The French Privacy Seal Scheme: A Successful Test

(Le schéma français des labels de protection des données: un essai réussi)

Privacy and Data Protection Seals

Part of the book series: Information Technology and Law Series (ITLS, volume 28)

Abstract

With nearly one hundred CNIL privacy seals delivered, France has emerged as a trailblazer in this domain. Realising the importance of changing attitudes and behaviours regarding data protection very early on, the French legislature authorised its supervisory authority to create a new indicator of compliance in this area. The French Data Protection Authority readily admits that its privacy seal is still in the early stages. However, the progress made over the past four years has shown that the experiment was worth pursuing, with a view to creating a lasting scheme. CNIL is now equipped with a proven procedure, elevating its privacy seal to the status of a “guarantee of Ethical Data Protection”, in line with CNIL’s latest reference standard, the seal on Governance Procedure.

Johanna Carvais-Palut is a Data Protection Officer at a French insurance company. This chapter was authored in 2016, when Johanna was Head of the Privacy Seals Unit, Compliance Directorate, CNIL [label@cnil.fr].


Notes

  1. Commission Nationale de l’Informatique et des Libertés (CNIL) is the French Data Protection Authority. Created in 1978, CNIL is an Independent Administrative Authority that exercises its functions in accordance with the French Data Protection Act.

  2. French Act 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (French Data Protection Act).

  3. French Data Protection Act of 1978, amended 6 August 2004.

  4. Decision n° 2011-249 of 8 September 2011 (now amended by Decision n° 2013-175 of 4 July 2013).

  5. www.cnil.fr/en/privacy-seals; www.cnil.fr/fr/les-labels-cnil. Accessed 30 April 2017.

  6. Act 2014-344 of 17 March 2014 (French Consumer Protection Act). The Hamon Act also explicitly introduced into the French Data Protection Act (Article 11-3c) a provision enabling CNIL to verify that the conditions for receiving the privacy seal are maintained, and to withdraw the privacy seal if necessary.

  7. Data protection training is a process intended to produce and develop the knowledge, know-how and behaviour necessary for compliance with the French Data Protection Act. The process may take place over several days and include several modules which are independent of each other. The standard defines the criteria and resources enabling the data protection authority to determine whether the training courses for which a privacy seal is requested achieve that objective. It includes two parts, corresponding to the two phases of the evaluation performed by the data protection authority, which cover: the training activity (requirements concerning the method) and the content of the training course (a main module of fundamental knowledge that the training course must at least include in its curriculum to apply for certification, and supplementary modules that the training course may also include in its curriculum).

  8. A “Data Protection” audit is an audit whose criteria enable a judgement of the compliance of personal data processing with Act No. 78-17 of 6 January 1978 (French Data Protection Act), as amended by Act No. 2004-801 of 6 August 2004. The scope of such an audit concerns the processing of personal data implemented within a defined perimeter, not only in terms of the places, organisational units, activities, processes or time periods covered, but also in terms of types of processing or specific processing operations. The audit procedure describes the conduct, management and content of audits as they are implemented by the applicant. The complete terminology is presented in the following pages. To this end, the present standard defines the evaluation criteria relating to the manner of conducting an audit and to the processing of personal data during the audit.

  9. The digital safe box, as understood in this standard, covers offers made to individuals of services for the dematerialised and secure storage of data, the aim of which is to keep documents on digital media. Digital safe boxes must ensure the integrity, availability and confidentiality of stored data and implement appropriate security measures. A digital safe box is distinguished from an ordinary storage space by the fact that the data retained, including stored documents and their metadata, is accessible only to the holder of the safe box and, where applicable, to natural persons whom the holder has specifically authorised for this purpose. The present standard describes the procedures for the creation and management of digital safe boxes and their content. It defines the criteria and the resources allowing the Data Protection Authority to determine whether the digital safe boxes subject to the privacy seal request reach the target objective, namely the secure retention and protection of the personal data contained in a safe box, which will be accessible only to its user and to natural persons specifically mandated by the latter.

  10. The governance of personal data protection, also known as “Privacy Governance”, establishes the set of measures, rules and best practices that allow for the application of laws and regulations on the handling of personal data, as well as setting out the specific liabilities inherent in this handling. This privacy seal is intended to help private and public organisations implement personal data protection measures and to help them be accountable for those measures. This standard defines the assessment criteria and the means at the Commission’s disposal for assessing the effectiveness of privacy governance procedures in protecting personal data, which is the objective of this privacy seal.

  11. See Sect. 4.6.

  12. Application processing is the second step in the scheme.

  13. See the implementation orders for French Act 2000-321 of 12 April 2000 on citizens’ rights in their dealings with public bodies (referred to in France as the “DCRA” Act).

  14. See Decree 2014-1278 of 23 October 2014.

  15. It could be rejected if CNIL’s plenary session considers that the application does not fulfil all the mandatory requirements.

  16. A seal could be withdrawn if the conditions under which the privacy seal was granted are no longer fulfilled.

  17. www.cnil.fr. Accessed 30 April 2017.

  18. In August 2016, CNIL had delivered 88 seals in total for 110 applications received.

  19. Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; Article 5.2.

  20. Opinion 3/2010 on the principle of accountability, adopted on 13 July 2010 by the Article 29 Data Protection Working Party.

  21. Group of European Data Protection Authorities.

  22. French Regulations governing use of the Collective Mark “CNIL seal”, approved by CNIL on 14 June 2012.

  23. Such as better acknowledgement of expertise within the industry.

  24. As the seal becomes increasingly well recognised, many tender procurement policies for data protection training courses or audits now require the CNIL seal.

  25. In France, we have an equivalent called a “Correspondant Informatique et Libertés (CIL)”.

  26. French Regulations governing use of the Collective Mark “CNIL seal”, approved by CNIL on 14 June 2012.

  27. Different sizes and different colours (blue, white and red, or black and white) for several uses.

  28. Ibid.

  29. Small and Medium-sized Enterprises.

  30. Seventy-six people completed the survey. It was conducted between September and November 2014.

  31. Note: 20% of the respondents did not answer this question.

  32. French Act 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (French Data Protection Act).

  33. Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  34. Article 42 and Recital 100 of Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

  35. The European Data Protection Board will be set up as an independent body of the Union with legal personality. It will replace the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Directive 95/46/EC. It will consist of the head of a supervisory authority of each Member State and the European Data Protection Supervisor, or their respective representatives. The Board will contribute to the consistent application of the GDPR throughout the Union, including by advising the Commission, in particular on the level of protection in third countries or international organisations, and by promoting cooperation among the supervisory authorities throughout the Union.

Author information


Correspondence to Johanna Carvais-Palut.


Copyright information

© 2018 T.M.C. Asser press and the authors

About this chapter


Cite this chapter

Carvais-Palut, J. (2018). The French Privacy Seal Scheme: A Successful Test. In: Rodrigues, R., Papakonstantinou, V. (eds) Privacy and Data Protection Seals. Information Technology and Law Series, vol 28. T.M.C. Asser Press, The Hague. https://doi.org/10.1007/978-94-6265-228-6_4


  • DOI: https://doi.org/10.1007/978-94-6265-228-6_4


  • Publisher Name: T.M.C. Asser Press, The Hague

  • Print ISBN: 978-94-6265-227-9

  • Online ISBN: 978-94-6265-228-6

  • eBook Packages: Law and Criminology (R0)
