CNIL Annual Report Shows Regulatory Interest in Connected Cars and Smart Cities
The CNIL reported that it received over 5,000 complaints in 2014 and conducted over 400 investigations, including 146 remote investigations (the CNIL has been empowered to conduct remote investigations since March 2014). It also issued 62 cease and desist letters, ordered eight monetary fines and seven warnings in 2014.
In addition, the CNIL revisited the actions it took in 2014, including the publication of "compliance packs" for certain industry sectors, such as the insurance sector (see our blog post of December 2014), the adoption of an accountability standard (see our blog post of January 2015) and the creation of a hub within the CNIL which is dedicated to BCRs.
The CNIL annual report also includes a section with topics that the CNIL intends to address in the upcoming year. For 2015, the CNIL has listed five topics which it will tackle, namely the use of personal data by online companies providing cultural content (such as books, music and videos), digital identity, mobile cameras, connected cars and "smart cities".
In relation to the last two topics, the CNIL indicated in its report that it plans to work with relevant data controllers to ensure that they receive guidance from the first implementation of their new products, so that these products comply with French data protection law.
With respect to connected cars – cars which are connected to data centers in order to enhance the car's operation, maintenance and safety as well as the convenience and comfort of drivers and passengers – the CNIL said it is aware of the strategic stakes involved in the development of connected vehicles. Consequently it wishes to contribute its expertise as part of developing the ecosystem for connected cars. As part of this, the CNIL is currently conducting a collective "think tank" exercise with organizations involved in the creation of connected vehicles in order to establish suitable compliance tools with the cooperation of such organizations.
Like connected cars, the aim of smart cities is to enhance people's quality of life through the use of new technologies. The CNIL explained that its objective is to work with data controllers, including by encouraging a "privacy by design" approach, so that data protection and privacy considerations are built into the design and manufacturing process of new technologies. Indeed, one of the issues raised by smart cities is that personal data will be collected in public spaces and may be made available to the general public or to a targeted audience. In various other sectors, such as telecoms, transportation and energy, the CNIL has already taken steps to address this issue by proposing measures to ensure the anonymity of individuals in those cases where individuals did not consent to the collection of their data.
The CNIL listed a series of questions raised by smart cities that it will try to respond to in 2015, including:
- how will citizens be able to identify the actors involved (the entity collecting their data vs. the entities further processing their data) in order to exercise their rights under French data protection law (rights of access, modification, deletion of their personal data and right to oppose the processing of their personal data);
- how will citizens be provided with all of the notification information which data controllers are required to provide to data subjects under French law;
- how can organizations create a service which complies with the other aspects of French data protection law;
- how can organizations engage in a privacy by design process and conduct Privacy Impact Assessments.
The comments and questions raised by the CNIL in relation to connected cars and smart cities echo several provisions of the draft new EU Data Protection Regulation which contains very specific responsibilities for businesses operating in Europe or with European-based customers. These provisions require the adoption of policies and principles, such as "privacy by design" and "privacy by default", to ensure that organizations take into account the nature, impact and risk of their data processing activities before those activities take place and consequently deploy suitable privacy and data protection tools to address that risk.