By Pascale Gelly and Elisabeth Quillatre

CNIL annual report 2008

The French data protection authority (CNIL) issued its 29th annual report on May 13. The 2008 report outlines the key topics addressed by the authority last year, such as peer-to-peer, video surveillance, processing activities around fraud, the G29 presidency, and more. The CNIL also presented data protection challenges, wondering whether privacy is an endangered sphere; how to best protect and assist businesses, considering whether there should be no limit to European and international police cooperation, and whether surveillance of vulnerable people is justified. The authority also stressed its role in assisting businesses facing e-discovery requests.

The CNIL increased its staff resources to 120 last year and hopes for 132 staff members by the end of 2009.

In 2009, the authority wants to work on its financing sources, and is very much in favor of having businesses that process personal data contribute to its funding.

The authority received 4,244 claims and completed 218 investigations in 2008, a 33 percent increase over the previous year. Twenty-five percent of investigations resulted from individuals’ claims. The CNIL issued 126 injunction letters to infringers. Most infringements have been resolved since only 10 entities were sanctioned (from mere warnings, to up to 30.000-Euro fines).

The report states that onsite investigations will remain a priority in 2009.

In addition, 3,679 organizations have appointed data protection officials (correspondants à la protection des données personnelles) leading to a total number of 989 DPOs, some being shared resources.

Intelligent advertising screens under CNIL’s authority

The CNIL conducted an onsite investigation of “intelligent” advertising LCD screens managed by the RATP (Paris public transportation company) and installed in one of the most frequented Paris subway stations at the beginning of this year. (See April 2009 Privacy Advisor, Global Privacy Dispatches, “Behavioral video surveillance in the Paris subway.”)

These “intelligent” devices broadcast ads and measure audience reaction via closed-circuit television (CCTV) cameras, enabling them to count the number of people stopping by and to calculate the time people spend looking at the ads.

During its investigation, the CNIL found that only statistical data were processed, and that images were neither recorded nor transferred to third parties, nor seen by providers.

Yet, the CNIL believes that this activity could be considered as processing of personal data, therefore subject to data protection law. The mere fact that statistics are issued after analyzing images of citizens’ identifiable faces, which are considered personal data under the European Directive 95-46-EC, supports this.

Thus, the CNIL considers itself competent to assess the legitimacy of these audience-measurement devices, as well as to assess the relevance of the data collected and to ensure that the rights of data subjects are guaranteed.

Data transfer: a faster authorization process will come

The law “simplification and clarification of the law; simplification of procedures” has finally been passed.

Previously, the CNIL individually examined requests for transfer authorizations during plenary sessions and authorized them by an express deliberation.

With this new law, the CNIL now gives its president the authority to authorize data transfers outside the European Union. The CNIL hopes this fast-track process will be used for routine types of data transfers.

Additionally, this new law lets the CNIL publish its opinion on bills at the request of the president of one of the Parliament’s permanent committees. It also simplifies the CNIL process to deliver a quality label for products and procedures intended to protect individuals’ privacy.
For more on this law, see the Privacy Advisor, March 2009, Global Privacy Dispatch article “Hope for a fast(er) data transfer authorization process.”

Online store sanctioned for spam

CDiscount, one of Europe’s most successful online discount retailers, has been sanctioned by the CNIL for non-compliance with a data subject’s right to object to the use of personal data for direct marketing purposes.

According to Article 38 of the French Data Protection Act, any natural person “is entitled to object, at no cost to himself, to the use of the data relating to him for purposes of canvassing, in particular for commercial ends, by the controller of a current or a further data processing.”
After failed attempts to unsubscribe from CDiscount mailing lists using the opt-out means provided by this data controller, several Internet users filed complaints with the CNIL. CDiscount claimed that technical problems with its software module were to blame, and that those problems had been resolved. Yet the CNIL continued receiving claims from Internet users who tried unsubscribing not only by clicking on the link, but also by e-mail, postal mail, and via a surcharged phone number, in vain. The CNIL then sent a formal notice to CDiscount. The notice went unanswered. The company said it was not delivered to the appropriate person in the company.

As a consequence, the CNIL imposed a e30.000 fine, stating that the Internet users’ requests were unfulfilled.

The CNIL acknowledged CDiscount’s commitment to appointing a data protection correspondent.

HADOPI

A High Authority for the distribution of works and the protection of rights on the Internet was created by the so-called HADOPI law, passed by the Senate on May 13.

One of its missions is to protect copyrighted works from infringement committed over electronic communications networks.

It is entitled by law to obtain the data retained and processed by operators, as well as the identity and contact details of subscribers whose network access has been used to reproduce or provide protected works without authorization.

In case of infringement, the subscriber may receive a warning letter through the ISP. In case of a repeat infringement within six months, the commission may send a second recommendation. If another infringement takes place within the year following the last letter, then after contradictory proceedings, the commission may request the suspension of the network access (two months to a year) or issue an official injunction to prevent repeated infringements, unless a settlement is found with the subscriber.

Secondary legislation is necessary before this HADOPI law can be implemented in order to address, in particular, the means of appeal and the specificities of the data processing the High Authority may carry out.

This HADOPI law has given rise to controversies. Therefore, it is no surprise that this test is now challenged before the constitutional court.

Pascale Gelly and Elisabeth Quillatre of the French law firm Cabinet Gelly can be reached at pg@pascalegelly.com.