Privacy Advisor

Global Privacy Dispatches- France- CNIL Annual Report

July 1, 2008

By Pascale Gelly

CNIL Issues its Annual Report

In 2007, the number of complaints received by the CNIL increased by 25 percent to 4,455. The areas in which most complaints were filed include: credit-banking, direct marketing, employment and telecommunications.

The CNIL issued 214 authorizations and rejected 26 applications for authorizations for so-called "sensitive data processing activities," which are subject to CNIL prior authorization. It also issued 1,682 authorizations for transfers of data outside the European Union.
The report emphasizes that 2,438 entities have appointed a data protection correspondent (80 percent in the private sector). This is an interesting trend, considering the number of correspondents (CIL) in 2006 was only 650.

CNIL President Alex Türk pointed out the particular effort on behalf of the French government, which agreed to increase the budget in 2008 and to appoint 15 new employees.
Even if the budget of the CNIL increased in 2008 (11.4 million euros as opposed to 9.9 millions euros in 2007), during a press conference on the annual report Alex Türk expressed his wish for CNIL's independence from government subsidies. He proposed that each company, administration or local community that processes personal data provide a 50-60 euro yearly contribution to the CNIL. This financing system stems from the UK, where 600,000-700,000 contributors pay yearly fees. Türk foresees a budget of 20-22 million euros, which would ease CNIL activities and the creation of regional offices.

CNIL Enforcement Actions in 2007

The CNIL conducted 164 onsite investigations in 2007, 40 percent of which resulted from individual claims. They mainly targeted areas such as biometrics, CCTV, and human resources management databases.

In most cases, the CNIL did not issue sanctions. Still, nine companies were ordered to pay fines ranging from 5,000 to 50,000 euros. Mostly banks, telecom operators, Internet Web sites and debtors searching companies were sanctioned by the CNIL. The CNIL also published in its report a list of the companies controlled by sectors.

Apart from sanctions, the CNIL issued 101 formal notices and five warnings. It also referred five cases to the public prosecutor.

Data Privacy Written Into the French Constitution?
During his annual report press conference, CNIL President Alex Türk indicated a strong wish to introduce data protection rights in the preamble of the French Constitution, as is the case in 13 of the 27 European Union Member States. Mr. Türk justified his proposal by pointing out the worrying generalization of mechanisms tracking individuals' every move, from wake up until bed time.

Unsolicited Commercial Fax: 5,000 Euros Fine

The CNIL fined a fabric company for sending thousands of commercial ads by fax. Despite individuals' requests to have their names deleted from the company's database, the company continued their aggressive campaign. The company argued that technical problems prevented them from complying with the requests. This did not move the CNIL, which viewed it as an acknowledgement of poor implementation of the data protection law. It is to be reminded that consent of individuals is required in France prior to sending marketing faxes.

Anti-theft Devices for Newborn Babies
Several maternity hospitals have implemented a system for attaching electronic bracelets onto babies' ankles in order to prevent kidnappings. Reviewing these devices in light of data protection principles, the CNIL, although understanding of parents' concerns, raised the issue of their proportionality with regard to the risks at stake. The CNIL fears that legitimizing these systems by putting forward the babies' vulnerability could lead our societies to expand such systems to other stages of children's lives, such as kindergarten and schools, which would subject any human being from their earliest age to constant tracking.

Because of the difficulty of the issues raised by these new devices, also contemplated for elderly people, the CNIL has created a working group to think of the implications of electronic watching devices for vulnerable persons.

This topic will also be addressed by the other European DPAs in particular during the thirtieth worldwide conference of data protection commissioners to be held in Strasbourg in October.

Archives of Google Groups
A woman using Google groups services, such as Usenet discussions, sued both Google Inc. USA and Google France because her contributions dating back to 1998 were still available through searches on Google tools. She has tried to obtain their removal by Google but she considered that the device made available online was not deleting all of her contributions. She claimed the application of the French data protection law, including non compliance, with her objection right.

The court of first instance, in an emergency proceeding, concluded that Google France was not involved in the delivery of the services at stake, which were provided by Google Inc., and that the applicable law was the law of the State of California, where the messages are archived. The fact that California's constitution includes the protection of privacy in its section 1.1 played an important role in the decision, as the court considered that it was not obvious that the fundamental values of French law would be compromised by the application of a foreign regulation.

Pascale Gelly is a partner at Cabinet Gelly. She may be reached at pg@pascalegelly.com.