Privacy and Security TidBits

Privacy and Data Protection in the EU: The grass is not always greener on the other side of the pond

According to the annual report of the French Association of Data Protection Officers (AFCDP), published on 28 January 2011, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).

The AFCDP is a professional organisation that represents French privacy professionals. The AFCDP works to develop privacy best practices and to build relationships with the French National Data Protection Commission (CNIL).

Under the French Data Protection Act, an individual may request that an entity that holds personal data about him share that personal data with him. Once a request is made, the entity has two months to provide the full information to the person who made the request, free of charge. In certain circumstances, the individual may then request that the personal information be deleted or brought up to date.

The AFCDP published a second “Access Right Index”. It is intended to help French entities, both private and governmental, prepare themselves to respond to these information requests and to help educate individuals about their rights. The Index provides some insight into the manner in which entities are currently complying with the law.

To complete the study, access requests for personal data were sent to a panel of more than 220 French entities. In the Index, the AFCDP indicates which sectors were the best and worst in terms of compliance, and also provides anonymous, real examples of wrongdoing and guidance as to best practices.

Here are some results of that study:

Only 18% of the polled organisations responded in a legally satisfactory manner to information access requests.

31% did not respond within the legal time frame (two months).

51% responded within the legal time frame, but not in a legally satisfactory manner. Some responded as follows: “The requested information cannot be communicated because it is the property of the company.”

The French Data Protection Act of 2004 provided, among other things, for the creation of a Data Protection Correspondent role in public and private organizations, the Correspondants Informatique & Libertés (CIL). The appointment of a CIL is not obligatory, but it simplifies the procedures for processing personal data for the companies that do appoint one.

Even among the companies that have opted to appoint a CIL, the compliance numbers are far from satisfactory: only 40% of the polled companies with CILs responded to access requests in a law-abiding manner. For example, some of these companies sent a gift to the requesting party instead of the data. Others sent an announcement that the data had been deleted, followed by an announcement of a miraculous recovery plus a demand for a significant “recovery fee” to access the information.

The CNIL is, like so many of its counterparts in other EU member states, currently under significant pressure to cut operating expenses.

If it does not enforce the Data Protection Act, what use is it?

This very useful survey by the AFCDP illustrates that passing data protection acts alone is totally useless unless these laws actually get enforced.

And if legislation does not even guarantee significant compliance, what kind of compliance will “self-regulation” achieve?

Congress, take note!