Herrmann joined the CNPD in 2012  Photo: Guy Wolff/Maison Moderne

Appointed in September as commissioner of the national commission for data protection (CNPD), Alain Herrmann talks about the institution’s focal points heading into 2022.

How does the increasing importance of GDPR and data protection translate into the work you’re doing?

A.H.: The GDPR introduces… accountability, so it means that companies have to make their own decisions about comply[ing] with the GDPR... There is also a wish on [the] European level to develop data sovereignty, based on the values of Europe, data protection [being] one of the big ones, and which really concerns when you process data because you already process quite quickly personal data. Companies had to be forced, I would say, to comply with those elements. So, of course, it raises the knowledge [and] interest on the topic; there are more professionals in this domain.

One other element, maybe a bit more negative, [which] also pushed the interest to data protection is now our power to investigate and to maybe give some fines depending on the investigations. This also moves companies, even if I think that it’s not something that should move a company. The first purpose would be to respect data protection rules… If you set up your process, programmes, services by respecting those rules, it can create value also for these services, create trust…

Something I worked on before I was commissioner, and I will continue now, is certification… we are very [close] to be able to adopt a certification scheme under GDPR, and we would be the first ones doing this in Europe. If everything [goes] well, we should be able to have this in the first trimester of next year.

The codes of conduct are another kind of tools. In Luxembourg, they have to be developed by the sectors themselves… I will also push to promote these kinds of tools [that] are recognised by the CNPD to help companies to comply…

Could you give me a snapshot on the breaches notified to the CNPD this year?

We have between 30 and 35 notifications of data breach a month--quite stable since the GDPR entered into force. Not all data breaches have to be notified, only the [ones] where there is a risk or high risk for the data subjects… A bit more than 60% of the breaches are linked to user mistakes. About 25% of them are breaches linked to hacking. Often, people who have access to financial data, or to the possibility to perform payments, are targets.

There was a record issuance of fines in 2021 [including a €746m fine for Amazon]. Do you envision a stricter agenda heading into 2022?

Well, that’s a question I cannot answer personally… What I can say is that we will continue business as usual for the moment… There are several factors that could trigger an investigation. If you receive a complaint, it could trigger an investigation--it doesn’t mean that, if we received a complaint, there is an investigation… Or if we receive a group of complaints for a specific company, this could also trigger an investigation. We can choose to perform a campaign on a specific topic, which was already done by the CNPD in the last years. And also, as commissioners, we can propose to open an investigation for a specific matter or company, if there’s a need to do it.

Could you talk about some of the challenges that are coming for the CNPD? Linked to AI, for example?

Of course, there [are] a lot of new regulations that are coming… you mentioned AI regulation, there are all these data governance and the [Digital] Services Act and [Digital] Markets Act. Indeed, all these regulations will generate a lot of new potential missions for us [and increase] the work we have…

This article first appeared in the December 2021 edition of .