in France. That was also the case in 2011 as a member of the telecoms regulator, as the French market evolved significantly with the entry of a new telecom operator.

Having been appointed as the head of CNIL in early 2019, a few months after the effective application of the GDPR, I have also been at the forefront of the implementation of this new European standard for the processing of personal data. And we can say that the GDPR influence went even beyond our European borders, with a real impact worldwide.

During my current mandate, CNIL has adopted its biggest fines, directed to major digital players. We have also focused our efforts on being a regulator protecting individuals in their daily digital uses, with specific actions towards web cookies for example, which led to concrete changes in the digital ecosystem. I am proud that our current mission also contributes to the promotion of the European model through the protection of personal data and, more generally, to our digital sovereignty.

One of the specificities of personal data protection, as a regulatory area, is that it is first grounded on the protection of a fundamental right. It implies a specific regulatory approach, different from internal market or competition regulation. Of course, it is not isolated and operating in a silo; it has to take into account the digital ecosystem in which it is applied, and we see more and more interactions between the different regulatory fields. This is sometimes a challenge, but that also makes the protection of personal data a very particular and stimulating area of law, where fundamental rights principles have to be articulated with new technologies and the development of the digital economy.

There is one goal: the preservation of individuals’ fundamental right to the protection of personal data – and one particular context with the digital transformation of our society. That certainly makes personal data protection a regulatory area which is somehow unique, and for which we need to advance collectively.

My list is certainly not exhaustive but I would like to mention a few challenges which we are facing and addressing at the moment.

First, the digitalisation of our society and our economy, accelerated by the covid-19 crisis, has placed the processing of personal data at an even more central point of our daily lives, of our economic exchanges and of our societal system as a whole. This context means that data protection law and regulators have to apprehend this constant transformation, and act with proportionality and discernment given our limited capacity, in order to obtain an optimal result for the preservation of fundamental rights. This is for sure a challenge and one of our priorities: to ensure that, in our current context, individuals’ rights are protected on the ground.

More specifically, CNIL has also decided, as part of its strategic plan for 2022-2024, to focus on regulatory action targeted at issues with a crucial privacy impact. We identified three specific areas.

First, augmented cameras and their uses. The accelerated development in the field of so-called augmented cameras, often coupled with predictive algorithms, raises the question of the necessary and proportionate nature of these devices and runs the risk of surveillance on a large scale of people. CNIL will implement an action plan that will concern both public sector and commercial uses and which will include a support phase for the various actors on the ground.

Second, data transfers in cloud computing. Personal data transfers to third countries are a real security and compliance issue for users of IT solutions integrated in cloud computing services provided by major digital players, but it is also an issue of digital sovereignty for Europeans. The CNIL action plan on this subject, in cooperation with its EU counterparts, will allow, in light of the Schrems II ruling, to secure transfers of personal data of individuals to countries outside the European Union.

Third, personal data collection in smartphone apps. Faced with the opacity of technologies and the heterogeneity of practices, CNIL’s objective is to make data flows visible and to strengthen the compliance of mobile apps and their ecosystems and to better protect the rights of smartphones’ users. Our future action plan will include targeted intervention themes, user awareness and a European follow up of our approach.

CNIL has always been keen on anticipating new trends and identifying emerging issues from a prospective point of view. This is actually part of our mission as a data protection authority.

I could mention a couple of topics which we are currently following closely, such as personal data processing by artificial intelligence systems, the development of the metaverse, biometric identification or our increased reliance on connect devices and object, and the cybersecurity risks it can entail.

While key themes are sometimes dominating our policy agenda, I think it is important to keep a particular attention at data protection from a ‘daily life’ point of view. We are keen on ensuring, including for the most basic personal data processing, that the exercise of individuals’ rights is facilitated and complied with. As already mentioned, this is one of our key priorities and we work constantly on raising awareness and on accompanying a wide range of data controllers to promote compliance.

Another issue, which is not overlooked but sometimes disconnected from personal data protection, is cybersecurity. The GDPR imposed new obligations on data controllers in terms of data security, which is one of our key principles, already enshrined in our initial data protection law of 1978. As such, CNIL is an actor of cybersecurity, in particular with the thousands of data breach notifications it receives each year. We want to continue to raise awareness in this field and promote cooperation with cybersecurity agencies, given the rapid evolution of threats in this field.

I am not sure there are gender equity challenges which are specific to the field of personal data protection. But of course, addressing the gender pay gap, promoting equal opportunities and fighting discriminations are certainly areas which need to be constantly prioritised, across the professional environment in general.

In this regard, I am very proud that CNIL is even more than gender-balanced: women represent more than 60% of our staff, with positions at all levels including within top management, and we also count with talented and committed women in fields where they are usually less represented such as technological expertise or innovation. We need to continue promoting a gender-balanced approach in all fields of expertise. Once again this is not specific to personal data protection, but it is for sure a priority which needs to be upheld.

As a woman, I may have had a particular sensitivity to specific initiatives in the field of personal data protection, considering that the field of IT is still very much male-dominated. I have, for example, been keen on developing action in the field of education and awareness-raising, in order to reach out to the widest audience possible and inform all individuals about their rights.

I am also particularly vigilant and attentive about issues such as bias and discrimination, which are at the core of the current challenges raised by algorithmic processing and artificial intelligence.

We have certainly seen a change over the last decade, with more and more women involved in this field, including at top level positions. If you take the example of the European Data Protection Board, more than half of the head of data protection authorities composing the board are women. This may not have been the case more than 10 years ago. It is certainly an encouraging signal.

More generally, and beyond the changes for women professionals, personal data protection has moved over the past decade from a static compliance issue, sometimes considered only as an IT question, to a real dynamic process and governance matter within each organisation, involving all services concerned.

My main advice would be to remain committed and focused, and above all, to remind that obstacles are only here to be overcome!

Unlock unlimited access to all Global Data Review content