The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.
2010 was a year of evolution for the French data protection authority, the Commission Nationale de l’Informatique et des Libertés ("CNIL"), and 2011 promises to bring further changes. Procedural changes came with a new online platform for completing formalities, which seems to bring a much-needed improvement in file-handling times. Policy developments also resulted from the adoption of guidance documents for data controllers on data security and from the amendment of the general authorization covering certain whistleblowing systems, which, although it was needed, could be regarded as slightly disappointing.
In France, 2010 also saw privacy invite itself into the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high-profile cases such as the Google StreetView controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.
The review of the past year also allows us to anticipate some of the CNIL’s points of focus for 2011. Firstly, the evolution of technologies will still be at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data, and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implementation of a major project: certification labels for products and services, which could become an important and discriminating factor in attracting customers in the short and long term.
Evolution of formalities
In 2010, the CNIL decided to take a sharp turn in the management of the formalities with which any data controller has to comply in France. Unless a limited number of exceptions apply, any processing of personal data must either be declared to or authorized by the CNIL.
Until 2010, all such formalities had to be completed by submitting hard-copy paper files. This system changed when the CNIL introduced new notification and request-for-authorization forms, which were also made available for electronic filing. The CNIL has clearly taken a turn towards increased dematerialization of formalities, with the obvious objective of reducing notifications or requests for authorization in paper format to a minimum.
While filings on paper are still possible, they are clearly not encouraged, and the handling times for paper-submitted formalities now appear much longer than those for documentation submitted through the CNIL online interface.
The new forms which now have to be used have not fundamentally changed the obligations imposed on data controllers. However, a couple of their features should be pointed out.
Firstly, the new form for the notification of a processing is a simplified version of the previous one. In this respect, it no longer requires the listing of the exact types of data actually processed by the data controller (even though general categories of data still have to be listed). This modification, however, calls for greater attention from data controllers internally to ensure that they do know the extent of their processing.
The second feature worth mentioning concerns the data controller’s undertakings. Now, when submitting its notification or request for authorization, the data controller has to certify, by ticking a box, that "the processing is conducted in accordance with the requirements" of French data protection legislation. This new wording potentially puts a greater level of liability on the data controller to ensure that, at all times, the processing is fully compliant with French law.
Finally, it should be underlined that practice to date has revealed that use of the online system offers greater responsiveness in the management of files, and especially of requests for authorization. Such progress can only be welcomed.
Recommendation on security measures
Even though it mentions the obligation for data controllers to implement appropriate technical and organizational security measures for the protection of personal data, French legislation does not provide for any instrument setting out a specific framework defining which measures are deemed appropriate (as opposed, for instance, to Italy).
Fully aware of this void, the CNIL had already issued recommendations regarding security measures relating to health data or electronic voting. In order to further address this situation, the CNIL issued a "Guide on security" in October 2010.
This guide, divided into 17 sections, addresses various issues in the field of security, ranging from the management of outsourcing to maintenance, archiving, anonymization and encryption.
The CNIL’s "Guide on security" should therefore progressively become a tool used to set a minimum standard for technical and organizational security measures required for the implementation of any processing of personal data subject to French law.
It should also be noted, in the same vein, that the CNIL adopted a working document on the issues potentially associated with the outsourcing of processing of data outside the European Union.
Modification of the whistleblowing general authorization
In 2005, the CNIL had adopted a general authorization for the implementation of whistleblowing systems in France. Indeed, given the potential risks the CNIL perceives as associated with whistleblowing systems, French law requires that such systems be subject to prior authorization by the CNIL. To address the majority of systems implemented by French companies in order to comply with the requirements of the Sarbanes-Oxley Act, the CNIL had issued a general authorization whereby all whistleblowing systems complying with its requirements were pre-authorized and only subject to the filing of a mere undertaking of compliance.
The general authorization only covered systems allowing the reporting of alleged misconduct in the fields of accounting, finance and banking. Due to an ambiguous paragraph included in the original version of the general authorization, it was however thought that, in cases where the vital interests of the company were at stake, the whistleblowing systems covered by the general authorization could also be used. However, in 2009, the French Supreme Court rejected this analysis and considered the terms of the general authorization as being restricted to the three main fields mentioned above.
In order to clarify this ambiguous situation and align with the position of the French Supreme Court, the CNIL revised, late in 2010, the terms of the original general authorization.
The new amended version of the general authorization (in French) now encompasses whistleblowing systems implemented for the reporting of potential breaches of accounting, auditing and banking rules, but also those intended to be used to fight against corruption. In addition, the CNIL deleted the misleading section which previously made reference to the potential protection of the vital interests of the company.
As previously, all other whistleblowing systems (having wider or different scopes, etc.) will still have to be individually authorized by the CNIL.
One can regret that the CNIL decided to opt for a conservative road and therefore to expressly and strictly limit the scope of the general authorization as described above. Given both the already existing limitations on such systems (requirement of subsidiarity, limitations on anonymity, etc.) and the practice of whistleblowing systems in France, one could have hoped that the CNIL would have broadened the scope of the general authorization to the protection of certain vital interests of the company or to legally sanctioned misconduct (e.g. discrimination, harassment, etc.).
Development of processes involving biometric data
Use of biometric systems is increasing noticeably in France, and the CNIL’s activity clearly reflects this trend. This has been evidenced by decisions involving both the use of fingerprints and palm-vein or finger-vein technology.
The use of fingerprints was approved by the CNIL in February 2010 in the context of the provision of medical treatment. More specifically, the technology was used in connection with patients treated by radiotherapy in a hospital located in the north of France. The system was deemed acceptable in consideration of a number of factors. First, the CNIL noted the potential public health considerations connected with the potential misadministration of radiotherapy treatments. Indeed, the system is intended to identify patients to ensure that they receive the radiotherapy treatment required and thus avoid medical errors. In addition, amongst the relevant elements for evaluating the appropriateness of the system, the CNIL mentioned the fact that use of the system was subject to the prior informed consent of the data subject and that the biometric data was retained solely for the period of the treatment.
Another interesting element was the fact that the CNIL noted that palm-vein or finger-vein technology could not be used in this specific case due to the alterations caused by the radiotherapy treatment.
This information is all the more relevant since the CNIL seems to be inclined to favour palm-vein or finger-vein technology over fingerprints or other biometric systems. The CNIL refers to these new biometric technologies as "no-touch" biometrics and considers that they raise fewer issues than older systems: such technologies do not involve "exterior" attributes of the data subject and cannot be collected without the data subject’s knowledge (as opposed to fingerprints, which can be collected without the data subject’s knowledge from any object he or she touches).
This favourable analysis was evidenced in April 2010 by the CNIL’s authorization of a payment system using finger-vein technology in connection with a no-contact payment card.
It should be noted that in both cases of biometric technology mentioned above, the CNIL only granted authorizations for experimental deployments, for 1 year and 6 months respectively. Nevertheless, this underlines the possibilities offered to providers and users of biometric technologies in France, provided, naturally, that appropriate security measures are implemented.
Controls, sanctions and case-law
In 2010, the CNIL continued to develop the exercise of its control and sanction powers, as previously announced.
In this respect, it showcased the variety of its powers by imposing, for instance:
- a warning, published on its website, on the leading provider of tuition services in France on account of illegitimate and "excessive" comments found in its client database;
- the immediate and urgent suspension of a video-surveillance system allowing a company to constantly monitor its employees’ activities;
- the suspension of a fingerprint access control system implemented by a company which had been denied the authorization to implement the system in 2007 in the absence of any security imperative;
- a €10,000 fine on two bailiff offices which had failed to comply with the undertaking, given after an initial control conducted by the CNIL, to amend their processing of personal data;
- a €15,000 fine to a clothing retail company, which had been previously sanctioned in 2007 for similar facts, for the illicit sending of unsolicited advertising faxes.
French courts have also applied the provisions of data protection legislation. In September 2010, the Dijon Court of Appeal held the termination of an employment contract to be wrongful because the employer had failed to comply with data protection legislation. In this case, the employee had been dismissed for allegedly using the company’s car for personal purposes. To evidence this fact, the employer had installed a geolocation tracking device in the vehicle without informing the employee of this processing and without declaring it to the CNIL. Both at first instance and on appeal, the dismissal was considered wrongful. In addition, the Court of Appeal ordered the employer to pay €1,000 in damages to the employee for "unfair performance of the employment contract".
On the other hand, it should also be mentioned that, late in 2010, the dismissal of an employee was found to be legitimate when grounded on the fact that said employee had posted derogatory comments about his employers and hierarchy on his Facebook wall. The posts being accessible to all on the person’s Facebook profile, the Employment Tribunal did not consider that they should have been treated as private correspondence.
Finally, it should also be mentioned that the CNIL exercised its control powers in the wake of the collection of personal information by Google StreetView vehicles. Further to the disclosure of this collection by Google on 14 May, the CNIL conducted an onsite control on 19 May. In the absence of satisfactory answers, on 26 May the CNIL ordered Google to provide, within 7 days, all relevant and specific information regarding the data collected. This request was then met by Google on 4 June 2010. The CNIL’s investigations on this matter have still not been closed to date.
Certification labels: one of CNIL’s top priorities for 2011
When modified in 2004, French data protection legislation provided for the possibility for the CNIL to award labels to products or procedures aimed at ensuring protection of personal data.
Due to procedural impediments (the required implementing decree was never adopted), this power was never effectively used. However, thanks to the passing of a new law in 2009, the CNIL can now fully exercise this power and intends to make the definition of the criteria and the award of the first labels one of its main topics for 2011.
The CNIL intended to have the first labels awarded to training and auditing services in the first quarter of 2011. It seems that keeping to this calendar will be extremely difficult for the CNIL. Indeed, even though consultations on the matter with training and auditing service providers have started, the final version of the methodology, content and format of the services eligible for labels has not been communicated yet.
In a second step, the CNIL intends to award its labels to software providing a satisfactory degree of protection to personal data.
The development of these certification labels will therefore be one of the main topics to follow over the coming year in France. This new project could become of interest for companies in the longer run. Indeed, with increased awareness of data protection and privacy requirements among the general public, a product or service enjoying the benefit of a CNIL certification label might gain a competitive advantage over others.