it law 4 - essential en
SUPINFO
2009-2010 COURSE
PERSONAL DATA PROTECTION WORLDWIDE
Confidential December 16, 2009
SUPINFO/COURS DROIT DES DONNEES PERSONNELLES 16 12 2009
TABLE OF CONTENTS
1. FUNDAMENTAL PRINCIPLES AND LEGAL SCOPE
1.1 THE NOTIONS OF “PROCESSING” AND “PERSONAL DATA”
1.1.1 Personal data
1.1.2 The notion of automatic or non-automatic processing
1.2 THE NOTION OF FAIR COLLECTION
1.2.1 Principles and limitations
1.2.2 Fundamental characteristics
1.3 THE RIGHTS OF DATA SUBJECTS
1.3.1 The right to obtain prior information
1.3.2 The right of access (right of interrogation and right of communication)
1.3.3 The right of rectification
1.4 THE CONTROLLER OF THE FILE AND HIS OBLIGATIONS
1.4.1 The controller of the file
1.4.2 The obligations to notify
1.4.3 Other obligations
1.5 THE DATA PROTECTION OFFICER
1.5.1 The role of the CIL: reducing formalities
1.5.2 The appointment of the CIL
1.5.3 The missions of the CIL
2. THE DIFFERENT INFORMATION SYSTEMS
2.1 THE MAIN INFORMATION SYSTEMS
2.1.1 Human resources information systems
2.1.2 Customer information systems
2.1.3 Purchase information systems
2.1.4 Archival information systems
2.2 TRANSBORDER FLOWS OF PERSONAL DATA
2.2.1 The notion of transborder flows
2.2.2 The protection of data subjects
2.2.3 The principle of prohibition of transborder data transfers outside the European Union, except in case of sufficient protection
2.2.4 Countries considered as providing an adequate level of protection
2.2.5 Countries considered as not providing a sufficient level of protection
2.2.6 The exception to the principle of prohibition
2.2.7 Standard contractual clauses
3. TECHNO SURVEILLANCE
3.1 INTERCEPTION OF TELECOMMUNICATIONS
3.2 GEO-LOCATION
3.2.1 Legal framework of geo-location
3.2.2 Tracking employees
3.2.3 Tracking drivers
3.2.4 Tracking children
3.3 VIDEO SURVEILLANCE
3.3.1 Legal framework
3.3.2 Public security video surveillance
3.3.3 Private security video surveillance
3.4 THE TECHNO PROTECTION OF PRIVACY
3.4.1 Anonymization techniques
3.4.2 Encryption tools
3.4.3 Antitagging tools
3.4.4 Platforms for Privacy Preferences
3.5 WEB 2.0
4. IDENTIFICATION AND SURVEILLANCE TECHNOLOGIES
4.1 APPLICATIONS AND FUNCTIONALITIES OF IDENTIFICATION TECHNOLOGIES
4.1.1 Biometrics
4.1.2 RFID
4.2 ISSUES UNDER THE FRENCH DPA
4.3 APPLICABLE LAWS AND REGULATIONS
4.4 PRECAUTIONS TO BE TAKEN
5. JUDICIAL FRAMEWORK
5.1 COMPLAINTS
5.1.1 Referring a matter to the CNIL
5.1.2 Effects
5.2 INSPECTIONS CARRIED OUT BY THE CNIL
5.2.1 The inspectors
5.2.2 Modalities of the inspections
5.2.3 The inspection procedure
5.2.4 Objecting to an inspection
5.3 THE SANCTIONS
5.3.1 The warning
5.3.2 The injunction
5.3.3 Financial penalties
5.3.4 The injunction to stop the processing
5.3.5 The withdrawal of the authorization
5.3.6 The sanction procedure
5.3.7 The emergency procedure before the CNIL
5.3.8 The summary procedure
6. SECTOR-SPECIFIC DATA PROTECTION RULES
6.1 PUBLIC SECTOR
6.1.1 The State
6.1.2 National defense
6.1.3 Justice
6.1.4 Police, gendarmerie and customs
6.1.5 Private organizations entrusted with a public service mission
6.1.6 Local authorities
6.2 BANK – INSURANCE SECTOR
6.2.1 Bank
6.2.2 Insurance
6.3 THE DIRECT MARKETING SECTOR
6.3.1 Direct canvassing
6.3.2 Behavioral databases
6.3.3 The use of the credit card number
6.3.4 The assignment of files
6.3.5 E-mailing charter
6.3.6 Fight against spamming
7. REGULATORY AUTHORITIES IN EUROPE
7.1 THE EUROPEAN UNION (EU)
7.1.1 The United Kingdom
7.1.2 Spain
7.1.3 Belgium
7.1.4 Luxembourg
7.1.5 Germany
7.1.6 Romania
7.1.7 Adequacy decisions of the Commission
7.2 THE EUROPEAN ECONOMIC AREA (EEA)
7.2.1 Iceland
7.2.2 Norway
7.2.3 Liechtenstein
7.3 SWITZERLAND
7.3.1 National supervisory authority
7.3.2 Switzerland’s official entry into the Schengen zone
7.4 PERSONAL DATA PROTECTION OFFICIALS (DPOS)
7.4.1 Overview
7.4.2 The German DPO
7.4.3 The French DPO
8. REGULATORY AUTHORITIES OUTSIDE EUROPE
8.1 AMERICA
8.1.1 United States of America (USA)
8.1.2 Canada, Québec
8.1.3 Argentina
8.2 AUSTRALIA
8.3 AFRICA
8.3.1 Tunisia
8.3.2 Mauritius
8.3.3 Burkina Faso
8.3.4 Senegal
8.4 ASIA
8.4.1 China
8.4.2 Hong Kong
8.4.3 South Korea
9. INTERNATIONAL COOPERATION
9.1 THE INTERNATIONAL CONFERENCE OF PRIVACY AND DATA PROTECTION COMMISSIONERS
9.1.1 Accreditation
9.1.2 The Conference
9.2 THE ARTICLE 29 DATA PROTECTION WORKING PARTY
9.2.1 The tasks of the Art. 29 Working Party
9.2.2 Types of issues examined by the Art. 29 Working Party
9.2.3 Cooperation between data protection authorities within the EU
APPENDIX 1: KEY TEXTS
APPENDIX 2: TABLE OF PENALTIES APPLICABLE IN FRANCE FOR OFFENCES RELATED TO PERSONAL DATA
APPENDIX 3: BIBLIOGRAPHY
1. FUNDAMENTAL PRINCIPLES AND LEGAL SCOPE
1. The legislative and regulatory framework applicable to data protection in France has been
established by:
- the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual
Liberties (referred to below as “Data Protection Act” or “DPA”), as amended on 6
August 2004,
- in accordance with the European Directive of 24 October 1995 on the protection of
individuals with regard to the processing of personal data and on the free movement of
such data (referred to below as the “EC Directive”) [1].
2. As a result, the French and European personal data legislations are very similar.
3. This module will outline the main principles of data protection and present the various
obligations laid down by the French legislation on data protection.
1.1 THE NOTIONS OF “PROCESSING” AND “PERSONAL DATA”
1.1.1 Personal data
4. The French Data Protection Act protects personal data. Under French law: “Personal data
means any information relating to a natural person who is or can be identified, directly or
indirectly, by reference to an identification number or to one or more factors specific to him.
In order to determine whether a person is identifiable, all the means that the data controller or
any other person uses or may have access to should be taken into consideration” (DPA,
Art. 2).
5. More specifically, according to the French data protection agency, the “Commission
nationale de l’informatique et des libertés” (referred to below as “CNIL”), personal data is
“any anonymous information allowing to identify a specific person (for example a fingerprint,
DNA or a sentence such as ‘the son of the doctor residing 11 boulevard Belleville in
Montpellier is a bad student’)”.
6. Personal data can be a family name, a social security number, a vehicle registration number
or more generally any data that, without having a direct relation to an individual (last name,
first name, address...), makes it possible to establish a link with that individual [2].
[1] See Appendix 1 “Legal Texts”.
[2] See case law available on http://www.alain-bensoussan.com/pages/840/
MODULE No. 1 – The Basics & The Information Systems
1.1.2 The notion of automatic or non-automatic processing
7. The French Data Protection Act primarily focuses on the notion of “processing of personal
data”, which is broader than the notions of “filing system” or “file”. The scope of application
of the DPA covers all automatic processing and non-automatic processing of personal data
that is or may be contained in a personal data filing system (DPA, Art. 2).
8. Thus, the automatic nature of the processing is not an essential condition for the application
of the DPA.
9. An automatic processing of personal data covers “any operation or set of operations in
relation to such data, whatever the mechanism used, especially the obtaining, recording,
organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, deletion or destruction” (DPA, Art. 2).
10. An automatic processing can be constituted by only one of the elements described in
Article 2 above, e.g. the mere collection and registration of personal data [3].
11. Moreover, the DPA does not make any distinction between personal data depending on
whether or not they are accessory to the main purpose of the processing.
12. While the French DPA governs computer science, it does not limit itself to that field. The
notion of “processing of personal data” is indeed widely defined and the DPA applies to any
new automatic processing, whatever the nature of the media or technique used, to the extent
that the data collected is or may be contained in a personal data filing system.
13. Only automatic processing of personal data carried out for “exclusively private” or
domestic activities is excluded from the DPA (diaries and other personal address books),
subject to the conditions provided for in its Article 5.
14. For example, an address book used for “professional” purposes falls within the scope of the
DPA, even if used at home and outside working hours.
1.2 THE NOTION OF FAIR COLLECTION
1.2.1 Principles and limitations
15. Data must be obtained and processed fairly and lawfully (DPA, Art. 6, 1°).
16. The DPA does not define what unfair, unlawful or fraudulent means may be. It is
therefore up to the courts to define these notions.
17. Case law [4] considers that collecting information from third parties without the knowledge
of the data subjects is an unfair maneuver, because in such a case they do not have the possibility
to exercise their right to object to the collection in accordance with Article 38 of the DPA.
However, penal sanctions apply only if the data collected is registered or stored unlawfully,
and not if the data is merely collected.
[3] See case law available on http://www.alain-bensoussan.com/pages/840/
[4] See case law available on http://www.alain-bensoussan.com/pages/844/
18. The CNIL has issued many decisions on the unfair and unlawful collection of data.
19. For example, it has decided that obtaining subscriber numbers through random selection
or through the production of sequences from a dialing code was a collection of data made via
an unfair or fraudulent means within the meaning of Article 25 of the DPA.
20. Certain data are considered as “sensitive”. Sensitive data is personal data that reveals,
directly or indirectly, the racial and ethnic origins, the political, philosophical, religious
opinions or trade union affiliation of persons, or which concern their health or sexual life [5].
21. It is prohibited to collect, record or store sensitive data except in certain cases (essentially
listed in Article 8-II of the DPA) including, but not limited to, the following cases:
- the controller has received the express consent of the data subject (in writing);
- the processing is necessary for the protection of human life, but the data
subject is unable to give his consent to it because of a legal incapacity or physical
impossibility;
- a philosophical, political or trade union body keeps the list of its members;
- the processing is justified by the public interest (processing carried out by the Ministry
of Defense and of the Interior);
- the processing is necessary for the establishment, exercise or defense of a legal claim.
22. Recording or storing sensitive data other than in the above cases is considered an illegal
collection of data sanctioned by five years’ imprisonment and a 300,000 euro fine (French
Penal Code, Art. 226-18).
23. For legal entities, the fine is multiplied by five, i.e. 1,500,000 euros, and may be
pronounced together with the sanctions set out in Article 131-39 of the French Penal Code.
1.2.2 Fundamental characteristics
24. Under French law, personal data may be managed only if they meet the six fundamental
characteristics below. Data must be:
- accurate: i.e. corresponds to the actual situation of the data subject;
- adequate: the information must not only be accurate at the time of the collection but
also when it is used; this implies that the processing is adequate, i.e. it does not distort
the data when it is aggregated and restored;
- relevant: this implies a conformity between the data and its implementation;
- legitimate: a balance is struck between the interests of the data subjects and the
interests of the data controller;
- not excessive: this remains a difficult concept to grasp. It is pragmatically defined by
the CNIL according to the nature of the personal data and the sensitivity of the initial
and onward processing operations;
- complete: to avoid mistakes, data controllers must ensure that they have all the
information required for quality processing results;
- in addition, data must be maintained in operational condition: the adequate, relevant,
not excessive, and complete nature of the data must be maintained throughout their
implementation period. To this effect, the data controller must update, delete, correct
or supplement the data when required.
[5] See case law available on http://www.alain-bensoussan.com/pages/846/
1.3 THE RIGHTS OF DATA SUBJECTS
25. Everyone has the right to privacy. To protect their privacy, data subjects, i.e. the
individuals to whom the data covered by the processing relate, have been granted certain
rights, including but not limited to:
- the right to obtain prior information;
- the right of access (right of interrogation and right of communication);
- the right of rectification.
1.3.1 The right to obtain prior information
26. The French Data Protection Act establishes a right to information for data subjects.
Pursuant to its Article 32-I, any data subject from whom data is directly obtained must be
provided with the following information:
- the identity of the data controller and of his representative, if any;
- the purposes of the processing for which the data are intended;
- whether replies to the questions are compulsory or optional;
- the possible consequences for him of the absence of a reply;
- the recipients or categories of recipients of the data;
- the right of objection and rectification;
- the intended transfer of personal data to a State that is not a Member State of the
European Community;
- the existence of a right of access or rectification.
27. It is the responsibility of the data controller to take any measures to provide this
information to the data subjects, in particular when data is obtained via questionnaires.
28. If data is collected indirectly, e.g. via cookies on the Internet, the data subject must be
informed in a clear and complete manner by the data controller or his representative
regarding:
- the purpose of any action intended to provide access, by means of an electronic
transmission, to information stored in his connection terminal equipment, or to record
information in his connection terminal equipment by the same means;
- the means he has to object to such action (DPA, Art. 32-II).
29. Failure to comply with these provisions is sanctioned by the penalties provided for petty
offenses of the fifth class under Decree No. 81-1142 of 23 December 1981.
1.3.2 The right of access (right of interrogation and right of communication)
30. The right of access is the right for data subjects (i) to know whether the personal data
relating to them form part of a processing and (ii) to be informed of said data (DPA, Art. 39).
The right of access is an essential right that places a data subject’s status as a citizen
before his status as a member of the public.
31. The right of access helps prevent abuse and promotes transparency in the exploitation
of the personal data processed.
32. With such a right, a data subject can interrogate the controller of an automatic processing on
whether or not the processing contains information about him or her. If yes, the data subject is
entitled to be provided with relevant information.
33. The right of access can be exercised only by the individual concerned and can only cover
data about him or her.
34. Data subjects who decide to exercise their right of access do not need to give any
justification. The exercise of this right does not need to be justified.
35. However, this right may be misused, e.g. data subjects can make many requests in order to
deliberately hinder the activity of the company owning the data files. This is the reason why the
CNIL has the power to release a company from its obligation to answer requests made by
individuals under their right of access.
36. On the other hand, the CNIL reserves the right, when asked to do so by the data subject, to
demand that a company communicate data within a very short period of time, even if there is
no emergency.
37. To restrict excessive and repetitive requests of access, the DPA has established that data
subjects willing to obtain a copy of their personal data may be required to pay a sum of
money. The amount of such sum is fixed in a ministerial order.
38. Lastly, concerning sensitive data, the DPA has created an “indirect” right of access
(Articles 40 to 42). For example, access to medical data is made indirectly through a doctor.
39. Failure to comply with the right of access is sanctioned by the penalties provided for petty
offenses of the fifth class, i.e. to date a fine of 1,500 euros maximum or 3,000 euros in case of
second offense [6].
1.3.3 The right of rectification
40. The right of rectification is a right completing the right of access. It is not, however,
subject to the same conditions and is governed by distinct provisions (DPA, Art. 40).
41. Individuals who have made a request for access do not have all powers over their data.
They can only complete, update or clarify their data, or request their deletion.
42. While the right to information and communication does not need to be justified, the
exercise of the right of rectification is subject to specific conditions [7].
43. Failure to comply with the right of rectification is sanctioned by the penalties provided for
petty offenses of the fifth class, as well as the publication of the court decision at the expense
of the losing party, where applicable.
[6] See case law available on http://www.alain-bensoussan.com/pages/878/
[7] See case law available on http://www.alain-bensoussan.com/pages/878/
1.4 THE CONTROLLER OF THE FILE AND HIS OBLIGATIONS
1.4.1 The controller of the file
44. According to the French Data Protection Act, the data controller is a person, public
authority, department or any other organization who determines the purposes and means of
the data processing (DPA, Art. 3, I).
45. Data controllers have to fulfill a number of obligations, the most important being the
obligation to notify their processing of personal data to the data protection agency.
46. Case law has ruled that a notifying party is any individual or entity having the power to
decide the creation of a computer file, even if the exploitation of the automatic processing is
entrusted to another company [8].
47. It is the individual or his representative, or the representative of the legal entity who has
the power to decide the implementation of the processing who signs the notification
formalities carried out with the CNIL.
48. In the CNIL‟s opinion, the notifying organization is the organization that implements a
processing and exploits it itself. Moreover, an organization that implements a processing, but
subcontracts its exploitation, remains the notifying party.
49. If an organization implements a processing and transfers some of the data processed to
another organization, which exploits them for itself, the two organizations are both
notifying parties. Each of them must therefore carry out the formalities with the CNIL
required for their own data.
1.4.2 The obligations to notify
50. Although the DPA does not specify who has to notify the processing to the CNIL, it is the
data controller who carries out the prior formalities with the CNIL, whatever the service or
organization actually exploiting the processing.
51. If the data controller is not established on French territory or in any other Member State of
the European Community, but uses means of processing located on French territory (with the
exception of processing used only for the purposes of transit), he must appoint a
representative who shall represent him for the fulfillment of the notification formalities (DPA,
Art. 5).
52. There are two types of prior notification formalities to be carried out with the CNIL,
according to the nature and purpose of the processing: (i) the notification (DPA, Art. 23 and
24) or (ii) the authorization (DPA, Art. 25, 26 and 27).
53. The notification procedure is the normal regime. It is applicable to standard processings,
i.e. processings not likely to jeopardize privacy or liberties. Notification is based on three
procedures, with different levels of complexity and formalism.
54. The notification procedure requires building up a complete dossier describing the
functional and legal environment of the automatic processing of personal data implemented [9].
[8] See case law available on http://www.alain-bensoussan.com/pages/841/
[9] See case law available on http://www.alain-bensoussan.com/pages/860/
55. Most common processing can be notified via a straightforward procedure based on
simplified standards adopted by the CNIL (DPA, Art. 24 I). The CNIL can also exempt from
notification certain categories of processings (DPA, Art. 24 II).
56. The authorization procedure is applicable to “sensitive” processings, i.e. processings that
may infringe privacy and freedoms in light of their purposes and characteristics (DPA,
Art. 25), as well as to certain processings carried out on behalf of the State (DPA, Art. 26 and
27).
57. Article 25 of the DPA lists eight categories of “sensitive” processings [10]:
- processing, whether automatic or not, of the special categories of data mentioned in
Article 8, where they are carried out by the National Institute of Statistics and
Economic Studies (INSEE) or one of the statistical services of Ministries, or where
they are, within a short period of time, to be subject to an anonymization procedure
which the CNIL has earlier approved as compliant, or where it is justified by the
public interest;
- automatic processing of genetic data, unless carried out for preventive medicine,
medical diagnosis or the administration of care or treatment;
- processing, whether automatic or not, of data relating to offences, convictions or
security measures, except for those carried out by representatives of justice when
necessary to carry out their task of defending data subjects;
- automatic processing which may, due to its nature, importance or purposes, exclude
persons from the benefit of a right, a service or a contract in the absence of any
legislative or regulatory provision;
- automatic processing whose purpose is the combination of files of one or several legal
entities who manage a public service and whose purposes relate to different public
interests;
- processing relating to data which contain the NIR (registration number of natural
persons in the national register for the identification of individuals, i.e. social security
number) and processing that requires the consultation of this register;
- automatic processing of data comprising assessments of the social difficulties of
natural persons;
- automatic processing comprising biometric data necessary for the verification of an
individual’s identity.
58. Articles 26 and 27 cover categories of processings carried out on behalf of the State. Such
categories of processings are subject to the authorization procedure, even if the DPA refers to
them as processing subject to a request for opinion.
[10] See case law available on http://www.alain-bensoussan.com/pages/863/
59. These processings are, depending on the case, authorized by a ministerial order, a decree
subject to a prior opinion of the “Conseil d’Etat”, or a decision of the authority concerned [11]:
- processing which involves State security, defense or public safety;
- processing whose purpose is the prevention, investigation, or proof of criminal
offences, the prosecution of offenders or the execution of criminal sentences or
security measures;
- processing relating to the specific categories of data mentioned in Article 8 of the Act;
- processing relating to data containing the registration number of individuals in the
national register for the identification of individuals (“NIR”, i.e. social security
number) or that requires a consultation of the NIR without including the registration
number to this register and carried out on behalf of the State, a legal entity governed
by public law or a legal entity governed by private law that manages a public service;
- processing carried out on behalf of the State relating to biometric data necessary for
the identification or verification of the identity of individuals;
- the processing carried out by departments that have the mission, either to determine
the conditions for the creation or the scope of citizens’ rights, to control or collect
taxation or taxes of any nature or to establish the basis for doing this, or to establish
statistics.
60. Anyone who carries out automatic processing of personal data without having notified
such processing is sanctioned by five years’ imprisonment and a fine of €300,000.
61. Processing data or causing personal data to be processed without respecting the
formalities required by Articles 24 and 25 of the DPA is sanctioned by five years’
imprisonment and a fine of €300,000, even where committed through negligence.
1.4.3 Other obligations
62. In addition to the notification formalities, the French Data Protection Act of 6 January
1978 also imposes on any person processing personal data other obligations linked to:
- legality [12];
- security;
- the transfer of data to third parties;
- the taking of decisions on the basis of standard profiles.
63. Firstly, the DPA states that the data controller shall take all useful precautions, with regard
to the nature of the data and the risks of the processing, to preserve the security of the data
and in particular prevent their alteration and damage, or access by non-authorized third parties
(DPA, Art. 34).
64. Such security obligation applies to all automatic or non-automatic processing of personal
data within the purview of the DPA [13].
[11] See case law available on http://www.alain-bensoussan.com/pages/864/ and http://www.alain-bensoussan.com/pages/865/
[12] See § 1.2 above about fair and lawful collection.
[13] See case law available on http://www.alain-bensoussan.com/pages/872/
65. Where data are processed by a processor, such processor shall offer adequate guarantees
to ensure the implementation of the security obligation (DPA, Art. 35(3)).
66. The violation of the obligation of security is sanctioned by criminal penalties: five years’
imprisonment and a fine of €300,000 (French Penal Code, Art. 226-17). For legal entities, the
fine is multiplied by five, i.e. 1,500,000 euros, and may be pronounced together with the
sanctions set out in Article 131-39 of the French Penal Code.
67. Secondly, the assignment of personal data to third parties is allowed provided that the initial
notification, application for authorization or request for opinion referred to the assignment and
specified whether the processing may be aligned, combined or otherwise related with other
processings.
68. If the assignment was not provided for in the initial notification, a company willing to
loan, lease or assign its data should promptly inform the CNIL and modify its initial
notification; otherwise it may be punished by the same sanction punishing the fact of
diverting data from its proper purpose.
69. Lastly, the DPA does not prohibit decision-making operations based on the standard
profiles. It authorizes selection operations from an automatic processing of personal data, but
regulates customer segmentation and targeting operations, for example to elaborate standard
consumer profiles.
70. However, no court decision involving the assessment of an individual’s behavior may be
based on an automatic processing of personal data intended to assess some aspects of his
personality, and no other decision having a legal effect on an individual may be taken solely
on the grounds of automatic processing of data intended to define the profile of the data
subject or to assess some aspects of his personality (DPA, Art. 10(1) and (2)) [14].
1.5 THE DATA PROTECTION OFFICER
71. The “CIL”, i.e. “correspondant à la protection des données à caractère personnel”, is the
French data protection officer.
1.5.1 The role of the CIL: reducing formalities
72. The main role of the CIL is to streamline the process and cut the red tape: a company with
a CIL is exempted from notification formalities (DPA, Art. 22).
73. However, this is only possible for standard processings governed by Articles 23 and 24 of
the DPA.
74. Besides, processings subject to the authorization procedure (DPA, Art. 25, 26 and 27) and
processings implying the transfer of data to a non-EU State are not eligible for that
exemption.
75. Both public and private companies can appoint a CIL.
[14] See case law available on http://www.alain-bensoussan.com/pages/848/
1.5.2 The appointment of the CIL
76. The missions, functions and obligations of the CIL [15] are described in the French Decree of
20 October 2005 enacted for the application of the DPA (as amended by Decree of 25 March
2007).
77. The appointment of a CIL must first be notified by the data controller to the staff
representative body concerned by registered letter with return receipt requested, and then to the
CNIL.
78. A CIL may be an individual or a legal entity.
79. CILs are chosen among the individuals working inside the company. They may be
individuals external to the company only where fewer than 50 persons are in charge of the
implementation or have access to the automatic processing.
80. Companies subject to the same control, Economic Interest Group or professional bodies of
the same branch of industry have the possibility to appoint one single CIL.
81. The data controller or his legal representative may not be appointed as CIL.
Other functions or activities carried out simultaneously by the CIL “must not lead to conflicts
of interest in the performance of his duties as a data protection officer”.
1.5.3 The missions of the CIL
82. The CIL shall ensure compliance with the requirements of the Data Protection Act. For
this purpose, the CIL:
- may make recommendations to the data controller;
- shall be consulted about any new processing before its implementation;
- shall receive requests and complaints from the data subjects;
- shall inform the data controller of the failings noted before any notification to the
CNIL;
- shall prepare an annual report on his activities that shall be presented to the data
controller and made available to the CNIL.
83. In addition, within three months of being appointed, the CIL shall draw up the list of the
automatic processings implemented by his company. The CIL will be responsible for
providing a copy of such list to any individual who requests it.
84. The data controller shall provide the CIL with all the material that may help him draw up
and regularly update the list of automatic data processing implemented within the premises,
department or the body for which he is appointed.
85. The CIL may refer any difficulty encountered while carrying out his missions to the CNIL
at any time.
[15] See Alain Bensoussan, « Le correspondant à la protection des données à caractère personnel: un maillon
important de la réforme », Gazette du Palais n° 284 à 286 du 10 au 12 octobre 2004, available on
http://www.alain-bensoussan.com/Documents/ARTICLE%20AB%20GTA%20OCTOBRE.pdf
2. THE DIFFERENT INFORMATION SYSTEMS
86. An organization or company, whether public or private, may exploit many information
systems. They may be cross-cutting (purchase, HR, invoicing, accounting, archives, etc.) or
sector-based (insurance and risks, social and health, bank and stock exchange, etc.).
2.1 THE MAIN INFORMATION SYSTEMS
87. The main information systems relate to human resources, customers, purchases and
archives.
2.1.1 Human resources information systems
88. Human resources concern a range of activities within a company: recruitment; payroll;
management and training of staff; directories and intranets; management and control of
access to premises; catering; relations with staff representative bodies, etc.
89. HR information systems of public and private companies are regulated by the CNIL in a
very similar manner. HR information systems are mainly subject to the following texts:
- Recommendation No. 89 of the Council of Europe (Recommendation 89 of 18
January 1989 on the protection of personal data used for employment purposes);
- French Labor Code, in particular its Articles relating to individual and collective
liberties, to collection of information and transparency on collection devices, to
professional equality between men and women, and to the information of the staff
representative bodies.
90. HR information systems are usually guided by three principles:
- transparency;
- proportionality;
- purpose.
91. The CNIL has enacted a series of simplified standards for the prior formalities applicable
to HR information systems:
- Simplified Standard No. 46: Deliberation 2005-002 dated 13 January 2005 adopting a
standard intended to simplify the obligation to notify processings implemented by
public and private organizations for the management of their staff (amended);
- Simplified Standard No. 42: Deliberation 02-001 dated 8 January 2002 concerning the
automatic processing of personal data implemented on the workplace to manage the
control of access to the premises, of working hours and catering;
- Simplified Standard No. 47: Deliberation 2005-019 dated 3 January 2005 creating a
simplified standard concerning the automatic processing of personal data implemented
with respect to use of fixed and mobile telephony at the workplace;
- Simplified Standard No. 51: Deliberation 2006-067 dated 16 March 2006 adopting a
simplified standard concerning the automatic processing of personal data implemented
by public or private organizations in order to locate geographically the vehicles used
by their employees;
92. Moreover, the CNIL has issued exemptions and single authorizations for certain HR-
related processings:
- Exemption No. 1: Deliberation 2004-096 dated 9 December 2004 exempting from
notification processings for the management of remunerations implemented by the
State, local communities, legal entities governed by public law or legal entities
governed by private law that manage a public service;
- Exemption No. 2: Deliberation 2004-097 dated 9 December 2004 exempting from
notification processings for the management of remunerations implemented by legal
entities governed by private law other than those managing a public service;
- Single Authorization No. AU-004: Deliberation 2005-305 dated 8 December 2005 for
automatic processings of personal data implemented within the framework of
whistleblowing systems.
93. Lastly, the CNIL has also elaborated recommendations on the collection and processing of
personal data within the framework of recruitment operations (Deliberation 02-017 dated 21
March 2002).
2.1.2 Customer information systems
94. Customer information systems generally concern electronic canvassing, customer
relations, profiles, segmentation, customer loyalty, contractual difficulties (outstanding
payments and complaints) and transborder flows.
95. The CNIL elaborated in 2005 [16] a “multisector” simplified standard for the automatic
processing of personal data relating to the management of customer and prospect data, which
has been amended by Deliberation 2005-276 dated 17 November 2005.
96. Only customer information systems from the banking and insurance sectors are excluded
from the scope of that standard. As a result, they must be notified to the CNIL according to
the ordinary procedure applicable to any processing of personal data.
2.1.3 Purchase information systems
97. Purchase information systems concern data on suppliers.
98. Concerning the prior formalities specific to purchase information systems, the CNIL has
exempted from notification files for the management of supplier data concerning individuals
(exemption No. 4), to the extent that these processings do not present any apparent risk for
privacy and liberties.
99. However, these systems may also cover data on electronic purchase (purchase extranets
and electronic purchase platforms).
100. Extranets are eligible for exemption No. 4 when implemented within the limit of the
functional criteria stated in the exemption.
101. On the other hand, e-commerce activities for suppliers do not fall within the scope of the
exemption. These activities must be subject to a specific notification or incorporated into a
standard notification corresponding to the purchase information system.
[16] Simplified standard No. 48, deliberation 2005-112 dated 7-6-2005.
2.1.4 Archival information systems
102. In most private or public organizations, the archival of personal data is not a distinct,
separate system, and backup, storage and archives very often are mixed together.
Archival information systems are cross-cutting information systems which relate to all the
other information systems.
103. The CNIL has issued specific recommendations for the archival of certain data:
- Deliberation 88-52 dated 10 May 1988 adopting a recommendation on the
compatibility between the Act 78-17 of 6 January 1978 and the Act 79-18 of 3
January 1979 on archives;
- Deliberation 2005-213 dated 11 October 2005 concerning the modalities for the
electronic archiving of personal data in the private sector.
2.2 TRANSBORDER FLOWS OF PERSONAL DATA
104. Because of their nature, personal data cannot be transferred in conditions that would not
respect the privacy or fundamental rights and freedoms of data subjects. On the other hand,
nowadays the development of communications makes it necessary for most businesses to
transfer data about individuals.
2.2.1 The notion of transborder flows
105. The notion of transborder flow refers to the export and import of personal data. Despite
its importance and its role as a catalyst for universal rights, both in legal and ethical terms,
there is no definition of that concept in the EC Directive or the French Data Protection Act.
106. According to the CNIL, a transfer of personal data to a non-EU country consists in
“communicating, copying or moving personal data via a network, or communicating, copying
or moving these data from one media to another, whatever the type of media, to the extent that
these data are subject to be processed in the recipient country”.
Flows can thus be both physical (actual moving of data) and virtual (access to data and related
processings).
107. That definition must be reviewed in light of the notion of “processing”, which is “any
operation or set of operations in relation to data, especially the obtaining, recording,
organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by
transmission, dissemination or otherwise making available, alignment or combination,
blocking, deletion or destruction”.
2.2.2 The protection of data subjects
108. There are a number of situations in which international transfers of data occur.
109. For example there are transborder transfers of data when a French company
communicates with partners, subsidiaries or parent companies located outside the European
Union or performs activities outside the European Union. Similarly, when a multinational
corporate group centralizes its order management, accounts receivable or human resources
databases or when a company uses the services of a foreign call center or computer
maintenance specialist, this implies the transfer of personal data beyond the borders of the
European Union.
110. The French Data Protection Act has established specific rules to regulate such
transborder transfers, in particular where the non-EU recipient countries do not have a
sufficient level of protection of the privacy and fundamental rights and freedoms of
individuals.
111. Transfers of personal data to countries not belonging to the European Union are indeed
subject to special requirements under the EC Directive.
2.2.3 The principle of prohibition of transborder data transfers outside the
European Union, except in case of sufficient protection
112. Personal data may not be transferred to a country that is not a Member State of the
European Community if this State does not provide a sufficient level of protection of
individuals’ privacy, liberties and fundamental rights with regard to the actual or possible
processing of their personal data (DPA, Art. 68(1)).
113. Transfers may not be made when the non-EU State is considered by the European
Commission as not providing a sufficient level of protection. In such case, the CNIL may
prohibit the intended transfer to that State (DPA, Art. 70).
114. The sufficient nature of the protection provided by the State is assessed taking account in
particular of the provisions in force in this State, the security measures that this State applies,
the specific characteristics of the processing, such as its purposes and duration, as well as the
nature, origin and destination of the processed data (DPA, Art. 68 (2)).
115. The European Commission determines if a country not belonging to the European
Community provides an adequate protection in accordance with requirements laid down in the
EC Directive.
116. Transfers of data to non-EU Member States short-listed by the European Commission for
their sufficient level of protection of personal data are not subject to a specific procedure. The
CNIL only has to be informed of their existence (Decree of 20 October 2005, Art. 101).
117. A table summarizing the data protection laws and regulations adopted worldwide and the
level of guarantees offered by each country under the European criteria is available online on
the CNIL’s website [17] (updated as of 2 June 2008).
2.2.4 Countries considered as providing an adequate level of protection
The European Commission has established a list of countries providing adequate protection.
Such list includes:
- the twenty-five Member States of the European Union;
- the member countries of the European Economic Area: Iceland, Liechtenstein,
Norway;
- other countries recognized as providing adequate protection: Argentina, Canada,
Guernsey, Isle of Man, Switzerland, and US companies having adhered to the Safe
Harbor.
118. Concerning more particularly the United States of America, a Safe Harbor agreement
was negotiated in 2000 [18].
[17] http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/panorama-legislation.pdf
[18] Decision No. 2000/520/EC of 26 July 2000.
119. Transfers of personal data to countries providing an adequate level of protection do not
have to be authorized by the CNIL. The existence of such transfers should nonetheless be
notified to the French data protection agency when the prior formalities required for the data
processing are made.
2.2.5 Countries considered as not providing a sufficient level of protection
120. Transfers of personal data to non-EU countries not providing sufficient protection are
possible only in the situations strictly listed in Section 69 of the French DPA.
121. If none of these limited situations applies, the transfer cannot be made without the
authorization of the CNIL.
122. Such authorization is granted subject to the adoption by the company of a transborder
data flow agreement or binding corporate rules offering adequate safeguards for the transfer.
123. For corporate groups, binding corporate rules (“BCR”), also known as internal rules,
codes of good conduct or charter, are an alternative to transborder data flow agreements. The
European Commission has published three model contracts [19].
124. The advantage of BCRs is that they are adopted unilaterally by the group headquarters
and avoid entering into an agreement for each data transfer made within the group.
2.2.6 The exception to the principle of prohibition
125. Pursuant to Article 69 of the DPA, personal data may be exceptionally transferred to a
State not providing a sufficient level of protection if the data subject has expressly consented
to their transfer or if the transfer is necessary for:
- the protection of the data subject’s life;
- the protection of the public interest;
- the meeting of obligations ensuring the establishment, exercise or defense of legal
claims;
- the consultation, in accordance with legal conditions, of a public register;
- the performance of a contract between the data controller and the data subject, or of
pre-contractual measures taken in response to the data subject’s request;
- the conclusion or performance of a contract, either concluded or to be concluded in the
interest of the data subject between the data controller and a third party.
126. An exception to the principle of prohibition may also be decided by a decision of the
CNIL or by a decree taken upon the prior opinion of the “Conseil d’Etat” for certain public
processings and where the processing guarantees a sufficient level of protection of
individuals’ privacy as well as their liberties and fundamental rights.
127. Such guarantees may in particular result from contractual clauses or binding corporate
rules.
[19] Decisions No. 2001/497/EC, No. 2004/5271/EC and No. 2002/16/EC.
2.2.7 Standard contractual clauses
128. Concerning the transfer of personal data to non-EU countries, the European Commission
has drafted two sets of standard contractual clauses for transfer of data from a controller to
another controller, in 2001 [20] and 2004 [21].
129. It has also drafted one set of standard contractual clauses for transfer of data from a
controller to a processor, in French and in English [22].
130. In addition, the Article 29 Data Protection Working Party, known as “G29”, adopted in
January 2007 a standard form to submit draft Binding Corporate Rules (“BCR”) to European
supervisory authorities [23].
* * *
[20] Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third
countries, under Directive 95/46/EC, OJEC (L) 181/19 of 4 July 2001, available
in French at
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VA.pdf
in English at
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VF.pdf.
[21] Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of
an alternative set of standard contractual clauses for the transfer of personal data to third countries, OJEC (C)
2004 5271, available:
in French at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VF.pdf
in English at
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VA.pdf
[22] Commission Decision of 27 December 2001 on standard contractual clauses for the transfer of personal data to
processors established in third countries, under Directive 95/46/EC, OJEC (L) 6/52 of 10 January 2002, available
in French at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VF.pdf
in English at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VA.pdf
[23] http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Form-bcrWP133EN.doc (English
version).
3. TECHNO SURVEILLANCE
3.1 INTERCEPTION OF TELECOMMUNICATIONS
131. The term “interceptions of telecommunications” means the collection, use and recording
of contents exchanged via electronic communication tools. The term “electronic
communications” means “the transmission, emission or reception of signs, signals, text,
images or sound by electromagnetic means” (French Posts and Electronic Communications
Code, Art. L 32 1°).
132. The interception of telecommunications encompasses:
- the protection of private correspondence: it is guaranteed by law and is the
implementation in the field of electronic communications of the more general
principle of the protection of privacy (Act 91-646 of 10 July 1991, Art. 1);
- the interception of electronic communications for security purposes: wiretapping is
regulated by the Act of 10 July 1991;
- the interception of electronic communications for legal purposes: it is subject to
Articles 100 to 100-7 of the French Code of Criminal Procedure for the investigation
of felonies and misdemeanors (if the penalty incurred is equal to or in excess of two
years’ imprisonment), organized crimes and the research of certain individuals;
- the administrative interceptions of connection data: their purpose is limited to the
prevention of acts of terrorism (French Penal Code, Art. 421-1 and Art. 421-2);
- the judicial interceptions of connection data: the storage of such data and their
communication to the judicial authority is limited to the research, discovery and
prosecution of penal offences (French Posts and Electronic Communications Code,
Art. L34-1 II);
- the private interceptions: unregulated wiretapping is prohibited, unless otherwise
authorized by the individuals concerned or within the framework of cyber surveillance
operations at the workplace;
- the regulation of devices for the interception of electronic communications: the
interceptions of private telecommunications are prohibited, unless otherwise
authorized by the calling party and the called party.
133. Two administrative authorities play a key role in that domain: the National Commission
for the Control of Security Interceptions (“Commission nationale de contrôle des
interceptions” or “CNCIS”) and the Data Protection Authority (“Commission nationale de
l’informatique et des libertés” or “CNIL”).
MODULE No. 2 – Technologies
134. All operations (manufacture, import, detention, exhibition, offer, rental, sale, installation)
on equipment designed to intercept telecommunications are prohibited (French Penal Code,
Art. 226-3). Similarly, equipment that makes it possible to intercept, record or transmit words
uttered in confidential or private circumstances, without the consent of their speaker, or the
picture of a person who is within a private place, without the consent of the person concerned,
is prohibited (French Penal Code, Art. 226-1).
135. Operators implementing the equipment mentioned above must apply for an
authorization in accordance with a list established by the Prime Minister (French Penal Code,
Art. R 226-1).
3.2 GEO-LOCATION
136. Location data is “any data processed in an electronic communications network,
indicating the geographic position of the terminal equipment of a user of a publicly available
electronic communications service” [24].
137. Geo-location services are based on the GPS system and GSM-type mobile telephony.
138. These services give the position of the fleet covered by the piloting or surveillance. The
terminal installed on the vehicle transmits the position, the communications of any nature, the
condition of the vehicle, the conditions of use and the social data (optimization of the working
condition and tracking of overtime).
3.2.1 Legal framework of geo-location
139. The legal framework of geo-location consists of Directive 2002/58/EC of 12 July 2002
(Art. 9) and a recommendation issued by the CNIL on 16 March 2006 concerning the
geo-location of employee vehicles.
140. The prior formalities specific to that technology are those of simplified standard No. 51
(geo-location of employee vehicles in public and private sectors).
141. Processings using that technology are mainly designed for the geo-location of
employees, drivers or children.
3.2.2 Tracking employees
142. The CNIL has established rules for the use of geo-location within a company in a
recommendation dated 16 March 2006 [25].
143. It may be used for employees who have a large degree of autonomy in their organization
(sales representatives, pharmaceutical sales representatives, door-to-door sales representatives
etc.) and who cannot be tracked permanently.
144. Data is collected on the travels, the average speed and mileage. In no event should the
data make it possible to establish the existence of offences.
[24] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive on
privacy and electronic communications), Art. 2.
[25] Deliberation 2006-066 of 16 March 2006 adopting a recommendation on the implementation of devices
designed to geo-locate motor vehicles used by the employees of a private or public organization.
145. The CNIL considers that the only purposes admitted in that context are:
- the surety or security of the employees or the goods or vehicles they are responsible
for (lone workers, transfer of funds and values, etc.);
- a better allocation of resources when services are to be performed in dispersed
locations (emergency interventions, taxi drivers, breakdown lorries etc.);
- the monitoring and invoicing of a service for the transport of individuals or goods, or
of a service directly linked to the use of the vehicle (school bus service, road shoulder
maintenance, snow clearing, road network patrols, etc.);
- the monitoring of working time when such monitoring cannot be made by other means
(Deliberation 2006-066 of 16 March 2006).
146. They must correspond only to the usages notified. It is possible to use the simplified
standard No. 51.
3.2.3 Tracking drivers
147. A new insurance service, entitled “Pay as you drive”, is gaining steam worldwide
thanks to geo-location technologies. The objective is to tailor the insurance services offered to
drivers according to their travels (length, itinerary) and behaviors (law-abiding, risky,
dangerous).
148. Such services have already been deployed in the USA, Israel, Dubai, Abu Dhabi, the
UK, Italy and Ireland, apparently to the general satisfaction of the contracting parties.
149. However, an offer requiring young drivers to install in their vehicle a GPS-GSM device
has been refused by the CNIL. Its objective was to collect information on the case number,
speed, places, dates, hours and length of driving, the total number of kilometers traveled and
the type of road, in order to “identify the location of the vehicle every two minutes, the speed,
the type of road on which the vehicle drives, the time of the driving and the length of the
driving” (Deliberation 2005-278 of 17 November 2005, MAAF Insurances SA).
3.2.4 Tracking children
150. Applications for the tracking of children are based on the GPS-GSM technology. With
this service, parents can know where the child is via the location of his or her mobile phone
thanks to the Internet, Wap or i-mode technologies.
151. As parents are only the beneficiaries of the service, the data controller of such data
processing is the organization that supplies the service for the identification and positioning of
the cell phone.
152. That type of processing is subject to the general notification regime. The CNIL considers
that the child (aged thirteen or more) must be able to express his or her consent for that type
of service.
3.3 VIDEO SURVEILLANCE
153. According to the CNIL, images of individuals captured by video surveillance cameras
are personal data allowing, at least indirectly by combination with other criteria, to identify
individuals [26].
154. The purpose of such processings is to ensure the surveillance and security of access. Data
shall be stored for a period not exceeding one month (Act 95-73 of 21 January 1995, Art. 10).
These processings are subject to the standard notification procedure.
3.3.1 Legal framework
155. Video surveillance (also known as “CCTV”) is governed by two main texts: the Data
Protection Act and the Act on Orientation and Planning on Security, referred to as “Pasqua
Act” (Act 95-73 of 21 January 1995).
156. The relation between these two texts is stated in Article 10 I of the Act of 21 January
1995 as follows:
- “Visual video surveillance recordings […] shall be submitted to the provisions below,
except for those used in automatic processings or contained in files structured
according to criteria allowing to identify, directly or indirectly, individuals, and
governed by the Act 78-17 of 6 January 1978 on Data Processing, Data Files and
Individual Liberties.”
157. Moreover, pursuant to Article 5 of a 1996 Decree: “in the event where the information
attached to the application for authorization or additional information shows that the visual
video surveillance recordings will be used to create a personal data file, the prefectorial
authority shall answer to the applicant that his application shall be sent to CNIL. It informs
the CNIL thereof” [27].
158. The purpose of that regulation is that cameras be “individual-liberties-friendly” [28].
3.3.2 Public security video surveillance
159. The legal scope of public security video surveillance consists of the Act on Orientation
and Planning on Security (“Pasqua Act”, cited above) and its application decree [29]; the order
on technical standards for video surveillance systems [30]; and the ministerial circular of 26
October 2006.
160. Any installation of a video surveillance system shall be authorized, except in the field of
national defense.
161. The authorization is delivered by the representative of the State in the “départements” or
by the prefect of police of Paris. It is preceded by an opinion given by a departmental
commission, chaired by judges.
[26] Deliberation 94-056 of 21 June 1994 adopting a recommendation on video surveillance devices used in public
places and places open to the public.
[27] Decree 96-926 of 17 October 1996 on video surveillance.
[28] Circular NORINTD0600096C of 26 October 2006 pursuant to Articles 10 and 10-1 of the amended Act on
Orientation and Planning on Security No.95-73 of 21 January 1995 p. 3.
[29] Decree 96-926 of 17 October 1996.
[30] Order of 26 September 2006.
162. The video surveillance system must conform to certain technical standards (Act 95-73 of
21 January 1995, Art. 10 III(4)).
163. The authorization identifies the individuals in charge, the modalities to view recordings,
the recipients of the data and the data storage period.
164. Except in case of investigation for flagrante delicto, preliminary inquiry or preliminary
information investigation, the recordings shall be destroyed within the deadline stated in the
authorization. Such deadline cannot exceed one month (Act 95-73 of 21 January 1995,
Art. 10 IV).
165. The public shall be informed in a clear and permanent manner of the existence of the
video surveillance system and of the authority or individual in charge (Act 95-73 of 21
January 1995, Art. 10 II(5)).
166. For example, the information on the existence of a video surveillance system filming the
public highway must be provided via a sign with a pictogram representing a camera (Decree
96-926 of 17 October 1996, Art. 13-1 I).
167. For systems installed in facilities and establishments open to the public, such information
must be provided in a clear and permanent manner via signs or small posters, which must
specify the name or title of the data controller as well as a telephone number. These data must
be sufficient to enable data subjects to access their images (Decree 96-926 of 17 October
1996, Art. 13-1 II).
3.3.3 Private security video surveillance
168. Private security video surveillance includes video surveillance at the workplace by
private organizations, public organizations or organizations which manage a public service, as
well as video surveillance of dwelling houses. Only cameras installed in private places and
used exclusively for personal purposes are excluded from the legal regime (DPA, Art 2).
169. The legal framework of private security video surveillance consists of:
- the guiding principles of the French Data Protection Act, to the extent that video
surveillance activities are not expressly referred to therein, unlike biometric
technologies for example;
- Deliberation 94-056 of 21 June 1994 adopting a recommendation on video
surveillance devices implemented in public places and places open to the public.
170. The data concerned includes filming with or without recording, and the connection with
personal data files.
171. The processing of images (collection, recording, visualization, on a real time or
prerecorded basis, and storage) is subject to the standard notification procedure.
3.4 THE TECHNO PROTECTION OF PRIVACY
172. Technology systems oriented towards the protection of privacy include anonymization
techniques, encryption tools, antitagging tools and the Platform for Privacy Preferences.
3.4.1 Anonymization techniques
173. The purpose of anonymization techniques is to anonymize personal data.
174. This may be required because of the necessity to store data beyond the period having
justified their collection and processing, or the necessity to analyze sensitive information.
175. Anonymization is a multifaceted notion, which varies according to its level (absolute or
relative), its usages (restricted to some, prohibited for others) or the means to be implemented
to ensure its reversibility.
176. There are three categories of anonymization techniques resulting in three types of
information:
- anonymous information: technologies that suppress all links between the information
and the data subject.
- masked information: technologies that allow a relative anonymization while enabling
to retrieve personal data according to the technology selected (encryption, hashing and
blurring).
- aggregated information: techniques with the aim of gathering groups or populations so
that it may not be possible to assign data to one individual.
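The three categories above, applied to the same records, as an added example that is not part of the original course. The sample records, the key, the field names and the choice of HMAC-SHA256 for masking are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample data and key, not taken from the course.
RECORDS = [
    {"name": "Alice Martin", "birth_year": 1984, "postcode": "75011", "diagnosis": "asthma"},
    {"name": "Bruno Leroy", "birth_year": 1987, "postcode": "75012", "diagnosis": "asthma"},
    {"name": "Chloe Petit", "birth_year": 1981, "postcode": "75019", "diagnosis": "diabetes"},
    {"name": "David Moreau", "birth_year": 1962, "postcode": "69003", "diagnosis": "asthma"},
    {"name": "Alice Martin", "birth_year": 1984, "postcode": "75011", "diagnosis": "migraine"},
]
KEY = b"constructed-demo-key"
DIRECT_IDENTIFIERS = ("name",)


def to_anonymous(record):
    """Anonymous information: drop the direct identifier and coarsen the rest.

    No value is kept that links two rows of the same person. Whether the
    result is truly anonymous still depends on how coarse the remaining
    fields are for the population concerned.
    """
    return {
        "birth_decade": record["birth_year"] // 10 * 10,
        "region": record["postcode"][:2],
        "diagnosis": record["diagnosis"],
    }


def _pseudonym(name, key):
    # Keyed hash: without the key, candidate names cannot be hashed and
    # compared, which a plain unkeyed hash of a name would allow.
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def to_masked(record, key):
    """Masked information: the name is replaced by a keyed pseudonym.

    The same person keeps the same pseudonym across rows, so the link is
    hidden from readers of the data but recoverable by the key holder.
    """
    masked = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    masked["pseudonym"] = _pseudonym(record["name"], key)
    return masked


def relink(masked_records, name, key):
    """What the key holder can do: find the rows of a known person."""
    target = _pseudonym(name, key)
    return [r for r in masked_records if r["pseudonym"] == target]


def to_aggregated(records, min_group=2):
    """Aggregated information: record counts per (region, diagnosis).

    Cells smaller than min_group are suppressed so that a count of one
    cannot be assigned to a single individual.
    """
    counts = Counter((r["postcode"][:2], r["diagnosis"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= min_group}


if __name__ == "__main__":
    print(to_anonymous(RECORDS[0]))
    masked = [to_masked(r, KEY) for r in RECORDS]
    print(relink(masked, "Alice Martin", KEY))
    print(to_aggregated(RECORDS))
```

Only the masked form is reversible, and only for whoever holds the key, so the key needs the same protection as the original identifiers.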
177. Processes for the anonymization of sensitive data must be authorized by the CNIL. Such
authorization is subject to compliance with the principles of legal purpose, legitimacy and
proportionality and requires that data be anonymized within a short period of time (DPA,
Art. 8 III).
3.4.2 Encryption tools
178. Encryption tools are in line with the security and confidentiality rules for personal data
imposed under Article 34 of the DPA.
179. The CNIL indeed recommends encrypting certain types of personal data as far as
possible.
180. For example, encryption is compulsory when medical data are transferred via the
Internet, or when medical databases are entrusted to a hosting provider.
3.4.3 Antitagging tools
181. The purpose of antitagging tools is to prohibit electronic tagging - e.g. cookie or RFID
chip (see §4.1.2) - or to obtain the consent of individuals before introducing any such
electronic tagging.
3.4.4 Platforms for Privacy Preferences
182. The purpose of the Platform for Privacy Preferences is to collect the preferences of data
subjects and to comply with them. To this end, an Internet user should first determine the
legal regime of the categories of his or her personal data in a questionnaire.
183. P3P version 1.0 is a protocol designed to inform Web users of the data-collection
practices of Web sites. It provides a way for a Web site to encode its data-collection and data-
use practices in a machine-readable XML format known as a P3P policy.
184. The P3P specification defines:
- a standard schema for data a Web site may wish to collect, known as the “P3P base
data schema”;
- a standard set of uses, recipients, data categories, and other privacy disclosures;
- an XML format for expressing a privacy policy;
- a means of associating privacy policies with Web pages or sites, and cookies;
- a mechanism for transporting P3P policies over HTTP.
185. The goal of P3P version 1.0 is twofold:
- allow Web sites to present their data-collection practices in a standardized, machine-
readable, easy-to-locate manner.
- enable Web users to understand what data will be collected by sites they visit, how
that data will be used, and what data/uses they may “opt-out” of or “opt-in” to [31].
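A machine-readable policy of the kind described in paragraphs 183 to 185 can be read by a user agent and compared with the user's preferences. The following is an added example, not taken from the course or from the W3C specification: the policy for a hypothetical shop is constructed, the element names follow the P3P 1.0 vocabulary, and the function names and preference sets are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed policy for a hypothetical site (www.example.com).
SAMPLE_POLICY = """<POLICY xmlns="http://www.w3.org/2002/01/P3Pv1"
    name="shop" discuri="http://www.example.com/privacy.html">
  <ENTITY><DATA-GROUP>
    <DATA ref="#business.name">Example Shop</DATA>
  </DATA-GROUP></ENTITY>
  <ACCESS><contact-and-other/></ACCESS>
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.name"/>
      <DATA ref="#user.home-info.postal"/>
    </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.telecom.telephone"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>"""


def local_names(statement, parent_tag):
    """Names of the child elements of one PURPOSE/RECIPIENT/RETENTION block."""
    return [el.tag[len(NS):] for el in statement.findall(NS + parent_tag + "/*")]


def parse_policy(policy_xml):
    """Return one dict per STATEMENT of a P3P policy."""
    # Policies are fetched from remote sites, so the XML is untrusted input.
    # A P3P policy needs no DTD: refuse one rather than expand its entities.
    if "<!DOCTYPE" in policy_xml:
        raise ValueError("DTD not expected in a P3P policy")
    root = ET.fromstring(policy_xml)
    statements = []
    for st in root.iter(NS + "STATEMENT"):
        statements.append({
            # 'required' defaults to "always": the user is given no choice.
            "purposes": {el.tag[len(NS):]: el.get("required", "always")
                         for el in st.findall(NS + "PURPOSE/*")},
            "recipients": local_names(st, "RECIPIENT"),
            "retention": local_names(st, "RETENTION"),
            "data": [d.get("ref")
                     for d in st.findall(NS + "DATA-GROUP/" + NS + "DATA")],
        })
    return statements


def check_against_preferences(policy_xml, refused_purposes, refused_retention):
    """Compare declared practices with a user's preferences.

    Returns (statement_no, item, verdict) tuples. The verdict is "conflict"
    when the practice is unconditional, otherwise the choice the site offers
    ("opt-in" or "opt-out")."""
    findings = []
    for no, st in enumerate(parse_policy(policy_xml), start=1):
        for purpose, required in st["purposes"].items():
            if purpose in refused_purposes:
                verdict = "conflict" if required == "always" else required
                findings.append((no, purpose, verdict))
        for retention in st["retention"]:
            if retention in refused_retention:
                findings.append((no, retention, "conflict"))
    return findings


if __name__ == "__main__":
    for finding in check_against_preferences(
            SAMPLE_POLICY, {"telemarketing", "admin"}, {"indefinitely"}):
        print(finding)
```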
3.5 WEB 2.0
186. Web 2.0 gathers several technologies and services designed to create and develop
communities and agile services based on the concept “The Network Is The Computer”.
187. With Web 2.0, the issues of digital identity, right to anonymity, and protection of private
life and digital privacy are more acute [32].
188. Technical platforms that host different communities, such as blogs or auctions, must be
subject to a notification where their technical means are located in the French territory.
189. Exchanges on such platforms are usually made with a pseudonym (User ID, alias).
Platforms organize an “anonymous personalization” where:
- it is possible to communicate with a pseudonym;
- the community members can rate each other and give their feedback;
- the real identity of community members is disclosed when transactions are completed
(brokerage in computerized auction) or with judicial authorization.
[31] The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, Recommendation of World Wide Web
Consortium (W3C) dated 16 April 2002.
[32] Eric Barbry, “Web 2.0: nothing changes…but everything is different”, Communications & Stratégies,
1st quarter 2007, n° 65, p. 91.
4. IDENTIFICATION AND SURVEILLANCE TECHNOLOGIES
4.1 APPLICATIONS AND FUNCTIONALITIES OF IDENTIFICATION TECHNOLOGIES
4.1.1 Biometrics
190. The term “biometrics” designates all computerized technologies enabling the
automatic recognition of an individual based on physical, biological or even behavioral
features. A badge with a digital photograph without possible processing does not fall within
the scope of biometrics. Biometric data are broken down into three categories:
- specimens derived from the human body (DNA, body odor);
- digital representations or size (fingerprint or outline of the hand);
- attitudes (handwritten signature, typing on a keyboard).
191. There is no law specially regulating biometrics. As far as data protection is concerned,
biometrics is legally regulated when used to control the identity of individuals.
192. Whatever the sector (public or private), that type of processing may be implemented only
after the authorization of the CNIL. The CNIL has established three types of single
authorizations related to biometrics and to:
- the fingerprint for access control to the work place [33];
- the hand geometry for access control, working time management and food catering at
the work place [34];
- the hand geometry for access to school cafeteria [35].
193. Considering the risks entailed, the CNIL considers that biometric data may be used only
if there is an imperative security requirement and particular circumstances limiting the risks.
194. Except in specific cases, the CNIL rejects any use of biometrics simply for management or
comfort purposes. It favors technical solutions based on traceless or traceable biometrics, the
storage of identifiers on limited media under the exclusive control of the data subjects, and the
absence of trace after usage.
195. For example, it has issued a favorable opinion for:
- the implementation of a biometric control to access areas restricted for security
purposes in the Orly and Roissy airports (Deliberation 2004-017);
- a draft order from the Minister of Justice for the creation of a computer application to
check the identity of prisoners based on the recognition of hand morphology
(Deliberation 2003-027);
- the implementation by the chamber of commerce and industry of Nice-Côte d’Azur of
an automatic processing of personal data with the purpose of managing a loyalty card
implying the use of a biometric device recognizing fingerprint (Deliberation 2005-115).
[33] Delib. 2006-102 of April 27, 2006.
[34] Delib. 2006-101 of April 27, 2006.
[35] Delib. 2006-103 of April 27, 2006.
4.1.2 RFID
196. RFID (Radio Frequency Identification) is a technology allowing a contactless
identification: a smart tag interacts with a reader via radiofrequencies.
197. In the long run, the objective of RFID is to replace bar codes on products and enable the
emergence of new tracking and reactivity services.
198. The RFID technology maximizes the possibilities to track objects and individuals.
199. An RFID tag contains an electronic chip, a memory incorporated into the chip and an antenna.
200. Passive RFID tags have no power source. The electric power is induced by the reader at
the time of the reading operation. In contrast, active RFID tags have a battery, and thus a
power autonomy. The difference between passive and active tags is the read range between
RFID tags and readers.
201. With the digital age, the Internet of “computers” is developing into an Internet of objects.
All objects, subject to an identification standard, may interact and react according to a
detected context or an initiated actor. The impact is increased by the integration of the RFID
process into an information system, such as the production IS, the customer IS or the logistics
IS. Similarly, the integration of RFID readers into mobiles transforms them into “a universal
remote control” [36].
202. There is no law or regulation specific to RFID, as for biometrics for example.
The direct or indirect use of smart tags is subject to the general regime of prior formalities
(notification or authorization) according to the status of the data controllers or the nature of
the data and the processing carried out.
203. All the rights of individuals (information, access, authorization, objection, modification,
rectification and oblivion) apply to RFID technologies. The widespread use of RFID implies
the necessity to establish a right to “deactivation” in order to avoid an all-or-nothing system
regarding RFID services.
4.2 ISSUES UNDER THE FRENCH DPA
204. A recognition system is based on the alternative or cumulative modes below:
- a physical element: photograph or physical particularity such as a scar, tattoo, etc.;
- a device: card, USB key, letter, etc.;
- information: secret formula, first name of the mother, country and date of the last three
travels etc.
205. Biometrics is a disruptive technology because of the uniqueness of the means (an element of
the human body), the universality of the technique and the efficiency of the recognition.
206. Biometric technologies have a high “invasive” potential in terms of privacy protection.
[36] Serge Miranda, L’ère des objets « vivants » au service de l’homme, L’Expansion 719-5-2007 p. 147.
207. According to the National consultative committee for sciences of life and health, because
of the paradox created between the protection of privacy and the invasions of privacy, there is
a kind of agreed confiscation of liberty. Surreptitiously, our society, in the name of the
security paradigm, is getting used to these biometric tags and everyone finally accepts, even
with indifference, to be put on files, observed, located, traced, often without being aware
thereof [37].
208. The dangers linked to the creation of huge biometric databases are the most important
issues.
4.3 APPLICABLE LAWS AND REGULATIONS
209. The legal framework of identification and surveillance technologies primarily depends
on:
- the places (public or private zones);
- the terms of use (surveillance or research);
- the field of activities (private, professional, economic, social, philosophical, etc.).
210. Identification and surveillance technologies must be subject to a notification or an
authorization, according to their nature.
211. The implementation of such technologies at the workplace is subject to:
- information of staff representative bodies on the introduction of new technologies;
- information of staff representative bodies on devices used to control and monitor
employees;
- information of the data subjects.
212. This is necessary because in most cases the introduction of a new technology extends the
scope of the controls that may be made by the employer.
4.4 PRECAUTIONS TO BE TAKEN
213. Using surveillance technologies implies the compliance with the principles of legality,
purpose, legitimacy, proportionality, adaptability and transparency.
214. The general principle in a democracy is the absence of surveillance. Surveillance can
only happen exceptionally, it must be motivated by a specific situation and realized in a
predefined legal framework.
215. Surveillance can be made only for security and protection purposes. This is in particular
the case for:
- the fight against terrorism by video surveillance in public places;
- the supervision of telecommunications networks via cyber surveillance;
- the protection of the access to sensitive zones via biometrics.
216. The security requirement is a condition that is necessary, but not sufficient. The data
controller of the processing must also legitimate the usages made under his rights and
obligations, and the places and individuals covered by the surveillance.
[37] CCNE Biométrie, données identifiantes et droits de l’homme: Avis n°98 p.16.
217. According to an inviolable principle enshrined in the French Labor Code, an employer
cannot place on individual and collective liberties a restriction that would not be justified by
the nature of the tasks to be performed or proportional to the purpose pursued.
218. Such principle protects employees against systematic or unjustified controls. The
compliance with the proportionality principle imposes that the data controller strikes a
balance between the different security requirements and the rights of individuals. The purpose
of such proportionality principle is to relativize the rights of the controller under the
legitimacy of his processing.
219. Such balance of interests is described by the Data Protection Act as follows:
- “the pursuit of the data controller’s or the data recipient’s legitimate interest, provided
this is not incompatible with the interests or the fundamental rights and liberties of the
data subject.” (DPA, Art. 7(5°)).
220. That paragraph allows a departure from the general obligation to obtain consent prior to
implementing an automatic processing of personal data (DPA, Art. 7).
221. The techno surveillance used must be adapted to the situation in case of:
- modification of the context;
- evolution in the above criteria. All the criteria must remain relevant throughout the
period during which techno surveillance is used.
222. Lastly, the French Labor Code states that “no information concerning an employee or a
job applicant personally may be collected through a device he or she has not been informed of
in advance”. Therefore, it seems that, to be enforced against employees, the means of control
likely to be implemented must be notified to them for example in an information memo or a
computer resources acceptable use policy.
* *
*
5. JUDICIAL FRAMEWORK
223. The French data protection authority, the Commission nationale de l’informatique et des
libertés (“CNIL”), is an independent administrative authority without judicial personality.
224. The decisions of the CNIL are subject to the judicial review of the Conseil d’Etat
(French administrative Supreme Court) with an ultra vires action (recours pour excès de
pouvoir) or an action based on grounds of both facts and law (recours de pleine
juridiction).
225. Since the amendment of the Data Protection Act in 2004, the CNIL has many powers
including:
- the power to perform a posteriori inspections;
- the power to impose administrative and financial sanctions.
226. Its “jurisdictional” activity grows very rapidly both in terms of the number of actions
initiated and the amount of the sanctions applied.
5.1 COMPLAINTS
227. The CNIL receives claims, petitions and complaints (DPA, Art. 11, 2°-c). The booming of
the Internet with the general public has increased the awareness of individuals on the use
made of their personal data.
5.1.1 Referring a matter to the CNIL
228. A matter can be referred to the CNIL in many forms. The CNIL invites individuals to
contact it by simple letter; some standard letters are available online on its website
(www.cnil.fr).
5.1.2 Effects
229. The CNIL has a large power of assessment regarding whether or not to act upon a claim
referred to it, irrespective of the decision taken thereafter by the judicial authorities. It decides
whether measures should be taken further to a complaint and is only obliged to refer to the
Public Prosecutor the offences it has knowledge of. For example, it may decide to:
- establish a dialogue with the data controller;
- carry out documentary and on-the-spot inspections;
- issue an injunction against controllers;
- apply sanctions and penalties;
- refer the matter to the Public Prosecutor;
- close the file without further action.
230. In any case, the CNIL must inform the complainants of the decisions taken regarding
their complaints (DPA 1978, Art. 11, 2°-c).
MODULE No. 3 – Disputes and Sector-Specific Law
5.2 INSPECTIONS CARRIED OUT BY THE CNIL
231. The inspections carried out by the CNIL since 1978 have been reinforced and regulated
since the 2004 reform.
5.2.1 The inspectors
232. The inspectors may be the members of the CNIL and duly empowered agents from the
operational services of the CNIL.
233. The accreditation of the CNIL agents “shall not grant exemption from application of the
provisions defining the procedures authorizing access to secrets protected by law”
(DPA 1978, Art. 19). Inspectors may be assisted by experts.
234. Only a doctor may ask for communication of personal medical data contained in
processing:
- that is necessary for the purposes of preventive medicine, medical research, medical
diagnosis, the administration of care and treatment, or for the management of a
healthcare service,
- carried out by a member of the medical professions (DPA 1978, Art. 44, III).
5.2.2 Modalities of the inspections
235. Inspections may only be made between 6 a.m. and 9 p.m.
236. Inspectors have access to the places, premises, surroundings, equipment or buildings
used for the processing of personal data for professional purposes.
237. Article 44, I of the DPA expressly excludes “the parts of the premises used for private
purposes”.
5.2.3 The inspection procedure
238. Where the CNIL decides to conduct an inspection, it shall first inform the Public
Prosecutor in the territorial jurisdiction where the inspection is to take place.
239. No rule obliges the inspectors to inform the data controller beforehand. The controller
may be assisted by a counsel, a lawyer or a private expert.
240. As part of their mission, the inspectors may:
- ask for the communication of all the documents necessary for the performance of their
mission, whatever their medium, and take a copy of them;
- collect, on the spot or upon summons, all useful information; or
- have access to electronic data processing programs and data, and ask for their
transcription, by any appropriate process, into directly utilisable documents for the
purposes of the verification (DPA 1978, Art. 44, III).
241. A report on the verifications and visits carried out shall be established in the presence of
all parties.
242. After an inspection, the CNIL may decide to:
- inform the Public Prosecutor (DPA 1978, Art. 11, 2°-e);
- initiate a procedure to apply sanctions;
- close the file without further action.
5.2.4 Objecting to an inspection
243. The person in charge of the premises may object to the inspection, provided this is not
considered as the offense of resisting or hindering the exercise of the duties entrusted to the
CNIL members and officers (délit d’entrave). Such objection may be disregarded, at the
request of the chairman of the CNIL, if authorized by the President of the High Court (tribunal de
grande instance), or by a judge mandated by him, in the jurisdiction of which the premises are
located.
244. The judge shall decide by a reasoned ruling in conformity with the provisions provided
for in Articles 493 et seq. of the Code of Civil Procedure. In such case, the visit shall take
place under the authority and supervision of the authorizing judge. He may go to the premises
during the visit. He may halt or suspend the visit at any time (DPA 1978, Art. 44, II).
245. Persons (data controller included) interrogated in the context of verifications or
inspections carried out by the CNIL can raise an objection on the grounds that they are bound
by a duty of confidentiality (DPA 1978, Art. 21).
5.3 THE SANCTIONS
246. The possibility for the CNIL to directly apply sanctions has been extensively reinforced
by the reform that took place in 2004. Today, the CNIL can impose a wide range of sanctions,
such as issuing a warning, blocking data, notifying the Prime Minister and imposing financial penalties.
247. The CNIL may exercise its powers in relation to the processing when the operations are
carried out, in whole or in part, on the national territory.
248. The persons concerned are the data controllers established:
- in France (DPA 1978, Art. 5);
- in another Member State of the European Union (DPA 1978, Art. 48);
- in a non-EU country.
249. Only the State benefits from a special exemption (DPA 1978, Art. 45, I-1).
5.3.1 The warning
250. The CNIL may issue a warning (avertissement) to a data controller who does not comply
with the obligations resulting from the Data Protection Act (DPA 1978, Art. 45, I(1)). In
addition, the organizations who took measures to suppress the noncompliance initially noted
by the CNIL may also receive a warning.
251. The warning is the first step to invite data controllers to abide by their obligations. As
such, the warning has no direct coercive effect.
252. In any case, the warning does not mean that the data controller will not be prosecuted in
the future.
253. Over the 2002-2006 period, the majority of the CNIL decisions issuing a warning
concerned:
- a breach of the data protection obligations;
- breaches with a possible penal nature.
254. This approach does not generally make any reference to the notion of “fault”. Moreover,
there is no real scale of breach e.g. small breach, repeated small breach, average breach,
serious breach.
255. However, it seems that the CNIL now tends to define more precisely the conducts that
can lead to a warning, making its decisions easier to foresee; the following trends can be noted
in some of its deliberations issued in relation to a warning:
- serious, repeated or excessive acts (Delib. 2005-043 of March 9, 2005);
- negligence or failure to take relevant precautions (Delib. 04-051 of June 3, 2004);
- absence of vigilance and diligence (Delib. 2005-085 of May 10, 2005).
256. Similarly, to date, the CNIL does not systematically take into account the notion of
damage, and in particular the seriousness of the infringement of data subjects’ rights and the
possible related damages.
257. The CNIL may make public its warnings (DPA 1978, Art. 46(2)). That publicity may be
made by all means of communication available to the CNIL, such as:
- a press conference;
- a notification on its website;
- a notice in its monthly newsletter;
- a special paragraph in the annual activity report.
258. The communication to the public of the warning is distinct from the publicity by way of
publication or newspapers, which is reserved for other sanctions.
259. The CNIL decides whether or not to publicize the warning depending on the
circumstances of the case. Contrary to the publicity by way of publication or newspapers, the
decision to make a warning public does not require the prior establishment of bad faith on the
part of the data controller.
260. In practice, the majority of the warnings that have been publicized state that the data
controller had an abnormal conduct. This includes, for example:
- the cure period;
- the failure or slowness to answer the question asked by the CNIL;
- the seriousness of the breach.
261. In practice, the warning is not secret. The CNIL does not publicize simple warnings but
that does not mean that they remain secret.
262. The CNIL may issue:
- a warning, which may be made public;
- a related injunction, in order to put an end to the breach referred to in the warning
(Delib. 2006-208 of September 21, 2006).
263. Where the data controller has not complied with the injunction, the CNIL may decide:
- that sanctions should be issued;
- to issue a warning, which may be made public.
5.3.2 The injunction
264. The 2004 reform gave the CNIL stronger powers to better regulate the situation. From
1978 to 2004, an impressive number of organizations broke the law.
265. In conjunction with or independently from the warning, the CNIL may also order a data
controller to cease the breach within a time period that it determines.
266. If the injunction (mise en demeure) is not complied with, the CNIL may impose special
penalties on the data controller (DPA 1978, Art. 45).
267. The injunction is subject to a dated and numbered deliberation. The CNIL notifies the
injunction via registered letter with return receipt requested.
268. The cure period is fixed by the CNIL according to:
- the seriousness of the breach;
- the urgency;
- the period necessary for the data controller to cure the breach.
269. The deliberation to issue an injunction is taken by the restricted committee of the CNIL.
270. The demands stated in injunctions may be broken down into four categories:
- the compliance with law;
- the implementation of good practices in order to prevent repeated offenses;
- the education and awareness raising of data subjects;
- the development of an audit and monitoring policy.
271. The data controller must prove that he has cured the breach within the time period stated
by letter or memorandum containing:
- the requests made by the CNIL;
- the answers given by him;
- any related supporting documents.
272. At the end of the time limit stated in the injunction, the CNIL may, after having studied
the situation:
- issue a warning, which may be made public;
- impose a financial penalty;
- issue an injunction to stop the processing;
- withdraw the authorization for each processing previously authorized;
- close the file without applying any sanction.
5.3.3 Financial penalties
273. Financial penalties (sanctions pécuniaires) may be imposed on any data controller, except in
cases where the processing is carried out by the State (DPA 1978, Art. 45, I-1).
274. The amount of the financial penalty is fixed by the CNIL in proportion to the gravity of
the breaches committed and the profits obtained from the breach by the controller.
275. For example, when applying penalties, the CNIL has taken the elements below into
consideration:
- non-compliance with an injunction (Delib. 2006-173 of June 28, 2006);
- answer not appropriate to the requests made by the CNIL (Delib. 2006-174 of June 28,
2006);
- failure to provide documents requested by the CNIL (Delib. 2006-245 of November
23, 2006);
- no guarantee “allowing the CNIL to consider that the breaches established may not be
repeated again in the future” (Delib. 2006-245 of November 23, 2006);
- lack of cooperation and transparency (Delib. 2006-281 of December 14, 2006).
276. Financial penalties have a double threshold (DPA 1978, Art. 47):
(i) in case of a first breach, the penalty may not exceed €150,000;
(ii) in the event of a second breach within five years, the penalty may not exceed:
- €300,000;
- or, in case of a legal entity, 5% of gross turnover for the latest financial year, within a
maximum of €300,000.
277. The five year period is computed from “the date on which the preceding financial
penalty becomes definitive” (DPA 1978, Art. 47(2)).
278. The financial penalties are collected “as State debts, other than taxes and income from
State assets” (DPA 1978, Art. 47, al. 4).
279. Whenever the CNIL issues a financial penalty that is final before the criminal court has
definitively judged the same or related facts, the criminal court may order the deduction of the
financial penalty from the fine that it imposes (DPA 1978, Art. 47(3)).
5.3.4 The injunction to stop the processing
280. For processing subject to a notification, an authorization regime or an exemption from
the prior formalities, the CNIL may, if the injunction is not complied with, issue an injunction
to stop the processing (injonction de cessation) (DPA 1978, Art. 45, I-2°).
281. For example, the CNIL has issued an injunction to stop processing in the following
cases:
- research of debtors by an investigation firm (Delib. 2007-186 of June 28, 2007);
- direct marketing (Delib. 2006-279 of December 14, 2006; Delib. 2006-290 of
December 14, 2006);
- list of bad payers in the real estate sector (Delib. 2007-111 of May 30, 2007).
282. The deletion of the data is expressly provided for in the 2004 reform. Previously, the
CNIL had the possibility to “order security measures that may go as far as the destruction of
the information media” (DPA 1978, former Art. 21, 3°).
283. That option has never been used by the CNIL. During the parliamentary debates, this
was suppressed, because:
- such action was serious and irreversible;
- such action was introduced in Article 226-22-2 of the Penal Code.
284. If such sanction is imposed, the officials of the CNIL “are authorized to verify the
deletion of such information” (Penal Code, Art. 226-22-2).
5.3.5 The withdrawal of the authorization
285. If an injunction is not complied with within the relevant time period, the CNIL may
withdraw the authorization (retrait de l’autorisation) for each processing previously
authorized.
286. The processing must be stopped as soon as the withdrawal is ordered as it no longer has
any legal basis.
5.3.6 The sanction procedure
287. Three procedures can be followed to impose sanctions:
- the ordinary procedure (DPA 1978, Art. 45, I);
- the emergency procedure (DPA 1978, Art. 45, II);
- the summary procedure for serious and immediate violation of fundamental liberties (DPA 1978, Art. 45, III).
288. The procedure before the CNIL is the same for each of the four categories of sanctions
below:
- the warning (DPA 1978, Art. 45, I);
- the financial penalty (DPA 1978, Art. 45, I-1°);
- the injunction to stop the processing (DPA 1978, Art. 45, I-2°);
- the withdrawal of the authorization (DPA 1978, Art. 45, I-2°).
289. Fair proceedings are held and both sides are heard at every step of the procedure from its
opening to the issuance of sanctions.
290. The procedure is divided into four steps:
- the inquiry;
- the report;
- the decision;
- the appeal.
291. The duration of the first step (the inquiry) may vary. It includes different phases such as
building up the file and at least:
- an analysis of the situation;
- evidence that a breach has been committed.
292. The second step (the report) is mandatory. It includes the designation of a committee
spokesman (rapporteur) in charge of drafting a report. The rapporteur is designated by the
president appointed by the chairman of the CNIL from among the members not belonging to
the restricted committee. The report will serve as the basis on which sanctions may be issued.
The report is notified to the data controller.
293. The data controller may consult and copy the documents of the file after having sent a
letter to the CNIL.
294. The data controller may present remarks on the report. Those remarks are contained in a
memorandum, which must be submitted to the CNIL within one month from the receipt of the
report (Decr. 2005-1309 of October 20, 2005, Art. 75).
295. The third step (the decision) concerns the sanctions strictly speaking. Sanctions are
imposed by the restricted committee (DPA 1978, Art. 17). The data controller may be assisted
or represented at every step of the procedure.
296. The government commissioner (commissaire du gouvernement) attends the debates but
does not participate in the vote. When it comes to penalties, he may not require a second
deliberation.
297. Under Article 46 of the Data Protection Act, the committee spokesman may present oral
remarks to the CNIL. Pursuant to the principles of fair proceedings and equality of arms, the
data controller should be able to:
- hear the oral observations of the rapporteur;
- reply and present remarks, in the same form and in the same conditions.
298. The rapporteur does not participate in the deliberations (DPA 1978, Art. 46(1)).
299. The CNIL may hear any person who may usefully contribute to its inquiry (DPA 1978,
Art. 46(1)).
300. The hearing takes place as follows:
- the remarks of the rapporteur;
- the remarks of the government commissioner;
- the oral arguments of the data controller.
301. The decision is made by a majority. It shall be reasoned (DPA 1978, Art. 46(3)).
302. In case of bad faith on the part of the data controller, the CNIL may order the publication
of any other penalties imposed in such publications, newspapers or other media as it
designates. Publication is at the expense of the persons sanctioned (DPA 1978, Art. 46(2)).
Publication is not available in case of warnings.
303. An appeal against the penalty on grounds of both facts and law may be made before the
Conseil d’Etat.
5.3.7 The emergency procedure before the CNIL
304. The emergency procedure (procédure d’urgence) requires that two conditions be met
(DPA 1978, Art. 45, II):
- an emergency;
- the proof that the processing or the use of processed data leads to a violation of the
fundamental rights and liberties referred to in Article 1 of the Data Protection Act, i.e.
human identity, human rights, privacy, or individual or public liberties.
305. Measures can be taken only during fair proceedings where both sides are heard.
306. The emergency measures may:
- interrupt the implementation of the processing;
- block certain data.
307. The processing may be interrupted for a maximum period of three months (DPA 1978,
Art. 45, II-1°).
308. Interruption may not be decided for processing carried out for the State concerning:
- State security, defense or public safety (DPA 1978, Art. 45, II-1° referring to
Article 26, I-1°);
- the investigation, or proof of criminal offences, the prosecution of offenders or the
execution of criminal sentences or security measures (DPA 1978, Art. 45, II-1°
referring to Article 26, I-2°);
- the management of prohibited data authorized by a decree subject to a prior opinion of
the Conseil d’Etat (DPA 1978, Art. 45, II-1° referring to Article 26, II itself making
reference to Article 8 concerning racial and ethnic origins, the political, philosophical,
religious opinions or trade union affiliation of persons, or which concern health or
sexual life);
- use or consultation of the national register for the identification of individuals
(DPA 1978, Art. 45, II-1° referring to Article 27, I-1°);
- biometric data (DPA 1978, Art. 45, II-1° referring to Article 27, I-2°);
- taxes (DPA 1978, Art. 45, II-1° referring to Article 27, II-2°);
- statistics (DPA 1978, Art. 45, II-1° referring to Article 27, II-2°).
309. The processing may be blocked for a maximum period of three months (DPA 1978,
Art. 45, II-2°).
310. Blocking may not be decided for processing carried out for the State which involves:
- State security, defense or public safety (DPA 1978, Art. 45, II-1° referring to
Article 26, I-1°);
- the prevention, investigation, or proof of criminal offences, the prosecution of
offenders or the execution of criminal sentences or security measures (DPA 1978,
Art. 45, II-1° referring to Article 26, I-2°);
- the management of prohibited data authorized by a decree subject to a prior opinion of
the Conseil d’Etat (DPA 1978, Art. 45, II-1° referring to Article 26, II itself making
reference to Article 8).
311. For processings excluded from the interruption and blocking measures taken under an
emergency procedure, a special procedure is organized as follows:
- notification of the Prime Minister on the violation of the fundamental rights and
liberties;
- reply from the Prime Minister within fifteen days of receiving the notification
indicating the steps that have been taken.
5.3.8 The summary procedure
312. The summary procedure (known as référé liberté) may be applied in case of serious and
immediate violation of the rights and liberties mentioned in Article 1 of the Data Protection
Act (violation of human identity, human rights, privacy, or individual or public liberties) at
the initiative of the chairman of the CNIL.
313. The emergency procedure will fall either within the jurisdiction of the judicial courts if
the data controller acts for private interests, or within the jurisdiction of the administrative
courts if the controller acts on behalf of the State, a public establishment or a local authority
or in the course of the performance of a public service mission (Alex Türk Rapport, Senate
Doc. No. 218 of March 19, 2003 p. 139).
314. It concerns all processing operations, whether public or private.
6. SECTOR-SPECIFIC DATA PROTECTION RULES
6.1 PUBLIC SECTOR
315. Public sector includes:
- the general presentation of the activities of the State;
- national defense;
- justice;
- police, “gendarmerie” (constabulary) and customs;
- state education;
- the activities of public establishments and those of private organizations entrusted
with a public service;
- local authorities.
6.1.1 The State
316. Further to the 2004 reform, processing carried out for the State is subject to:
- a special authorization regime (DPA 1978, Art. 26 and 27);
- the general regime for authorizations and notifications (DPA 1978, Art. 25).
317. The main categories of processing carried out for the State may be classified as follows:
- processing linked to State sovereignty: State security, defense or public safety;
- processing related to the prevention, investigation, or proof of criminal offences, the
prosecution of offenders or the execution of criminal sentences or security measures;
- processing related to state education;
- processing for staff management;
- e-government;
- processing for public statistics purposes.
318. Staff management
319. This category of processing may be subject to:
- an exemption from notification for the management of remunerations (Delib. 2004-096
of December 9, 2004 (State, local authorities, public establishments and private
legal entities in charge of a public service));
- a simplified standard for the staff management function (Delib. 2005-002 of January
13, 2005).
320. e-government
321. e-government gathers all of the dematerialized administrative activities.
322. Special regimes concern:
- the processing of on-line e-government services using the registration number of
individuals (“NIR”) in the national register for identification or any other identifier of
individuals (authorization);
- the dematerialization of public procurements (exemption from notification).
323. e-government activities with identity managed by NIR or another identifier must be
subject to a prior authorization.
324. The dematerialization of public procurements
325. Processings implemented by public organizations under the dematerialization of public
procurements are exempted from notification on the basis of deliberation 2005-003 of January
13, 2005. The exemption covers all activities linked to the dematerialization of public
procurements.
326. “The only functions of the processing must be:
- the publication, the transmission and the provision via electronic means of documents
relating to public invitations to bid realized by public organizations governed by the
Public Procurement Contracts Code;
- the receipt by such organizations of bids and answers related to the conclusion of a
public procurement contract;
- the establishment, by the public organizations governed by the Public Procurement
Contracts Code, of a register that may include: the notice that the invitation to bid has
been put online, the tender regulations, the consultation dossier of companies and any
modifications made thereto, the list of the persons who have downloaded the
documents, all information exchanged with those persons, the references of the
applications and bids received;
- the secure management of applications, bids, notifications and letters required to
award a public procurement contract.
Any use of personal data for direct marketing shall be prohibited” (Delib. 2005-003 of
January 13, 2005, Art. 2).
327. Automatic processings that imply the transmission of personal data to non-EU countries
are not eligible for the exemption, including when such transmission is made for
subcontracting purposes (Delib. 2005-003 of January 13, 2005, Art. 9).
328. Public statistics
329. Public statistics are mainly governed by the Act related to obligations, co-ordination and
confidentiality as regards statistics (Act 51-711 of June 7, 1951 related to obligations, co-
ordination and confidentiality as regards statistics).
330. The guiding principles are:
- an authorization regime;
- a secrecy period that may not exceed a hundred years;
- a segmentation of uses;
- an obligation to answer, any failure leading to a fine for each offense;
- a general prohibition to use the results for tax audit or sanction purposes.
331. In that domain, the CNIL has adopted three simplified standards for:
- statistical processing of personal data related to individuals and their status as
individual entrepreneurs or family support carried out by public services and
organizations governed by Act 51-711 of June 7, 1951, as amended (Delib. 81-017 of
February 24, 1981; NS No. 18);
- automatic statistical processing of personal data extracted from surveys related to
individuals carried out by the State and public administrative establishments
(Delib. 81-028 of March 24, 1981; NS No. 19);
- automatic statistical processing made, on the basis of management documents or files
containing personal data on individuals, by services producing statistical information
within the meaning of Decree 84-628 of July 17, 1984 (Delib. 84-038 of November
13, 1984; NS No. 26).
332. Decree 84-628 has been cancelled and superseded by Decree 2005-333 of April 7, 2005,
related to the National Council for Statistical Information and the Committee of IT secrecy.
333. State education and teaching
334. The processings of that sector are organized as follows:
- management of pupils in nursery schools and elementary schools;
- schools and secondary education establishments;
- management of Crous (students’ representative body);
- geo-location of children.
335. Processing related to the management of pupils in nursery schools and elementary
schools are governed by simplified standard No. 33 “Nursery Schools and Elementary
Schools” and simplified standard No. 27 “Pupils and Local Services”.
336. Processing related to schools and secondary education establishments are governed by
simplified standard No. 29 “Schools and Secondary Education Establishments”.
337. Processings related to the social action and statistical data on the activities of the social
services of Crous implement data on possible social difficulties. Those processing operations
are subject to the authorization regime (DPA 1978, Art. 25, 7°). The CNIL has adopted a single
authorization No. AU-002 for them.
6.1.2 National defense
338. The activities involved in the sector of national defense, State security and public safety
are subject to a specific legal regime with regard to:
- the prior formalities;
- the rights of data subjects;
- the CNIL’s right to supervise.
339. Processing linked to State sovereignty do not fall within the scope of Directive 95/46/EC
of October 24, 1995 (Dir. 95/46, 13th recital).
340. Processing linked to State sovereignty are subject to an authorization regime based on:
- an order;
- a decree subject to a prior opinion of the “Conseil d’Etat” when sensitive data are
used.
341. Requests for opinions related to those processings may not have to “include all the
elements” defined in Article 30, such as the identity of the controller, the purpose, the data
used, etc.
342. The following processings are eligible for that derogation:
“1. Decree for the application to files managed by the direction de la surveillance du territoire
of the provisions of Article 31 (3rd paragraph) of the Act No. 78-17 of January 6, 1978;
2. Decree for the application of the provisions of Article 31 of the Act No. 78-17 of January 6,
1978, to personal data files implemented by the direction générale de la sécurité extérieure;
3. Decree for the application of the provisions of Article 31 of the Act No. 78-17 of January 6,
1978, to files of the direction de la protection et de la sécurité de la défense;
4. Decree for the application of the provisions of Article 31 of the Act No. 78-17 of January 6,
1978, to the personal data file implemented by the direction du renseignement militaire;
5. Order relating to the automatic processing of personal data implemented by the direction de
la protection et de la sécurité de la défense;
6. Order relating to the automatic processing of personal data “fichier de la DGSE”
implemented by the direction générale de la sécurité extérieure;
7. Order relating to the automatic processing of personal data “fichier du personnel de la
DGSE” implemented by the direction générale de la sécurité extérieure;
8. Order relating to the automatic processing of personal data of foreigners implemented by
the direction du renseignement militaire.” (Decr. 2007-914 of May 15, 2007, adopted for the
application of Article 30 I) of the DPA 1978, Art. 1).
343. For the processings listed above, Decree of May 15, 2007, expressly provides that the
request for opinion of the CNIL should at least contain the following information:
- “the identity and address of the data controller;
- the purposes of the processing, if applicable, the title of the processing;
- the service(s) responsible for carrying out the processing;
- the service where the indirect right of access stated in Article 41 of aforementioned
Act of January 6, 1978, is exercised as well as the measures adopted to facilitate the
exercise of that right;
- the categories of persons who, due to their functions or for the needs of their
department, have a direct access to the registered data;
- the authorized recipients or categories of recipients to whom the data may be
disclosed;
- if necessary, the combinations, the alignments or any other form of relation with other
processing” (Decr. 2005-1309 of October 20, 2005, as amended by Decree 2007-451
of March 25, 2007).
344. Processings linked to State sovereignty which are subject to an authorization regime
under an order or a decree subject to a prior opinion of the “Conseil d’Etat” may be exempted
from the publication of the regulatory document authorizing them (DPA 1978, Art. 26, III).
The same applies to the aforementioned processings (Decr. 2007-914 of May 15, 2007,
Art. 2).
345. Processing related to national defense, State security, or public safety are subject to an
indirect access, unless otherwise stated in the authorization.
346. Processing related to State security are exempted from the supervision of the CNIL. Such
exemption must be stated in a decree subject to a prior opinion of the “Conseil d’Etat”
(DPA 1978, Art. 44, IV).
347. The same applies to the automatic processing of personal data of foreigners carried out
by the direction du renseignement militaire (Decr. 2007-914 of May 15, 2007, Art. 3).
6.1.3 Justice
348. Courts, within the limit of their legal missions, have the possibility to collect and
process:
- sensitive data (data revealing racial or ethnic origin, political opinions, religious or
philosophical beliefs, trade-union membership and concerning health or sex life);
- personal data on offences, convictions and security measures.
349. The authorization regime applies to the following processing:
- the investigation, proof of criminal offences and the prosecution of offenders;
- the management of criminal sentences or security measures.
350. Court decisions involving the assessment of an individual’s behavior based on an
automatic processing of personal data intended to assess some aspects of his personality are
prohibited.
351. Processing whose purpose is the prevention, investigation, or proof of criminal offences
are subject to an indirect access where the authorization expressly provides for such indirect
access (DPA 1978, Art. 42).
352. Such processings are organized as follows:
- the national automated criminal record;
- processing by the representatives of the law;
- processing of notaries;
- processing of bailiffs;
- electronic supervision.
353. The national automated criminal record
354. The national automated criminal record is run under the authority of the Minister of
Justice (Code of Criminal Procedure, Art. 768).
355. It concerns:
- individuals born in France, after a check of their identity through the national
identification register for natural persons has been made; such identification number
may in no case be used as the basis for an identity check (Code of Criminal Procedure,
Art. 768);
- legal entities;
- individuals born abroad (Code of Criminal Procedure, Art. 771);
- individuals whose birth certificates have not been found or whose identity is doubtful
(Code of Criminal Procedure, Art. 771).
356. Processing by the representatives of the law
357. Processing by the representatives of the law are subject:
- for processing of personal data relating to offences, convictions and security measures,
to the notification regime, by derogation from the authorization regime applicable to
that type of processing;
- for processing implementing other personal data, to the general regime (authorization
or notification) according to the nature of the data, information systems or
technologies used.
358. Processing by notaries
359. Notarial activities and the drafting of documents by notaries (notaires) are subject to the
authorization regime given:
- the nature of the data (sensitive, offences, convictions and security measures);
- the “combination of files of one or several legal entities who manage a public service
and whose purposes relate to different public interests” (DPA 1978, Art. 25 I 5), e.g.
the processing “Télé@ctes” (IT system between mortgage notaries and registries).
360. They are regulated by the single authorization No. AU-006.
361. Processing by bailiffs
362. Processing by bailiffs (huissiers de justice) are subject:
- for processing of personal data relating to offences, convictions and security measures,
to the notification regime, by derogation from the authorization regime applicable to
that type of processing;
- for processing implementing other personal data, to the general regime (authorization
or notification) according to the nature of the data, information systems or
technologies used.
363. As part of their service or enforcement operations, bailiffs may hold personal data on the
privacy of individuals.
364. The collection and use of these data must comply with the fundamental principles of
fairness, accuracy, proportionality, purpose and dignity.
365. Electronic supervision
366. The placement under electronic supervision concerns:
- an alternative to the enforcement of a custodial sentence;
- a supervision to evaluate or prevent the commission of a new offense.
367. The penalty enforcement judge may provide that the penalty will be enforced via the
placement under electronic supervision such as set out in Article 132-26-1 of the Penal Code,
either in case of sentence to one or more custodial sentences for a total period that may not
exceed one year, or when the convicted person still has to serve one or more custodial
sentences for a total period that may not exceed one year, or when the convicted person has
been admitted to release on parole, subject to have been placed under electronic supervision
on a probationary basis for a period that may not exceed one year.
368. The purpose of processing of personal data on individuals placed under electronic
supervision is to:
- “remotely control their location and monitor them;
- research and arrest them in case they breach their obligations” (Order of January 15,
2007, Art. 1).
6.1.4 Police, gendarmerie and customs
369. The authorization regime applies to the following processings:
- the investigation, the proof of criminal offences or the prosecution of offenders;
- the execution of criminal sentences or security measures.
370. The rights of data subjects: processings whose purpose is the prevention, investigation,
or proof of criminal offences are subject to an indirect access right, when the authorization
expressly provides for such derogation (DPA 1978, Art. 42).
371. Most police files are justified by the following reasons:
- security reasons requiring an “electronic” answer to the main categories of criminality;
- refusal to create a mega database inventorying all fraudulent behaviors (offenses of
any nature, possession of arms, generic technology, etc.).
372. Each file must meet the seven criteria below:
- legality (legal authorization);
- purpose (scope: fight against criminality);
- legitimacy;
- proportionality;
- limitation of uses and destructions;
- regulation and traceability of uses;
- deletion of offences after a legal period.
373. Lastly, the purpose of that segmentation is to organize the separation between judicial
police offences and administrative police offences.
374. The main specific processings in that sector are organized as follows:
- the criminal offences processing system (Stic);
- the judicial system of documentation and exploitation known as “Judex”;
- the Ariane project;
- the file on repeated offences;
- the file on wanted individuals;
- the file of Renseignements Généraux (security branch of the police force);
- the stolen vehicle file;
- the file on fingerprints and palm print (Faed);
- the automated genetic fingerprint file (Fnaeg);
- the computer file of terrorism (FIT);
- the national judicial file on the authors of sexual or violent offences (Fijais);
- the Schengen Information System;
- interceptions of telecommunications;
- the file on the fight against illegal immigration;
- the PNR Agreement with the USA;
- the issuance of a biometric visa.
6.1.5 Private organizations entrusted with a public service mission
375. The regime of that sector is based on the following guidelines:
- an authorization regime concerning the processing subject to Article 27;
- a general regime according to the type of processing carried out or the technology
used.
376. The obligations depend on the information systems carried out, e.g. a human resources
information system, or on the technologies used, e.g. video surveillance or geo-location.
6.1.6 Local authorities
377. Local authorities manage a vast number of processings, which may be divided into three
categories:
- information systems;
- implementation technologies;
- specific processings detailed in that chapter.
378. The data collected must be used for the purposes corresponding to the missions of the
local authorities.
379. Towns must:
- only hold data that is relevant in relation to the purposes;
- separate the data between services and avoid the creation of a unique database;
- limit the use to the missions concerned.
380. Except in special cases, under the Data Protection Act, the mayor is responsible for the
computer files carried out by the town.
381. Processing related to local authorities may be organized as follows:
- registers of birth, marriage and death;
- electoral files;
- administration of populations;
- town planning;
- taxation;
- e-government;
- schooling;
- culture.
382. Registers of birth, marriage and death
383. Towns are obliged to establish a register of birth, marriage and death (registre d’état
civil); as a result, citizens may not object to its establishment. That processing may be subject
to a simplified notification.
384. In such case, the processing for the establishment of registers of birth, marriage and
death should be subject to a standard notification. For most common processings, there is also
a simplified standard No. 43 entitled “Registers of Birth, Marriage and Death”.
385. The online service designed to request extracts from the register of birth, marriage and
death is subject to a single regulatory instrument (RU-002; Order of February 6, 2006).
386. The regulatory instrument RU-001 allows local authorities to manage requests for
validation of certificates for the accommodation of foreigners (Delib. 2005-052 of March 30,
2005).
387. Electoral files
388. The electoral roll includes:
- the last name, first name, domicile or residence of all voters (Electoral Code,
Art. L 18);
- the date and place of birth of each voter (Electoral Code, Art. L 19).
389. “Any voter, any candidate and any party or political group may access and make a copy
of the Electoral Code” (Electoral Code, Art. L 28).
390. The CNIL considers that the mayor:
- may use that list to send letters to citizens, such as the town bulletin;
- must ensure transparency on the origin of the information used;
- must enable the recipients to suppress, if they so wish, their contact details from the
file created to that end.
391. There are two simplified standards (No. 24 and 38) on the electoral file.
392. Administration of populations
393. The main processings related to the administration of populations concern:
- the management of populations;
- the information of populations;
- the communication of information on the populations administered.
394. It may be subject to the simplified standard No. 32 (Delib. 87-119 of December 1, 1987,
on the automatic processing of personal data implemented by towns whose population does
not exceed 2,000 inhabitants for the management of their; NS No. 32).
395. There is also a simplified standard No. 31 dealing with the information of populations.
396. Town planning
397. The simplified standard No. 44 “Land Registry” regulates the management of land
registry and town planning.
398. Concerning the communication of information, the principles are the following:
- the public has no direct access to the consultation software;
- the communication supposes that the requesting party signs a personal commitment
document on “the limits of use and risks incurred” in case of non-compliance;
- privacy data (date and place of birth of the owner, reason for exemption, elements
related to financing etc.) may not be disclosed;
- the address of the domicile of the owner may be given only on legitimate grounds
(Guide for local authorities, Cnil, 2004).
399. Taxation
400. Processings related to taxation are regulated by simplified standards No. 45 “Direct
Taxes”, No. 49 “Vacant housing” and No. 10 “Taxes”.
401. Online government services
402. Processing related to e-government and online services benefit from an exemption No. 5
“Control of Legality”.
403. Schooling
404. The management of children of school age by towns may be subject to the simplified
standard No. 33.
405. The management of services to pupils may be subject to the simplified standard No. 27.
406. Culture
407. The cultural sector includes:
- libraries;
- conservatoires;
- local theaters;
- the organization of events.
408. The management of loans to users may be subject to the simplified standard No. 9.
409. Processings related to the activities of conservatoires must be subject to a standard
notification or to the simplified standard “Management of clients”.
410. Concerning local theaters, the rules applicable are similar to those applying to
conservatoires. The management of the ticket office is subject to a special presentation.
6.2 BANK – INSURANCE SECTOR
6.2.1 Bank
411. The banking industry is carefully monitored by the CNIL, as demonstrated by the many
controls carried out and sanctions issued by the data protection authority. Over a long period,
the banking sector is the sector that has been most often subject to penalties from the CNIL
(warnings and sanctions included).
412. Companies working in the banking sector are excluded from simplified standard No. 48
“Management of Clients”.
413. Prior formalities related to customer information systems are organized as follows:
- the management and keeping of accounts (general notification or simplified
notification under standard No. 12);
- the management of credits to individuals (general notification or simplified
notification under standard No. 13);
- the assessment of risk and scoring technique (authorization or single
authorization AU 005).
414. Considering the difficulties faced in that sector by non-professional individuals to
exercise their right of access, the CNIL has drafted a specific guide (“Le droit d’accès dans le
secteur bancaire”, Cnil December 2004, available on the CNIL website, section
“Approfondir”, “dossier Banque-Finance”).
415. Processings in that sector can be divided into the main categories below:
- the management of the customer information system;
- the assessment of the risks and the scoring techniques;
- the Central Check Register (FCC);
- the National Register of Irregular Checks (FNCI);
- the Register on (CB) Credit Card Withdrawals;
- the National Register of Household Credit Repayment Incidents (FICP);
- the Aeras convention;
- the fight against money laundering;
- the list of insiders;
- the management of financial instruments;
- the Swift network;
- the bank insurance.
416. Assessment of risks and scoring techniques
417. The CNIL has adopted a single authorization AU-005 (Delib. 2006-019 of February 2,
2006) for the assessment of risks and scoring techniques.
418. The scoring techniques are, legally speaking, automated decisions governed by Art. 10 of
the Data Protection Act.
419. Central Check Register
420. The Central Check Register (FCC) is a means to crack down on bad checks. More than a
record on default, the purpose of that system is to organize a dissuasion system and prevent
the issuance of bad checks or, at least, to limit the reiteration of such economic defaults
(Monetary and Financial Code, Art. L 131-85 and R 131-26).
421. The Bank of France is in charge of centralizing all of this information.
422. National Register of Irregular Checks (FNCI)
423. The purpose of that register is to enable each beneficiary of a check to verify the validity
of said check (Monetary and Financial Code, Art. L 131-86).
424. Data relates to all information on the regularity of the check (loss, theft, closed account,
etc.), except for the name of the account holder.
425. Processing operations are carried out by the Bank of France (Monetary and Financial
Code, Art. L 131-86).
426. Register on CB Credit Card Withdrawals
427. The Register on CB Credit Card Withdrawals is based on a contractual agreement
between the Bank of France and the Groupement des Cartes Bancaires, which has been subject to
a decision of the general council of the Bank of France (Decision of July 16, 1987, adopted by
the general council of the Bank of France, Art. 1).
428. The Bank of France is in charge of centralizing all of this information.
429. National register of Household Credit Repayment Incidents (FICP)
430. The National Register of Household Credit Repayment Incidents lists information on
instances of deliberate non-payment of loans granted to natural persons for non-professional
purposes. The register is administered by the Bank of France (Consumer Code. Art. L 333-4).
431. The credit institutions referred to in Act 84-46 of January 24, 1984, relating to the
activities and supervision of credit institutions, are required to report all such instances of
non-payment to the Bank of France. The cost of making such reports shall not be charged to
the individuals concerned (Consumer Code, Art. L 333-4).
432. The Bank of France is the only one authorized to centralize the information referred to in
paragraph above. Only professional bodies and central bodies representing institutions
referred to in the second paragraph are authorized to keep registers relating to instances of
non-payment. The Bank of France is released from professional secrecy in regard to the
transmission of personal information contained in the register to credit institutions and the
aforementioned financial services. The Bank of France and the credit institutions are
prohibited from providing copies of information contained in the register to anyone, in any
form whatsoever, including the person concerned when he exercises his right of access
pursuant to Article 39 of Act No. 78-17 of January 6, 1978, under pain of the penalties
provided for in Articles 226-22 and 226-21 of the Penal Code (Consumer Code, Art. L 333-4).
433. Aeras Convention
434. The Aeras (“Assurer et Emprunter avec un Risque Aggravé de Santé”) convention
improves access to insurance and credit for individuals who present an aggravated health risk
or disability. Its legal framework is found in Article L 1141-2 of the Public Health Code.
435. In addition to the obligations stated in the Data Protection Act in regard to health data ,
the Aeras convention establishes special obligations to organize:
- the confidentiality of the access to the health information and questionnaires, when the
data are collected in the agency;
- the obligation to let the data subject act alone.
436. The fight against money laundering
437. That type of processing is subject to the authorization regime, to the extent that a
profiling results in excluding “persons from the benefit of a right, a service or a contract”.
(DPA 1978, Art. 25, 9-4°).
438. The CNIL has established a general framework (a single authorization) to combat money
laundering and terrorist financing.
439. If the banking institution is not eligible for said single authorization, a
request for special authorization must be submitted.
440. The authorization determines a special framework based on these limitations
(Delib. 2005-297 of December 1, 2005 adopting a single authorization for certain processing
of personal data carried out in financial organizations to combat money laundering and
terrorist financing; AU-003).
441. The fight against fraud and inconsistencies
442. The purpose of that type of processing is to search for elements revealing abnormal
behaviors on the basis of different sources of information, such as:
- successive elements provided by customers or prospects;
- public records (register of commerce);
- inconsistencies in the information provided.
443. To the extent that the analysis may result in an exclusion of a right or a contract, that
type of processing is subject to the authorization regime (DPA 1978, Art. 25, I-4°).
444. That type of processing falls within the category of profiles. A manual evaluation is
required before rejecting any loan or carrying out any financial operation.
445. Swift network
446. The Swift (Society for Worldwide Interbank Financial Telecommunication) network is a
Belgian company subject to the supervision of the Banking, Finance and Insurance
Commission of Belgium.
447. The CNIL, in cooperation with the Art. 29 Working Party, has launched investigations in
order to determine whether monitoring contrary to the Data Protection Act was carried out after the
9/11/2001 attacks.
448. According to the CNIL, such monitoring:
- covers not only financial transfers to the USA, but also all transactions worldwide,
including within the European Union;
- has been carried out without prior consultation with the European and national public
authorities;
- is made outside the legal framework of intergovernmental cooperation.
449. Bank insurance
450. Banking and insurance activities tend to be close in several areas, such as:
- the investment activities;
- the coupling of financial products with insurance products, in particular for life
insurance contracts.
451. Those two activities are subject to different legal statuses and are respectively governed by
the Monetary and Financial Code and the Insurance Code.
452. Generally, the obstacles to the exchange of personal data result from:
- the protection of the banking sector;
- the general data protection principle of the sectorization of personal data.
6.2.2 Insurance
453. The insurance and risk information system includes the management of:
- insurance policies;
- risks;
- loss.
454. The management of insurance policies
455. Personal data is generally limited to the contact persons of insurance organizations
(internal services of the organization, relations with brokers, insurers and reinsurers).
456. Despite the secondary role played by personal data in this processing, a notification
should nonetheless be filed.
457. The management of risks
458. In most cases, processing for risk management related to infrastructures and resources does
not directly involve personal data.
459. A notification to the CNIL must be made for processing involving personal data such as:
- the contact person in charge of claims (internal and external relations);
- the list of key individuals;
- private data for individuals on stand-by or alert duty in case a risk occurs (address and
home number of the person or of a next of kin, of a second or holiday home, etc.);
- the personal data of the crisis unit members.
460. The management of claims
461. The management of claims may be divided into two main categories:
- the technical insurance management, which is supervised by the insurance and risk
department;
- the management of the claim, which is generally supervised by the litigation
department.
462. This processing must be linked to:
- the notification of the insurance and risk IT system, if no offences, convictions or
security measures are recorded;
- the authorization corresponding to the management of disputes.
6.3 THE DIRECT MARKETING SECTOR
463. The concept of direct marketing includes the following subsectors:
- the sector of distance sale;
- the activities of direct marketing related to the services of other economic activities.
464. The main specific processing operations in that sector are organized as follows:
- direct canvassing;
- behavioral databases;
- the use of the credit card number;
- the assignment of personal data files;
- the right against spamming.
6.3.1 Direct canvassing
465. Direct canvassing may be made via different vectors, whether manual or electronic: call
centers, e-mails, SMS, EMS, MMS, etc.
466. Each of these forms, considering its more or less intrusive effect on privacy, is
subject to specific rules. Legally speaking, “constitutes direct canvassing the sending of any
message intended to promote, directly or indirectly, goods, services or image of an individual
selling goods or supplying services” (Posts and Electronic Communications Code, Art. L 34-5(3)).
467. “It is prohibited to directly canvass, using automatic calling machines, fax machines or
emails, which use, in any form, the contact details of an individual who has not given prior
consent to receive direct canvassing by said means” (Posts and Electronic Communications
Code, Art. 34-5(1)).
468. Consent is defined as “any specific and informed manifestation of free will by which a
person agrees to personal data relating to himself being used for direct canvassing” (Posts
and Electronic Communications Code, Art. L 34-5(2)).
469. Said manifestation should be specific (opt-in), e.g. via:
- a box to be ticked in a form;
- notices in bold or in block letters in the terms of sale or terms of service.
470. According to the CNIL, “the consent to be canvassed must be ‘informed’. For example,
the fact of accepting terms of sale does not mean that you have given your consent to be
canvassed” (Guide Cnil, “Halte aux publicités”, January 2005 p. 8).
471. “In compliance with the provisions of the Data Protection Act No. 78-17 of January 6,
1978, direct canvassing via email is authorized if the contact details data of the recipient were
supplied directly by the latter during a sale or the provision of goods if the direct canvassing
concerns similar products or services supplied by the same natural person or legal entity, and
if the recipient is explicitly and unambiguously offered the option of refusing the use of his
personal data, at no cost except those involved in transmitting the refusal and in a simple
manner, and every time a canvassing email is sent to said recipient” (opt-out) (Posts and
Electronic Communications Code, Art. L 34-5(4)).
472. In addition to the general right to object, “it is forbidden to send messages for direct
prospecting via automatic calling machines, fax machines, and emails without listing the valid
contact details to which the recipient may usefully address a request for said communications
to cease without any costs other than the costs incurred by the transmission of the request”
(Posts and Electronic Communications Code, Art. L 34-5(5)).
473. There are special lists where individuals can register to express their objection to direct
marketing:
- the list of unlisted numbers;
- the list of objection to canvassing for telephone directories;
- the list of objection to reverse phone directory for fixed and mobile telephones.
6.3.2 Behavioral databases
474. The creation and use of behavioral databases on the consumer habits of households for
direct marketing purposes have been subject to a recommendation from the CNIL (Delib. 97-012
of February 18, 1997).
475. Generally, the collection is made on the basis of anonymous questionnaires, in order to:
- obtain data on behavioral habits (more than a hundred questions);
- optionally collect the contact details of individuals in exchange for advantages such as
premiums, gifts or discount vouchers.
476. While that practice is legal, the CNIL has made the following recommendation on the
presentation of the questionnaires sent:
- it must be unambiguous on the purpose of the data collection and, in particular, it
should be avoided to use any term or name that may create a likelihood of confusion
in the mind of the public, such as the terms “Institute” or “survey” and that may make
people inaccurately think that it has a statistical, or even an official purpose, or that
may have the purpose of dissimulating the actual business nature of the operation;
- it must be unambiguous on the purpose of the databases which are built from the
answers given by consumers, so that such consumers are clearly aware that their
answers will be used in direct marketing databases;
- it must be made in such manner that the individuals concerned, when they are incited
to answer them in exchange for various offers (gifts, gift tokens or discount coupons)
are clearly informed of the conditions in which they will be able to benefit from those
offers; the foregoing should particularly be the case when the offers are reserved
exclusively for those individuals who did not object to the assignment of their data to
external companies (Delib. 97-012 of February 18, 1997).
6.3.3 The use of the credit card number
477. The recommendation on the storage and use of the credit card number expressly refers to
the distance sale sector (Delib. 03-034 of June 19, 2003).
478. However, the principles apply to data controllers of other sectors when they carry out
similar actions.
479. To the extent that the credit card number is related to an ongoing transaction, all other
uses require:
- obtaining consent to integrate the information in the database;
- giving information on the uses that are subsequent to and independent of the transaction on
which the initial delivery of the credit card number is based;
- providing clear information on the right to object.
6.3.4 The assignment of files
480. In practice, the term “assignment of files” includes many assignment contracts, e.g.
invoices, leasing, provision of addresses, exploitation of databases...
481. Those activities imply:
- a legal collection when data are recorded;
- special information on the realization of that type of information;
- the possibility to simply exercise a right to object.
6.3.5 E-mailing charter
482. The code of good conduct on the use of electronic contact details for marketing purposes
(available on Fevad website, http://www.fevad.com) has been established by the French
Union of Direct Marketing (UFMD) whose members include:
- Fédération des entreprises de vente à distance (Fevad);
- Union des annonceurs (UDA);
- Association des agences conseils en communication (AACC);
- Mobile marketing association (MMA);
- Union nationale des organismes faisant appel à la générosité du public (Unogep);
- Syndicat des producteurs de cadeaux d’affaires et d’objets publicitaires (Syprocaf);
- Bureau de vérification de la publicité (BVP);
- Cercle du marketing direct (CMD);
- Institut européen du marketing direct (IEMD);
- La Poste.
483. The code has been recognized by the CNIL as compliant with the Data Protection Act.
484. The code of good conduct contains:
- principles enshrined in the Data Protection Act;
- modalities to apply those principles;
- examples.
485. There are additional obligations concerning:
- the consent;
- the subject of the message;
- the addresses of the members of a legal entity;
- the contact details of minors;
- information on the code.
6.3.6 Fight against spamming
486. Spamming is the electronic mailing of unsolicited messages distributed from
electronic address files:
- collected automatically on Internet services (web, forum, chat, etc.);
- composed artificially via automatic rules, e.g. family name-first name, followed by the
address of the company stated in directories;
- obtained from personal files, personal or professional directories obtained in an unfair
manner.
487. The use of robots searching for e-mail addresses on the Internet, combined with the sending
of e-mails on the fly, without building a file, has been considered as unfair to the extent that
such use of electronic addresses hindered the exercise of the right to object (Cass. crim.,
March 14, 2006 No. 05-83.423).
488. The CNIL has applied a policy to combat spamming and help Internet users who are
victims of spamming since 2002.
489. The spam box located at [email protected] was designed to provide Internet users with a tool
to transfer unsolicited messages to the CNIL so that it may:
- size up the phenomenon (importance and nature of the messages);
- take actions under its supervision powers;
- notify the Public Prosecutor of serious spamming operations.
* * *
490. Regulatory authorities worldwide:
491. Governments across the world, whether in Europe (France, Belgium, Switzerland,
Luxembourg, Romania…), North America, Canada… have rapidly implemented their own
personal data protection system.
492. While some countries have both adopted personal data laws and set up authorities to
ensure that protection, others only have data protection laws or only data protection
authorities without specific laws, and others have none.
493. Most countries have decided to entrust “independent bodies” with the mandate of
ensuring the respect of rights and principles set out in their legislation on the protection of
personal data in order to tackle the following question:
494. How to ensure the respect of the private sphere with the development of the new
technologies?
- the authorities in Europe (EU, EEA and Switzerland);
- the authorities outside Europe;
- the cooperation of these authorities to ensure a protection of personal data at the
international level.
MODULE N°4 – Regulation (e-learning available on iTuneU)
7. REGULATORY AUTHORITIES IN EUROPE
7.1 THE EUROPEAN UNION (EU)
7.1.1 The United Kingdom
495. Name of the authority:
- Information Commissioner’s Office[38] (ICO). The Information Commissioner is an
independent official appointed by the Crown. The Commissioner’s decisions are
subject to the supervision of the Court and the Information Tribunal[39].
496. Legislation:
- Data Protection Act 1998[40].
497. Missions and powers:
- promote good practice and give information and advice;
- resolve complaints from people who think their rights have been breached;
- use legal sanctions against those who ignore or refuse to accept their obligations.
7.1.2 Spain
498. Name of the authority:
- Agencia Espanola de proteccion de datos[41] or AEDP (Spanish Data Protection
Agency).
499. Legislation:
- Organic Act on Data Protection of December 13, 1999[42].
500. Missions and powers:
- ensure compliance with the legislation on data protection and ensure its application;
- consider the complaints from the data subjects;
- impose administrative sanctions and penalties;
- issue authorizations, draw up reports.
501. Composition:
502. The Agency is managed and represented by the Director of the Data Protection Agency.
The Director of the Data Protection Agency shall be assisted by a Consultative Council.
[38] http://www.ico.gov.uk/
[39] The Information Tribunal is a tribunal non-departmental public body in the United Kingdom. It hears appeals from
notices issued by the Information Commissioner under two Acts of Parliament - the Data Protection Act 1998 and
the Freedom of Information Act 2000 - and two related Statutory Instruments - the Privacy and Electronic
Communications Regulations 2003 and the Environmental Information Regulations 2004.
[40] http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
[41] https://www.agpd.es/portalweb/index-ides-idphp.php
[42] https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf
7.1.3 Belgium
503. Name of the authority:
- Commission pour la protection de la vie privée[43] (CPVP), under the supervision of the
Belgian House of Representatives (Privacy Commission)
504. Legislation:
- Law of 8 December 1992 on Privacy Protection in relation to the Processing of
Personal Data implemented by Royal Decree of 13 March 2001[44].
505. Missions and powers:
- ensure the protection of privacy during the processing of personal data;
- independent supervisory body.
506. Composition:
507. The Privacy Commission is made of sixteen members:
- a chairman;
- a vice-chairman;
- six other full members;
- eight substitute members.
508. Sectorial committees have been set up within the Commission to monitor that the
personal data processing made in specific sectors does not infringe privacy. Such committees
are composed of Commission members and experts chosen for their knowledge of the sector
concerned. To date, six sectorial committees have been set up.
509. A secretariat divided into 5 sections assists the Commission in fulfilling its missions.
7.1.4 Luxembourg
510. Name of the authority:
- Commission nationale pour la protection des données[45] (CNDP) (National Data
Protection Commission)
511. Legislation:
- Law of 2 August 2002 on the Protection of Persons with regard to the Processing of
Personal Data[46];
- Law of 30 May 2005 on specific provisions applicable in the electronic
communications sector[47].
[43] “Commission pour la protection de la vie privée” (CPVP) in French or “Commissie voor de bescherming van
de persoonlijke levenssfeer” (CBPL) in Dutch: http://www.privacycommission.be/fr
[44] Loi du 8 décembre 1992 relative à la protection de la vie privée à l’égard des traitements de données à
caractère personnel mis en œuvre par l’arrêté royal du 13 mars 2001 portant exécution / Wet tot bescherming van
de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens.
[45] http://www.cnpd.lu/fr/
[46] Loi du 2 août 2002 relative à la protection des personnes à l’égard du traitement des données à caractère
personnel
[47] Loi du 30 mai 2005 relative aux dispositions spécifiques applicables dans le secteur des communications
électroniques
512. Missions and powers:
- promote and inform on the protection of personal data;
- establish an annual report for the members of the government;
- control and check the legality of the processing of personal data, keep a register only
for the processing of data actually involving particular risks;
- ensure the compliance with the protection of privacy in the electronic communications
sector and its implementation regulations;
- take legal actions, issue deliberations, draft reports, conduct investigations, review
complaints, impose administrative sanctions.
513. Composition:
- public authority in the form of a public establishment;
- composed of three full members and three substitute members.
7.1.5 Germany
514. Name of the authority:
- Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit[48]
(Federal Commissioner for Data Protection and Freedom of Information)
515. Legislation:
- Federal Data Protection Act of 27 June 2006[49].
516. Missions and powers:
- monitor the implementation of personal data laws and regulations;
- keep a register;
- conduct investigations, issue recommendations, follow up and transfer complaints to
competent authorities.
7.1.6 Romania
517. Name of the authority:
- Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal[50]
(National Supervisory Authority for Personal Data Processing)
518. Legislation:
- Law of 12 December 2001 for the Protection of Persons concerning the Processing of
Personal Data and Free Circulation of Such Data (amended in 2006)[51].
519. Mission and powers:
- guarantee and protect the natural persons’ fundamental rights and freedoms, especially
the right to personal, family and private life, concerning the processing of personal
data;
- information and control of the compliance with the personal data protection laws and
regulations;
- issue opinions and recommendations, conduct investigations, carry out controls.
[48] http://www.bfdi.bund.de/
[49] Bundesdatenschutzgesetz (BDSG)
[50] http://www.dataprotection.ro/
[51] LEGE nr. 677 din 21 noiembrie 2001 pentru protectia persoanelor cu privire la prelucrarea datelor cu caracter
personal si libera circulatie a acestor date
520. Composition:
7.1.7 Adequacy decisions of the Commission
521. The Council and the European Parliament have given the Commission the power to
determine, on the basis of Article 25(6) of Directive 95/46/EC, whether a third country ensures
an adequate level of protection by reason of its domestic law or of the international
commitments it has entered into. The adoption of a (comitology) Commission decision based
on Article 25.6 of the Directive involves:
- a proposal from the Commission;
- an opinion of the group of the national data protection commissioners (Article 29
Working Party);
- an opinion of the Article 31 Management committee delivered by a qualified
majority of member states;
- a thirty-day right of scrutiny for the European Parliament, to check if the
Commission has used its executing powers correctly. The European Parliament may, if it
considers it appropriate, issue a recommendation;
- the adoption of the decision by the College of Commissioners.
522. The effect of such a decision is that personal data can flow from the 25 EU member
states and three EEA member countries (Norway, Liechtenstein and Iceland) to that third
country without any further safeguard being necessary. The Commission has so far
recognized Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of
Commerce's Safe harbor Privacy Principles, and the transfer of Air Passenger Name Record
to the United States' Bureau of Customs and Border Protection as providing adequate
protection.
7.2 THE EUROPEAN ECONOMIC AREA (EEA)
7.2.1 Iceland
523. Name of the authority:
- Persónuvernd[52] (Data Protection Agency)
524. Legislation:
- Act of 1981 on the Recording of Personal Data;
- Act of 10 May 2000 on the Protection of Privacy as regards the Processing of Personal
Data[53].
525. Mission and powers:
- protect data and monitor the compliance with laws and regulations.
526. Adequate level of protection:
- YES.
[52] http://www.personuvernd.is/
[53] Lög nr. 77/2000 um persónuvernd og meðferð persónuupplýsinga
7.2.2 Norway
527. Name of the authority:
- Datatilsynet[54] (The Data Inspectorate)
528. Legislation:
- Data Register Act of 1978[55];
- Act of 14 April 2000 No. 31 relating to the processing of personal data (Personal
Data Act)[56].
529. Missions and powers:
- verify that statutes and regulations which apply to the processing of personal data are
complied with;
- issue opinions, decisions and authorizations, conduct investigations, keep a register.
530. Adequate level of protection:
- YES.
7.2.3 Liechtenstein
531. Name of the Authority:
- Datenschutzbeauftragter des Fürstentums Liechtenstein[57]
(Data Protection Commissioner of the Principality of Liechtenstein)
532. Legislation:
- Data Protection Act of 14 March 2002[58]
533. Mission and powers:
- implement processings and regulations on personal data protection.
534. Adequate level of protection:
- YES.
[54] http://www.datatilsynet.no/
[55] Lov om personregistre mm av 9 juni 1978 nr 48
[56] LOV 2000-04-14 nr 31: Lov om behandling av personopplysninger (personopplysningsloven).
[57] http://www.sds.llv.li/
[58] Datenschutzgesetz (DSG) vom 14. März 2002.
7.3 SWITZERLAND
7.3.1 National supervisory authority
535. Name of the Authority:
- Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)[59]
(Federal Data Protection and Information Commissioner, FDPIC)
536. Legislation:
- Federal Act on Data Protection of 19 June 1992[60];
- Federal Act on the Principle of Freedom of Information in Public Administration
(Freedom of Information Act, FIA) of 17 December 2004[61].
537. Missions and powers:
- supervise federal bodies, private bodies, control the possibility to access data;
- give recommendations, opinions, draw reports, act as mediator.
538. Adequate level of protection:
- YES.
7.3.2 Switzerland’s official entry into the Schengen zone
539. Switzerland became the 25th member of the Schengen free zone on December 12, 2008.
540. Switzerland has abolished identity checks at the borders in favor of a single
information system, i.e. the Schengen Information System, also called
“SIS”, which is a major tool of judicial and police cooperation between the member
states of the Schengen zone.
541. The Schengen Information System, also called “SIS”, is a secure governmental database
system used by several European countries for the purpose of maintaining and distributing
information related to border security and law enforcement. The data collected concern
certain classes of persons and property.
542. In July 2008 the entire SIS system held over 27 million entries. The majority of these –
26 million – related to stolen property, such as weapons, cars, registered bank notes, identity
cards, and certain documents such as stolen passport forms. The system holds nearly a million
data records on individuals. Some 730,000 of these records relate to refusals of entry to the
Schengen countries, 70,000 to wanted persons, and 23,000 to extradition proceedings.
Switzerland itself has entered data for only about 1,200 wanted persons, and 21,000
individuals are not permitted to enter Switzerland. Stolen property accounts for 280,000
records. According to estimates, the SIS data entered by the Swiss authorities has resulted in
3,000 hits abroad, and an equal number of hits in Switzerland as a result of searches instigated
abroad.
[59] “Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter” in German or “Préposé fédéral à la protection
des données” in French: http://www.edoeb.admin.ch/index.html?lang=en
[60] Bundesgesetz vom 19. Juni 1992 über den Datenschutz (DSG) / Loi fédérale du 19 juin 1992 sur la protection
des données.
[61] Bundesgesetz vom 17. Dezember 2004 über das Öffentlichkeitsprinzip der Verwaltung (Öffentlichkeitsgesetz,
BGÖ) / Loi fédérale du 17 décembre 2004 sur le principe de la transparence dans l’administration.
7.4 PERSONAL DATA PROTECTION OFFICIALS (DPOS)
7.4.1 Overview
543. Legal basis:
- Directive 95/46/EC, Article 18(2).
544. Member States may provide for the simplification of notification to the data protection
supervisory authority only where the controller appoints a personal data protection official.
545. The personal data protection official (DPO) must be independent, i.e.:
- have a freedom of action;
- be trustworthy;
- not be subject to conflict of interests.
546. Missions and powers:
- provide advice and recommendations to the data controller on the
implementation of the processing of personal data;
- play an educational role with the data controller’s employees, which
could include writing an effective code of conduct;
- issue alerts and warnings;
- act as mediator;
- conduct audits.
547. DPOs must know:
- in-depth the data protection laws and regulations;
- adequately technological standards;
- the basics of company management sciences;
- specifically how their company and data processing work.
548. The DPO system has been adopted by various countries, such as France (correspondant à
la protection des données à caractère personnel, or “Cil”), Germany (datenschutzbeauftragte,
or “DSB”), the Netherlands (functionaris gegevensbescherming, or “FG”), Luxembourg
(chargé à la protection des données) and Sweden (personuppgiftsombud, or “PUO”).
7.4.2 The German DPO
549. Legal basis:
- § 4.f of the Federal Data Protection Act (BDSG)
550. Missions:
551. The law requires the German DPO to possess the necessary expertise and reliability.
High standards apply especially to his/her expertise:
- he/she shall be able to apply the data privacy laws of the federation and the federal
states (of Germany) and all other regulations concerning data privacy;
- he/she shall understand the organizational structures of the business concerned, and
shall understand current IT applications;
- the DPO is expected to show sensitivity in relating to people, be able to present
himself and have organizational talents;
- he/she shall be able to resolve conflicts related to his/her person, position and
function in a reasonable way.
552. As a result, the DPO should preferably have a lot of experience with general business
procedures, and should not be limited to one field, like IT specialist or lawyer.
7.4.3 The French DPO
553. Legal basis:
- Article 22-III of the French Law n°2004-801 of August 6th, 2004 on Data protection
554. Missions:
555. The officer shall be a person who shall have the qualifications required to perform his
duties. He shall keep a list of the processing carried out, which is immediately accessible to
any person applying for access, and may not be sanctioned by his employer as a result of
performing his duties. He may apply to the “Commission nationale de l’informatique et des
libertés” when he encounters difficulties in the performance of his duties.
In order to ensure this “independence” and the DPO’s ability to exercise effective oversight
of his own employer’s data protection practices, French law provides that:
- in terms of employment law, the status of DPO has the same level of protection
against unfair dismissal as trade union representatives;
- in case the DPO fails in his duties, he can be dismissed only upon request, or prior
consultation of the CNIL.
556. The 25th annual Report of the French Data Protection Authority (the CNIL), dated April
2005, stipulates that the DPO cannot exercise managerial functions nor management of
human resources nor administration of the information system nor any function in a
department processing sensitive data (e.g.: marketing).
8. REGULATORY AUTHORITIES OUTSIDE EUROPE
8.1 AMERICA
8.1.1 United States of America (USA)
557. Name of the Authority:
- Federal Trade Commission (FTC)[62]
558. Legislation:
- Privacy Act of 1974.
559. Missions and powers:
- inform and educate on the importance of personal data and privacy;
- protect consumers.
560. Adequate level of protection:
561. An agreement known as “Safe Harbor” has been signed between the European
Commission and the United States. The Safe Harbor is a set of rules and principles fixed by
the US Department of Commerce.
562. US companies having voluntarily decided to join the Safe Harbor undertake to comply
with the data protection principles established by the European Union. A list of the US
companies having adhered to the safe harbor framework is kept by the US Department of
Commerce.
563. The level of protection of corporations that have self-certified to the safe harbor
framework is considered as adequate.
8.1.2 Canada, Québec
564. Name of the Authority:
- Commission d’accès à l’information (CAI) [63]
(Information Access Commission)
565. Legislation:
- Act respecting Access to documents held by public bodies and the Protection of
personal information of 22 June 1982 [64].
- Act respecting the protection of personal information in the private sector of 1994 [65]
[62] http://www.export.gov/safeharbor/
[63] http://www.cai.gouv.qc.ca/
[64] Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels.
[65] Loi sur la protection des renseignements personnels dans le secteur privé.
566. Missions and powers:
567. In 1982 the Quebec National Assembly passed legislation encompassing both access to
information and the protection of personal information in the public sector. It entrusted the
supervision of the two parts of the new law to the “Commission d’accès à l’information”
(CAI). In 1994, its mission was extended to the protection of personal information in the private
sector.
- make recommendations on any bill or regulation;
- its prior intervention is mandatory in some personal information exchange projects
between departments or agencies;
- its advice is not binding on the government, but if disregarded, it must be published in
the “Gazette officielle du Québec”.
568. Composition:
569. The CAI is a collegial, complex and plural organization: administrative tribunal,
advisory body and monitoring body all at once. The President and the four other CAI
members are elected for a five-year term by a vote of two thirds of the National Assembly.
570. The Commission is made up of two distinct sections: a jurisdictional section and a supervisory section.
8.1.3 Argentina
571. Name of the Authority:
- Dirección Nacional de Protección de Datos Personales [66]
(National Directorate for Personal Data Protection)
572. Legislation:
- Personal Data Protection Act of 2 November 2000 [67]
573. Missions and powers:
- ensure the security and control the legality of processing operations;
- impose administrative sanctions, issue authorizations, opinions and deliberations,
draw up reports.
574. Adequate level of protection:
- YES [68].
[66] http://www.protecciondedatos.com.ar/
[67] LEY 25.326. Protección de los Datos Personales.
[68] http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/decision-c2003-1731/decision-argentine_en.pdf
8.2 AUSTRALIA
575. Name of the Authority:
- Office of the Federal Privacy Commissioner [69]
576. Legislation:
- Privacy Act (first for public sector, then extended to private sector in 2000).
577. Mission and powers:
- control exclusively public bodies, private bodies in a specific sector (credit,
e-commerce);
- conduct investigations, issue authorizations, give opinions, pronounce withdrawals,
draw up reports.
578. Adequate level of protection:
- NO.
8.3 AFRICA
8.3.1 Tunisia
579. Name of the Authority:
- Instance nationale de protection des données à caractère personnel (“INPDCP”)
(National personal data protection authority)
580. Legislation:
- Organic Law of 27 July 2002 on personal data protection [70]
581. Missions and powers:
- grant authorizations, receive notifications to implement processing of personal data,
or withdraw them in the cases provided for by law;
- receive complaints made within its jurisdiction;
- determine the fundamental guarantees and adequate measures to protect personal data;
- access and monitor personal data subject to processing, collect information
indispensable for the performance of its missions;
- give its opinion on any subject related to data protection laws and regulations;
- elaborate rules of conduct for the processing of personal data;
- participate in the research, training and study related to the protection of personal data
and generally any activity related to its domain;
- has legal personality and financial autonomy;
- conduct investigations in the premises and places where processing is performed,
except in dwelling houses;
- perform its missions with the assistance of accredited agents of the minister in charge
of communication technologies to conduct research and specific appraisals, or of judicial
experts or any other individuals it deems useful;
- inform the public prosecutor territorially competent of any offences it is aware of
within the framework of its activities. Professional secrecy cannot be opposed to it.
[69] http://www.privacy.gov.au/
[70] Loi organique du 27 juillet 2002 portant sur la protection des données à caractère personnel
582. Composition (15 members):
- a president chosen among the competent personalities in that domain;
- a member chosen among the members of the Chamber of Deputies;
- a member chosen among the members of the Chamber of Counselors;
- a representative of the Prime Minister;
- two judges of the third rank;
- two judges of the administrative tribunal;
- a representative of the Minister of the Interior;
- a representative of the Minister of National Defense;
- a representative of the Minister in charge of Communication Technologies;
- a researcher of the Minister in charge of Scientific Research;
- a doctor of the Minister in charge of Public Health;
- a member from the High Committee for Human Rights and Fundamental Freedoms;
- a member chosen among the experts in communication technologies.
8.3.2 Mauritius
583. Legislation:
- Data Protection Act of 27 December 2004 (public and private sectors).
8.3.3 Burkina Faso
584. Name of the Authority:
- Commission de l’informatique et des libertés (CIL)
(Data Processing and Liberties Commission)
585. Legislation:
- Personal Data Protection Act of 20 April 2004 [71]
586. Missions and powers:
- inform and advise data subjects and data controllers on their rights and obligations;
- answer requests for opinions made by public bodies and courts;
- control the creation and implementation of processing operations;
- monitor changes in information and communication technologies and make public its
evaluation of the consequences of such changes on the protection of liberties and
privacy;
- submit to public authorities any proposals to modify laws and regulations that it thinks
relevant to improve the protection of individuals with regard to the processing of their
data;
- draw up reports, issue decisions, give opinions, carry out controls.
587. Composition (9 members appointed by decree taken by the Council of Ministers):
- two representatives of the high courts, i.e. the “Conseil d’Etat” and the “Cour de
cassation” (judges);
- two representatives of the legislative power (deputies);
- two representatives of national associations working in the field of human rights;
- two representatives of national associations of IT specialists (computer experts);
- one individual appointed by the President of Burkina Faso.
[71] Loi du 20 avril 2004 sur la protection des données à caractère personnel.
8.3.4 Senegal
588. Legislation:
- Personal Data Protection Act of 15 January 2008 (public and private sectors) [72]
589. It provides for the creation of a commission for the protection of personal data, the
formalities to implement personal data and the obligations to be respected. The Senegalese
DPA also contains provisions on the combination of files containing personal data.
8.4 ASIA
8.4.1 China
590. Name of the Authority:
- Bureau of Legal Affairs, related to the Ministry of Justice
591. Legislation:
- China is planning legislation for the protection of personal data. The outline of the law
provides for the prior authorization of the data subject before disclosure of data to a
third person.
592. Adequate level of protection:
- NO.
8.4.2 Hong Kong
593. Name of the Authority:
- Privacy Commissioner for Personal Data (PCPD) [73]
594. Legislation:
- Data protection is not regulated by governmental laws. There are only ambiguous
directives (e.g.: Personal Data (Privacy) Ordinance) concerning the accessibility and
use of data by third parties and transborder transfers of data.
595. Adequate level of protection:
- NO.
8.4.3 South Korea
596. Name of the Authority:
- Korea Information Security Agency [74]
597. Legislation:
- Protection of Personal Information maintained by Public Agencies Act of 29 January
1999;
- Promotion of Information, and Communication Network Utilization and Information
Protection Act of 31 December 2001.
598. Adequate level of protection:
- NO.
[72] Loi du 15 janvier 2008 sur la protection des données à caractère personnel.
[73] http://www.pcpd.org.hk/
[74] http://www.kisa.or.kr/english
9. INTERNATIONAL COOPERATION
599. International cooperation on personal data protection is based on:
- the International Conference of Privacy and Data Protection Commissioners;
- the Article 29 Working Party set up by Directive 95/46/EC of 24 October 1995.
9.1 THE INTERNATIONAL CONFERENCE OF PRIVACY AND DATA PROTECTION COMMISSIONERS
9.1.1 Accreditation
600. Data protection authorities that wish to participate in the International Conference of
Privacy and Data Protection Commissioners (“the Conference”) must be accredited.
601. Accredited data protection authorities are, by virtue of their broad functions and depth of
experience, the premier experts on the principles and practice of data protection and privacy
in their jurisdiction. They have the clear mandate to promote and protect data protection and
privacy across a wide sphere of activity and all the necessary legal powers to carry out their
tasks.
602. Criteria and rules for credentials committee (“the committee”):
- a credentials committee considers applications from data protection authorities that
wish to be accredited to participate in the Conference;
- the committee is composed of three members. The committee may not contain more
than 1 member from the same country at any time;
- to fill vacancies occurring between Conferences the committee may co-opt a member
or members (not exceeding 2) from accredited authorities;
- any authority that wishes to be accredited must write to the committee explaining its
case in terms of the accreditation principles. Applications should be made at least 3
months before the annual Conference;
- the committee will offer a recommendation to the Conference in respect of each
application received and will propose a resolution to recognize the credentials of each
approved authority within a national or sub national category;
- the committee may adopt whatever procedure it deems appropriate;
- the normal term for committee members is 2 years. Co-opted members serve only
until the following Conference. No member may serve consecutively for more than 4
years;
- members will bear their own costs;
- the committee may, at the request of any accredited authority, review the position of
any previously accredited authority and offer a recommendation as to whether that
accreditation should be continued.
603. Accreditation criteria:
- the data protection authority must be a public body established on an appropriate legal
basis;
- the data protection authority must be guaranteed an appropriate degree of autonomy
and independence to perform its functions;
- the law under which the authority operates must be compatible with the principal
international instruments dealing with data protection and privacy;
- the authority must have an appropriate range of functions with the legal powers
necessary to perform those functions.
9.1.2 The Conference
604. The aim of the International Data Protection and Privacy Commissioners’ Conference is
to:
- develop cooperation between regulatory authorities;
- improve technical expertise;
- promote a positive image of the protection of personal data;
- promote “a universal right to data protection and privacy”.
605. This Conference, held annually, brings together 78 data protection authorities and
privacy commissioners from every continent. It is open to all those active in the economic
world, the public sector and civil society and constitutes the only major opportunity dedicated
to personal data protection and privacy [75].
606. The 30th International Data Protection Conference was held in Strasbourg (France) on
15-17 October 2008.
607. On that occasion, the data protection authorities of 60 countries called on website
operators to adapt their privacy policies to the needs of children and users of social networks.
608. The Conference also highlighted the importance of increased cooperation between the
data protection community and the business sector.
609. The 30th Conference adopted in particular the following resolutions:
- Resolution on the privacy of minors on the Internet;
- Resolution on the protection of privacy on social networks;
- Resolution on the working group in charge of establishing the realization and details
of an international data protection award.
9.2 THE ARTICLE 29 DATA PROTECTION WORKING PARTY
610. The Data Protection Working Party - commonly referred to as “Art. 29 Working Party”,
“WP” or “G29” - has been established by Article 29 of Directive 95/46/EC of 24 October
1995 on the protection of individuals with regard to the processing of personal data and on the
free movement of such data. It is composed of a representative of the supervisory authorities
of each Member State. [76]
611. The mission of the Working Party is to contribute to the elaboration of European
standards by giving recommendations intended to achieve a uniform application of the
Directive within the European Union, by giving opinions on the level of protection in non-EU
countries and by advising the Commission on any other proposed measures affecting such
rights and freedoms of individuals with regard to the processing of personal data.
612. It meets several times a year in plenary session for one or two days and adopts
recommendations (video surveillance, electronic surveillance of employees…).
[75] http://www.privacyconference2008.org/
[76] Art. 29 Working Party website:
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm
9.2.1 The tasks of the Art. 29 Working Party
613. The tasks of the Article 29 Working Party are to:
- examine any question covering the application of the national measures adopted under
the Directive 95/46/EC in order to contribute to the uniform application of such
measures;
- give the Commission an opinion on the level of protection in the Community and in
third countries;
- advise the Commission on any proposed amendment of the Directive, on any
additional or specific measures to safeguard the rights and freedoms of natural persons
with regard to the processing of personal data and on any other proposed Community
measures affecting such rights and freedoms;
- give an opinion on codes of conduct drawn up at Community level (Dir. 95/46,
Art. 30).
614. If the Working Party finds that divergences likely to affect the equivalence of protection
for persons with regard to the processing of personal data in the Community are arising
between the laws or practices of Member States, it shall inform the Commission accordingly
(Dir. 95/46, Art. 30(2)).
615. Furthermore, the Working Party may, on its own initiative, make recommendations on
all matters relating to the protection of persons with regard to the processing of personal data
in the Community (Dir. 95/46, Art. 30(3)).
616. The Working Party draws up an annual report on the situation regarding the protection of
natural persons with regard to the processing of personal data in the Community and in third
countries. This report is transmitted to the Commission, the European Parliament and the
Council and is made public (Dir. 95/46, Art. 30).
617. The Working Party elects its chairman. The chairman’s term of office is two years. His
appointment is renewable. The Working Party adopts its own rules of procedure. It considers
items placed on its agenda by its chairman, either on his own initiative or at the request of a
representative of the supervisory authorities or at the Commission’s request (Dir. 95/46,
Art. 29). The Working Party’s secretariat is provided by the Commission.
9.2.2 Types of issues examined by the Art. 29 Working Party
618. The Article 29 Working Party has dealt with many data protection issues, such as:
- Air passengers’ data / PNR (“Passenger Name Record”): it reviewed the objective of
curbing illegal immigration by improving checks on EU-bound flights as set out in
Council Directive 2004/82/EC by taking account of the data protection principles
enshrined in Directive 95/46/EC.
- Electronic communications, Internet and new technologies: it studied the filtering of
online communications against viruses and spam under the data protection legislation.
It also gave its opinion on the retention of data generated or processed in connection
with the provision of publicly available electronic communications services under
Article 8 of the European Convention on Human Rights.
- Accounting, internal accounting controls, financial matters: it provided guidance on
how internal whistleblowing schemes could be implemented in compliance with the
EU data protection rules enshrined in Directive 95/46/EC.
9.2.3 Cooperation between data protection authorities within the EU
619. Pursuant to the French Data Protection Act, the French data protection agency (CNIL)
may, at the request of an authority that exercises similar powers in another Member State of
the European Community:
- undertake verifications;
- pronounce sanctions, except in the case of processing for State security and criminal
offences.
620. These powers are the same as those exercised when the CNIL acts on its own initiative.
621. The CNIL is authorized to disclose the information that it obtains or that it holds to the
other data protection authorities in other EU Member States at their request. (French DPA,
Art. 49).
APPENDIX 1:
KEY TEXTS
1. French texts
The French legal framework is made up of the following texts:
- the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual
Liberties, which has been significantly amended by the Law of 6 August 2004;
- the Decree of 20 October 2005, as amended by the Decree of 25 March 2007.
Many other texts refer to data protection, e.g. the Penal Code, the Civil Code, the Public
Health Code, the Posts and Electronic Communications Code, the Labor Code etc.
2. Community texts
The Community legal framework is made up of the following texts:
- Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to
the processing of personal data and on the free movement of such data;
- Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society
services, in particular electronic commerce;
- Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and
the protection of privacy in the electronic communications sector;
- Charter of Fundamental Rights of the European Union (Art. 8).
3. International texts
The international legal framework is made up of the following texts:
- Statements of the United Nations General Assembly, in particular the guidelines for
the regulation of computerized personal data files;
- OECD texts (recommendations and declarations) on the protection of privacy and
transborder flows of personal data and the declaration on transborder data flows;
- Convention for the protection of individuals with regard to automatic processing of
personal data of 28 January 1981 of the Council of Europe (convention 108);
- Recommendations and resolutions of the Council of Europe.
4. The CNIL
Right from the start, the French data protection authority (“Commission nationale de
l’informatique et des libertés” or “CNIL”) has developed a specific doctrine, according to:
- the nature of the techniques used;
- potential risks to liberty.
Many recommendations have been issued by the CNIL in the form of “Deliberations”.
APPENDIX 2:
TABLE OF PENALTIES APPLICABLE IN FRANCE
FOR OFFENCES RELATED TO PERSONAL DATA
Themes | Articles | Penalty

Collection
Illegal collection | 226-18 [1] | 5 years’ imprisonment, € 300,000 fine

Prior Formalities
Absence of prior formalities | 226-16 [1] | 5 years’ imprisonment, € 300,000 fine
Absence of authorization | 226-16-1-A [1] |
Non-compliance with the simplified standards | 226-16-1-A [1] |
Non-compliance with the exclusion standard | 226-16-1-A [1] |
Diversion of purpose | 226-21 [1] |

Personal Data
Illegal use of the registration numbers of natural persons in the national register for the identification of individuals (i.e. social security number) | 226-16-1 [1] | 5 years’ imprisonment, € 300,000 fine
Non-compliance with provisions applicable to the processing of prohibited data and data on offences, convictions or security measures | 226-19 [1] |
Illegal manual processing operations | 226-23 [1] |

Rights of Data Subjects
Non-compliance with the right to object | 226-18-1 [1] | 5 years’ imprisonment, € 300,000 fine
Indirect canvassing by electronic mail | 226-18-1 [1] and R. 10-1 [2] |
Non-compliance with the right to oblivion | 226-20 [1] |
Disclosure of personal data | 226-22 [1] |
Hindrance of the CNIL action | 51 [3] | 1 year imprisonment, € 15,000 fine
Failure to provide information to data subjects on the existence of the right of access and rectification | Decree No. 81-1142 of 23 Dec. 1981 [4] | Petty offence of the fifth class: € 1,500 max

Liability of Legal Entities | 226-24 [1] | 5 years’ imprisonment, € 300,000 fine

Security
Non-compliance with security rules | 226-17 [1] | 5 years’ imprisonment, € 300,000 fine

Health
Illegal processing of medical data | 226-19-1 [1] | 5 years’ imprisonment, € 300,000 fine

[1] Penal Code.
[2] Posts and Electronic Communications Code.
[3] Data Protection Law.
[4] Decree No. 81-1142 of 23 December 1981, OJ of 26 December 1981.
APPENDIX 3:
BIBLIOGRAPHY
Books:
- Alain Bensoussan, "Informatique et libertés", Editions Francis Lefebvre, 2008,
http://www.alain-bensoussan.com/pages/14/
- CNIL’s 28th activity report:
http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-28erapport-2007.pdf
- CNIL’s guide on the French data protection officer: "Le guide du correspondant
informatique et libertés", Cnil 2006:
http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_Guide_correspondants.pdf
- CNIL’s guide on the transfer of data outside the EU: "Le Guide pratique
transfert d'informations hors Union européenne", Cnil 2008:
http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Guide-tranfertdedonnees.pdf
Websites:
- Law firm Alain Bensoussan, thematic database on data protection
(“Informatique et libertés”). The database contains a version of the French Data
Protection Act annotated article by article, as well as case law since 1981:
http://www.alain-bensoussan.com/pages/99/
- CNIL: http://www.cnil.fr/
- Article 29 Data Protection Working Party:
http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_fr.htm
- European Community portal:
http://ec.europa.eu/justice_home/fsj/privacy/index_fr.htm
- Council of Europe:
http://www.coe.int/T/F/Affaires_juridiques/Coopération_juridique/Protection_des_data/
- Europol JSB:
http://europoljsb.consilium.europa.eu/home/default.asp?lang=FR
- Eurojust: http://europa.eu/agencies/pol_agencies/eurojust/index_fr.htm