On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies. In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags which are so small they can be injected into the human body. The CNIL mentions RFID tags used to trace Alzheimer patients, which the CNIL considers would satisfy the proportionality test set forth in French law. Other tags, such as an RFID tag injected under the skin which permits nightclub users to pay for their drinks, are more problematic.
The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.” Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them. The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design. The same recommendation applies to security associated with these devices. In fact, the CNIL emphasizes the security risks of potential viruses or malware which could be introduced into nanotechnologies so as to permit them to be used for improper purposes. To prevent such, the CNIL recommends integrating security by design in nanotechnologies in a multi-disciplinary and cooperative approach.
The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous.
In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase. The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.
In conclusion, the CNIL’s consultation document regarding nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bio-ethic issues, undoubtedly due to the fact that many of the nanotechnology applications will somehow be linked to the human body, which obviously raises significant privacy issues.
The CNIL’s paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.