On 28 May, the Monegasque Association of Financial Activities (AMAF) hosted Mr. Guy Magnan, Chairman of the Commission de Contrôle des Informations Nominatives (CCIN) (the Data Protection Authority of Monaco). It was an opportunity to enlighten the financial centre on the Commission’s role as regards attractiveness.
Can you clarify the CCIN’s task for us?
Our task, in compliance with the law, is to verify and ensure the protection and use of personal data, check their legality, and thereby ensure strict respect for individual privacy.
Our assignments also lead us naturally to be close to public and private organizations which use these data.
Today, the economic and social dimension of our area of competence is at the heart of our common concerns.
Computers and electronic communications technology are now part of all aspects of our private and professional life.
They are essential to the work and economic development of all countries, and Monaco already has undeniable strengths in this area.
In this respect we can count on skilled and recognised economic players present in our country.
You mention your inspection and verification role. Does that not lead to hesitation – or even mistrust – by some local institutions?
Nationally, I attach particular importance to continuing, establishing or re-establishing an ongoing dialogue with Monaco’s various institutions.
This allows the sharing of knowledge and a global vision of issues which raise questions in interaction with data protection.
While the CCIN’s often legal approach to law no. 1165 of 23 December 1993, as amended, is a prerequisite to any reflection, it requires social, economic and cultural analysis of the issues submitted to it.
So you assist institutions in understanding the law
The new Commission I preside over is motivated by an approach marked by prevention, education and dialogue with all data controllers in both the public and private sectors.
This exchange dimension also seems essential to a Commission which fully assesses the task it faces and the plurality of objectives to be reconciled. The Commission shows pragmatism.
However, that pragmatism should not lead to a reorientation of data protection standards.
All public and private sectors are very concerned with Monaco’s attractiveness; how can a control body be part of that attractiveness?
We are fully aware of the CCIN’s role in Monaco’s attractiveness through allowing new investors to establish their business there competitively.
Internationally, the Principality of Monaco has enough potential to affirm the recognition of an adequate protection level, which would have a dual benefit: data transferred to Monaco would be handled in accordance with equivalent guarantees to those imposed in Europe, and communication of data to countries outside Monaco would also be carried out in accordance with those same guarantees.
In summer 2012, Working Party 29 of the European Commission gave its favourable opinion on this recognition, highlighting some recommendations without coming up against major obstacles. Those recommendations included strengthening the Commission’s coercive powers.
Meanwhile, the Supreme Court cancelled the CCIN’s investigative powers, depriving it of any possibility to verify the application of the law.
It is therefore imperative that the Commission be again provided with a legislative framework which allows it to perform its tasks to the full.
The question of recognition of an adequate level of protection is a competitive advantage necessary for the movement of data between European Union countries and Monaco.
Privacy and data protection are intimately linked. Can you give us an example?
We have read that Swiss vaults are now being transformed into digital safes to ensure the accommodation and safeguarding of paperless data (some have alluded to a 63% increase in the storage supply in Switzerland from 2011 and 2016).
Wherever the “secret” concept is crumbling, the “confidentiality” market is developing with dizzy levels of growth. And I do not mean only for banking data. All lifetime data are managed with the same care as financial data, and while that parallel may seem conceptually audacious, the areas of integrity and safeguarding of genetic data and financial data demand equally high requirements.
Without recognition of an adequate protection level, Monegasque players are now being penalised in the development of the digital market and they will be further penalised in the future.
What is the CCIN’s relationship with the AMAF?
As regards more specifically the work already initiated by the CCIN and AMAF, I can only welcome the dialogue which they have developed and their will to move forward on common issues in banking law and data protection.
On the Bloomberg problems, these exchanges have helped lead to a consensus which has allowed the establishment of formalities incumbent on the Bloomberg company and on the banks and financial institutions involved, respectively. In this regard, the CCIN has already taken up the matter with the Bloomberg company, which has committed in a letter of intent to take the necessary prompt action.
Within banks, the compliance function is being strengthened - do you have work projects in common?
Concerning ‘breaches of compliance’, the CCIN and the AMAF are united on the need to create safeguards in order to give employees sufficient guarantees, while allowing banks to implement the processing inherent to the needs of their profession or in some cases linked to their belonging to a corporate group. In this respect, the CCIN is currently in contact with the Labour Directorate to perfect its understanding of the labour law issues which such processing is likely to generate.
As for the retention periods, the Commission is anxious to harmonise them, as far as possible. Our exchanges have established a modus operandi imbued with pragmatism and consisting in the preparation of a table listing the most common processing retention periods, in order that the AMAF may circulate it and obtain its members’ comments. This project will be drawn up as soon as possible and sent to the AMAF in order that it meet our respective needs and expectations.
This meeting was also an opportunity to discuss the proposed amendments to the provisions of law no. 1165 of 23 December 1993, which the AMAF expressed the desire to join.
In addition, I tasked the CCIN Secretary General with making the secretariat officers aware of the importance of their educational role with data controllers.
Furthermore, work to revise CCIN forms has been undertaken in order to simplify them and allow them to be filled in online eventually with optimum security and privacy.
In conclusion, could it be said that the CCIN is, and will be, a support instrument for the public and private sectors so they may better understand “the mind of the law” on data protection?
I can confirm that the CCIN is not insensitive to the needs, and in some cases wishes, of public and private sector operators in Monaco.
Every effort will be made such that the CCIN acronym no longer be associated with the term “coercion” but rather with “opportunity”.
However, this active approach of the CCIN can only be carried out with the investment of everyone, as this challenge is now the challenge of all Monaco’s data protection players, since it includes the ambitious project of the subtle symbiosis of the right to privacy (a fundamental right), economic dynamism without unnecessary barriers, and promoting virtuous technological innovation.
This project, which I believe many of us here share, will not happen without responsibility and discernment.