Commission Nationale De L'informatique ET Des Libertés
Total Page:16
File Type:pdf, Size:1020Kb
activity report COMMISSION NATIONALE DE L’INFORMATIQUE ET DES LIBERTÉS coMMISSioN NatioNALE DE L’INForMatiQUE et DES LIBertÉS ACTIVITY REPORT 2011 As provided by Article 11 of the Law of 6 January 1978, amended by the Law of 6 August 2004 In pursuance with the Law of 11 March 1957 (Article 41) and the Code of Intellectual Property of 1 July 1992, any reproduction, whether wholly or partially, of this publication for collective usage is strictly prohibited without the express authorization of the publisher. As a reminder, the abusive and collective use of photocopies jeopardizes the economic balance of the book publishing industry. © Direction de l’information légale et administrative – Paris, 2012 ISBN 78-2-11-008039-4 DECISIONS AND DELIBERATIONS 11 2 REJECTED WAIVERS OF AUTHORIZATIONS NOTIFICATION 1,969 249 93 1 DECISIONS & AUTHORIZATIONS, OPINIONS ISSUED, RECOMMENDATION DELIBERATIONS INCLUDING 6 SINGLE INCLUDING ON POLITICAL ADOPTED AUTHORIZATIONS 1 OPINION ON A COMMUNICATION (+ 25.5% versus 2010) SINGLE REGULATION 2011 KEY FIGURES NOTICES TO COMPLY & SANCTIONS PRIOR FORMALITIES 65 5 5,993 4,483 NOTICES TO COMPLY FINANCIAL FINES NOTIFICATIONS ON NOTIFICATIONS ON VIDEO-SURVEILLANCE GEOLOCATION SYSTEMS SYSTEMS (+33.5 versus 2010) 13 2 (+37% versus 2010) WARNINGS ACQUITTALS 744 AUTHORIZATIONS ON BIOMETRIC DEVICES (+5.4% versus 2010) COMPLAINTS & REQUESTS FOR INDIRECT RIGHT OF ACCESS CONTROLS & AUDITS 5,738 2,099 COMPLAINTS REQUESTS FOR INDIRECT 385 151 (+19% versus 2010) ACCESS TO POLICE AND AUDITS VIDEOPROTECTION INTELLIGENCE RECORDS (+25% versus 2010) AUDITS (+12% versus 2010) CORRESPONDENTS 8,635 ORGANIZATIONS HAVE APPOINTED A DATA PROTECTION OFFICER (CIL) (+25% versus 2010) TABLE OF COntents Foreword for the President A word from the Secretary General 1. NEW Missions Vidéo-surveillance audits: status assessment and action plan 10 5. CONSULT AND INNOVATE CNIL certification labels 13 WiFi, iPhone and geolocation 50 Notification of personal ZOOM data breaches 16 Consultation on Strategic forward-planning at CNIL: Cloud Computing 51 initial work, first publications 19 ZOOM Smartphone and privacy: 6. ProtECT AND INSPECT a priority for analysis and action 23 Record number of complaints 58 Right of indirect access 59 2. INFORM Audits 63 The CNIL informs you daily 30 Replies to public enquiries 34 7. SAnction Data protection officer 35 Summary report on the 2011 activity of the Sanction Select Committee 66 3. ADvice AND PROPose National Consumer Credit Register 38 8. TOPics OF investigAtion ZOOM Comments on the bill relative to IN 2012 identity protection 40 Revision of EU Directive: A successful data protection Union 70 4. REGULATE ZOOM APPENDICES Ethical Business Alert CNIL membership 76 (Whistleblowing) 46 CNIL: Means & Resources 77 4 activitY repOrt 2011 Faced with the complexity of the “digital ecosystem, the regulator’s challenge is to build relays ” FOrewORD FROM THE President THE CNIL READY FOR COMBAT oday, the CNIL has reached a decisive step in It is true that our powers of regulation and sanction T its development. Confronted to structural muta- are indeed mighty, and we shall not hesitate to use them tions linked to the growth of the digital society, the as needed. Nevertheless, these enforcement instruments Commission sits at the core of the international debate will not be sufficient to establish a rule of law in this on data protection in the 21st century; a unique era that new digital universe. Indeed, we can no longer afford to invites us to revisit our action. simply issue general guidelines and verify their applica- Structural changes first and foremost, as this is indeed tion a posteriori. Confronted with the complexity of the a change of era driven by the digital age. Within just a few digital ecosystem, the regulator’s challenge consists in years, the digital world has become pervasive: with the building relays; relays allowing for the engagement and increasing dematerialization of industries and services, we accountability of all stakeholders, whether public, private have shifted from a rather static, domestic world of physical or individual, in order to ultimately share the burden of records to an international, fluctuating universe of virtual regulation with them. data with multiple players involved. Data are pervasive and omnipres- ent everywhere, produced and con- sumed by individuals, enterprises and public authorities alike; and tomorrow, these data will increas- ingly deal with objects. They now represent a considerable merchant worth, at the heart of the economic challenges of the 21st century. Confronted to this new ecosys- tem, my priority consists in con- solidating the adjustments already initiated, and ensuring that the CNIL enters the digital era on a solid footing. This new environ- ment can no longer be regulated the same way as in the past. We therefore need to rethink our action and revisit our operational tools in order to process these data flows and address increasingly Isabelle Falque-Pierrotin, diversified stakeholders. CNIL President Foreword 5 To this purpose, we need to work closer to the field, to Gradually, the issue of data protection is overstep- the various players and their specific business features. ping the mere scope of legal or IT corporate departments Such a novel approach will require making new tools to invest the dimensions of marketing, sales or human available to them, to help them implement in practice and resources. as early as possible the principles of the “Informatique & Yet it should also start spreading to the level of top Libertés” Act on Privacy and Data Protection. A tool box corporate management since tomorrow’s innovations and already exists, but we need to supplement and refresh it, growth are increasingly linked to data processing issues. in cooperation with professionals. Whether Codes of Good Just think about automobiles, smart meters or home Conduct, Charters, Certification Labels or Data Protection automation... many business sectors will need to take into Officers or Correspondents (“CIL” or “Correspondants consideration the issue of personal data management as a Informatique & Libertés” in France), all such levers must tool for customers to take ownership of their products and be in the service of corporate compliance with the Privacy services, and therefore a means conducive to the sustain- & Data Protection Act. able development of their business activities. Enforcement and oversight of compliance will lie at the Similarly, consumers have matured: even though many core of the CNIL’s actions over the coming years. still fail to understand how and by whom their personal data are actually used, both consumers and web users, This evolution also corresponds, I believe, to a new who represent a volatile but hard-to-please population, phase in the maturity of the stakeholders themselves. are demanding more transparency from businesses. They Under pressure from consumers and youngsters, data want to know about or even control such uses! protection is starting to be perceived not just from the Businesses, and more generally digital-related players simplistic prism of a legal constraint, but rather as a com- are confronted to these new demands; they cannot afford petitive edge, or even a social advantage. Enterprises are to disappoint them, at the risk of losing their customers’ of course concerned with limiting the legal risk, but they contact and trust. also wish to arouse trust from their target public, whether internal (employees) or external (customers, web users) The CNIL must also adapt to the new social demand, and, in the event of problems, to mitigate any image- and offer to the public at large educational guidance on related damage. solutions, by providing insights for a responsible and con- trolled use of personal data. The CNIL needs to fully play its role as a guide to digital life. This is one of the reasons why we decided to conduct a survey on smartphones, our new everyday-life instrument that contains numer- ous personal data, including sensitive data, yet lacking any specific protection. Based on the study findings, we developed ten recommendations to help better secure smartphones, in the form of a video tutorial. In the same Enforcement didactic spirit on best practices, the CNIL also innovated with the production of an interactive video clip entitled and oversight of Share the Party intended to raise the awareness of young- “ sters about the videos or photos they publish on social compliance will lie at networks. the core of the CNIL’s In order to anticipate on new uses, we can increas- ingly rely on the initiatives and works produced by our actions over the Department of Research, Innovation and Foresight. The many discussions initiated by the Department attest to coming years ” our determination to establish an open dialogue with 6 activitY repOrt 2011 highly diversified stakeholders, with exchanges of views example illustrating how credibility can be boosted by a that fuel and enrich our thinking, and sometimes even proactive collective action. incite us into rethinking our models. In this context of fierce international competition, the world is turning to Europe, in search of the continent’s These structural changes occur in a highly turbulent ability to modernize its data protection model, while reas- international environment which is not conducive to an serting privacy as a fundamental right. Because not eve- easy readjustment process. rything is merely about growth! The idea is to reconcile Europe, USA and Asia are wrestling to develop legal growth with a humanistic vision of fundamental rights, frameworks of personal data protection that will be as an approach specific to Europe, yet finding wide echoes efficient as possible in terms of economic growth. On a in the French-speaking world in particular. European scale, I am thinking of the Draft Regulation In order to assert its existence and have real clout on reforming the European Directive of 1995 relative to data the international scene, Europe therefore needs to show protection.