2017
THE CNIL IN A NUTSHELL
Protect personal data. Accompany innovations. Preserve civil liberties.
www.cnil.fr
THE CNIL IN 2016

ADVISING AND REGULATING
3 078 adopted decisions and deliberations, of which:
- 190 authorisations
- 145 requests for an opinion
- 1 976 transfer authorisations
- 54 000 simplified formalities
The CNIL supports the development of new technologies on a daily basis and takes part in the construction of a digital ethic.

ACCOMPANYING COMPLIANCE
- 102 629 formality files
- 14 734 declarations processed regarding video surveillance systems
- 7 370 declarations processed regarding geolocation devices
- 316 biometric system authorisations
- 97 privacy seals delivered
- 17 725 organisations have appointed a data protection officer

PROTECTING CITIZENS
- 7 703 complaints, of which 33 % relate to prospecting
- 410 complaints following the refusal of a request to be de-listed by search engines
- 4 379 requests for access to police files, surveillance files, FICOBA, etc.

INVESTIGATING
- 430 investigations, of which 100 online investigations
- 94 investigations regarding video surveillance
- 7 909 inspections carried out

RENDERING ORDERS AND ISSUING SANCTIONS
- 82 orders rendered
- 13 sanctions issued: 9 warnings, 4 financial sanctions

THE CNIL WORKFORCE
195 jobs: 63 % female, 37 % male
WHAT IS PERSONAL DATA?
Personal data is any information relating to a natural person who may, directly or indirectly, be identified, whether by an identification number (e.g. a social security number) or by one or more elements which are unique to that individual (e.g. first name and surname, date of birth, biometric elements, fingerprints, DNA, etc.).

STATUS & COMPOSITION
AN INDEPENDENT ADMINISTRATIVE AUTHORITY
Created in 1978, the CNIL is an independent administrative authority that exercises its functions in accordance with the French Data Protection Act dated 6th January 1978, amended on 6th August 2004. The CNIL's independence is guaranteed by its composition and its organisation. The eighteen members that form the commission are for the most part elected by the assemblies or jurisdictions to which they belong. The CNIL elects a Chair among its members and does not receive any instructions from any other authority. Isabelle Falque-Pierrotin, State council member, has been Chair of the CNIL since 2011. The CNIL's services are made up of 195 contract agents.

The eighteen commissioners are:
- 4 parliamentarians (2 assembly members, 2 senators);
- 2 members of the French Economic, Social and Environmental Council;
- 6 representatives of high jurisdictions (2 State council members, 2 members of the Court of cassation, 2 members of the Court of Audits);
- 5 qualified experts appointed by the President of the National Assembly (1 expert), the President of the Senate (1 expert) and the French Cabinet (3 experts);
- the Chairman of the Freedom of Information Commission (CADA, Commission d'accès aux documents administratifs).
The mandate of the commissioners is for 5 years or, for parliamentarians, for a term identical to that of their parliamentary mandate.

FUNCTIONING
PLENARY SESSIONS
The members of the CNIL hold a plenary session once a week according to an agenda set by the Chair.
A substantial part of these sessions is dedicated to the review of draft legislation and decrees submitted by the government for an official CNIL opinion. In addition, the CNIL also authorises highly sensitive processing operations, including those requiring the use of biometrics. It also analyses the consequences of new technologies on citizens' private lives.

RESTRICTED COMMITTEE
The CNIL's restricted committee includes 5 members and a Chairman separate from the Chair of the CNIL. This committee can impose various sanctions on data controllers who do not respect the law. Financial sanctions can reach up to 3 million euros. These financial sanctions can be made public.
INFORMING, EDUCATING
The CNIL has the general mission of informing individuals of the rights afforded to them by the French Data Protection Act. The CNIL responds to requests made by individuals and companies alike. In 2016, it received more than 166,500 phone calls. The CNIL leads communication campaigns which target the general public by means of the press, its website, its presence on social networks and the learning resources it provides. As well as being directly consulted by many organisations, companies and institutions for the purposes of conducting awareness campaigns and training programmes on the Data Protection Act, the CNIL also takes part in conferences, trade shows and workshops in order to inform and be informed. It brings together a collective of over 60 organisations which run campaigns in favour of educating the public about digital technologies.

PROTECTING CITIZENS' RIGHTS
Any individual can contact the CNIL upon experiencing difficulties in exercising their data protection rights. The CNIL ensures that citizens can effectively access their data contained in any processing operation. In 2016, the CNIL received 7,703 complaints, concerning in particular:
- e-reputation (requests for the removal of internet content);
- commerce (objections to receiving email marketing);
- human resources (supervision mechanisms: video surveillance, geolocation of vehicles);
- banks and loans (contesting registration within the files of the Banque de France).
The "Need help?" service is available on cnil.fr. It offers 500 useful questions and answers as well as the opportunity to submit a request (over 12,000 requests were received in 2016).

WHAT ARE YOUR RIGHTS?
The right of access: you may ask the data controller directly whether they hold information on you, and request that they disclose all of this data to you.
The right to request rectification: you may request the rectification of incorrect details about yourself. The right to request rectification complements the right of access.
The right to object: you may object to the filing of your data on legitimate grounds. You may also object to the distribution, transmission or storage of your data.
The right to be de-listed: you may request that a search engine de-list a website associated with your first name and surname.
The right of access to police files, surveillance files, FICOBA, etc.: when it is not possible for you to request access to your data directly from the police, surveillance services or the tax authorities, the right of access is exercised indirectly through the CNIL.
ADVISING AND REGULATING
Various tools are used to regulate personal data:
- authorisations for the implementation of sensitive data processing;
- official opinions on the government's draft legislation involving data protection or the creation of new files;
- legal frameworks setting out good practices in certain domains;
- recommendations allowing the CNIL to set out its doctrine in different domains;
- requests for advice from data controllers, in increasing numbers, notably through the medium of data protection officers.

ACCOMPANYING COMPLIANCE
The objective is to propose a compliance toolbox by using the different means of action at the CNIL's disposal:
- data protection officers (Correspondants Informatique et Libertés), who form the authoritative network of experts;
- development of privacy seals and BCRs (Binding Corporate Rules), which govern the transfer of personal data within multinational companies outside the European Union;
- the creation of compliance packages, which are sector-based reference models covering an entire sector or professional branch.

The activity report for 2016 demonstrates a sharp increase in activity in comparison with the previous year, with 3 078 adopted decisions and deliberations.

Privacy Seals
The CNIL is able to deliver privacy seals for products or procedures which deal with the protection of personal data. The CNIL privacy seal allows a company to set itself apart from others by the quality of its services. For users, it is a confidence indicator for certified products, procedures and organisations, which allows them to identify and favour organisations that guarantee a high level of protection for their personal data.

Registered data protection officers
18,000 organisations have already appointed officers, of which there are 5,000. Their role as compliance managers is established by the European regulation.
The appointment of a data protection officer (DPO) will be mandatory for numerous organisations, and particularly public bodies, from May 2018. The WP29 guidelines (WP29 being the group of European data protection authorities) specify the criteria set out by the regulation for this new officer function. The CNIL helps DPOs to prepare for the changes in their role through dedicated tools: a "become an officer" section on cnil.fr and new information workshops.
ANTICIPATING
Within the framework of its innovation and foresight activities, the CNIL strives to combine two objectives: taking into consideration, at a very early stage, new subjects such as trends, technologies or upcoming uses for data; and assessing case studies and analyses through innovative projects and tools.

LINC
A new medium dedicated to digital innovation
In order to contribute to discussions on digital technologies, the CNIL launched LINC, the Laboratoire d'Innovation Numérique de la CNIL (CNIL Laboratory for Digital Innovation). Insights and forward thinking, sharing and experimenting are at the heart of this editorial space.

INSPECTING AND SANCTIONING
Ex-post investigations are considered to be a favoured method of intervention with regard to personal data controllers. They allow the CNIL to ensure the concrete implementation of the law. The investigations programme is established according to current events and core issues (current events, new technologies) which are brought before the CNIL.

Following investigations or complaints, the CNIL's restricted committee (composed of 5 members and a Chairman separate from the CNIL's Chair) can issue various sanctions, which include:
- a warning, which can be made public.
If the Chair of the CNIL has already rendered an order and the data controller did not conform to said order, the restricted committee, through adversarial proceedings, may issue:
- a financial sanction (except for Government data processing) up to a maximum of 3 million euros. This sanction can be made public; moreover, the restricted committee can also demand that the sanction be published in the press at the cost of the sanctioned organisation. The total amount paid under such sanctions is collected by the Public Treasury and not by the CNIL;
- a cease-and-desist injunction on data processing;
- a withdrawal of the prior authorisation given by the CNIL.
The laboratory
The CNIL created, within its walls, a laboratory with dedicated IT resources for the testing and experimentation of innovative products and applications. Through this laboratory, it is possible to obtain products as far ahead of their commercialisation as possible, in order to test their functions and evaluate their potential impact on the protection of privacy. In keeping with privacy by design, the CNIL intends to reinforce its consulting role for companies with regard to the integration of personal data protection requirements within their technological development processes. Finally, the CNIL aims to contribute to the development of technological solutions that protect citizens' private lives.

ETHICS AND DIGITAL TECHNOLOGY
A new mission for the CNIL
Since 2016, legislation has entrusted the CNIL with the mission of giving further thought to the ethical issues arising from the evolution of digital technologies. In 2017, the CNIL has decided to concentrate its thoughts on algorithms and artificial intelligence by calling on concerned parties to organise public debates, workshops or meetings. 30 partners participate in this CNIL initiative.

The Foresight Committee
Comprised of 15 members from outside the CNIL, this committee strives to stimulate the CNIL's discussions on societal and ethical issues regarding digital technologies, in order to better grasp their impact on the rights and freedoms of citizens. It is a constructive space for exchanges. In 2017, it will notably study the place of citizens in a Smart City.
THE EUROPEAN REGULATION
The European regulation on general data protection was published on 4th May 2016. It shall provide for Europe's adaptation to the new realities of digital technology and be applicable from 25th May 2018 in all European Union countries. It reinforces European citizens' rights and gives them more control over their personal data. It also simplifies formalities for companies and provides them with a unified framework.

The reform of data protection rules has three objectives:
- reinforcing citizens' rights, particularly by creating a right to data portability and provisions specific to minors;
- holding those responsible for data protection accountable (data controllers and data processors);
- lending credibility to regulation through reinforced cooperation between data protection authorities, who will notably be able to make joint decisions regarding transnational data processing and issue reinforced sanctions.

What will change for professionals
While organisations' requirements under the French Data Protection Act rest primarily on prior formalities (declaration, authorisation), the European regulation on general data protection is based on accountability and transparency. This concept of accountability translates into:
- taking data protection into account, by default, right from the design of a service or a product;
- implementing an organisation, measures and tools, in-house, which guarantee optimal protection of the individuals whose data is being processed.

In practice, organisations will need to:
- conduct an inventory of any data processing carried out;
- assess practices and implement procedures (notification of data protection breaches, management of claims and complaints, etc.);
- identify the risks associated with data processing operations and take the necessary measures to prevent their occurrence;
- maintain documentation ensuring the traceability of the measures taken.
New tools for compliance
From an operational viewpoint, compliance with the European regulation rests on various tools:
- processing records and internal documentation;
- Privacy Impact Assessments (PIA) for processing presenting a risk;
- the notification of data protection breaches.
Implementation of these tools implies, in advance, the appointment of an internal manager: the data protection officer, a true conductor of data protection within the organisation. Beyond this, the principle of accountability must translate into a change in internal culture and mobilise internal or external skills (CIOs, providers, legal services, trade services). To assist organisations in this coordination, the CNIL offers a dedicated section, a method and tools to prepare for the regulation in 6 steps. This allows organisations to ensure that they have anticipated and implemented the essential measures necessary in order to be ready in 2018.

What will change for private individuals
The European regulation consolidates the central role of the individual and reinforces the individual's control over his or her data. It shall apply as soon as a European resident is substantially affected by data processing. Global players will therefore be subject to European law if they offer a product or service to a European citizen, even remotely. This criterion, called targeting, represents a significant evolution: henceforth, the territoriality of European data protection law is built around the individual, and no longer solely around a company's place of establishment.

The regulation recognises the right of individuals to:
- clearer and more accessible information;
- reinforced protection of children, by obtaining parents' consent;
- a new right to data portability, which allows individuals to retrieve their data in an easily reusable form and then transfer that data to a third party;
- compensation for material or moral damage, particularly as part of group actions.
FRANCOPHONE COUNTRIES
For about ten years, the CNIL has been engaged in a campaign to promote data protection within francophone countries. These actions led to the creation of the Association Francophone des Autorités de Protection des Données Personnelles (Association of Francophone Data Protection Authorities) in 2007, in partnership with the International Organisation of La Francophonie (OIF), and have brought about the adoption of legislation on the right to privacy in francophone countries such as Burkina Faso, Tunisia, Morocco, Madagascar and Mali. In 2016, 59 Francophone countries out of 84 had legislation on data protection and 51 had appointed a data protection authority.

WP29
Since February 2014, the CNIL's Chair has presided over WP29, the working party which brings together the 28 European data protection authorities. In particular, the working party develops the guidelines which unify and clarify the interpretation of the regulation's essential provisions.
CONTACT THE CNIL
Commission Nationale de l'Informatique et des Libertés
3 place de Fontenoy
TSA 80715
75334 PARIS CEDEX 07
FRANCE
Tel. +33 (0)1 53 73 22 22
Fax +33 (0)1 53 73 22 00
www.cnil.fr
www.educnum.fr
http://linc.cnil.fr
https://twitter.com/cnil
https://fr-fr.facebook.com/cnil/
https://fr.linkedin.com/
AGENCE LINÉAL - 03 20 41 40 76