On 24 March the CNIL adopted its annual Inspection Programme for 2011, under which it plans to conduct 400 investigations. In addition to the priority areas of concern for the CNIL, this year is marked by the extension of the CNIL’s powers to investigate video surveillance use.
CCTV
Since the law on the Introduction and Planning of Interior Security (LOPPSI) was adopted on 14 March, the CNIL is now responsible, as an independent watchdog, not only for CCTV use in private areas but also in places open to the public with the aim of ensuring the uniform development of video surveillance throughout the country. The CNIL is taking these new powers seriously and has planned to conduct 150 investigations on video surveillance alone.
Security of health related data
This is a very topical subject in France and the CNIL has issued several statements over the last few months on various processing procedures bearing this type of data.
Investigations will notably cover the following themes:
• Tele-diagnosis, which is rapidly increasing in use;
• Entities that provide hosting services for health data;
• Use of data from the PMSI System (Programme of Medicalisation of IT Systems);
• Registers: i.e. files made available for the purposes of monitoring the health of the population;
• Medical research.
Clients/Prospective Clients: can tracking be avoided?
Investigations in this domain would relate to processing such as, for example, audience measurement methods (advertisement boards and email solicitation) and profiling of data subjects (web sites, social networks, etc.).
There will also be investigations of specialist providers of fraud detection systems on the web (issue of “black lists”) who collect a large amount of information on Internet shoppers.
Collection Agencies / Private Detectives
This has already been on the agenda for past investigation programmes of the CNIL, raising issues such as unfair collection of data, excessive data retention periods and lack of fair notice to the persons targeted by the investigations. The CNIL sees merit in regularly verifying that these professions are complying with the law.
Transborder Data Flow
The rapid development over the past few years of transborder data flow has lead the CNIL to investigate, a posteriori, such data flow to ensure that French citizens benefit from the maximum protection.
These investigations will be bases on three principal axes:
1. Investigating company compliance with the Safe Harbor principles where recipients of data are Safe Harbor certified.
2. Investigating (i) companies which have entered into EU model clauses to safeguard transfers to data processors outside the EEA, as well as (ii) companies who have not adopted such clauses (and not filed their processing with the CNIL) even though it is likely that they are transferring data internationally. (International groups appear to be the most obvious targets).
3. Investigating companies using statutory derogations. The aim is to verify that there is not an abusive use of these exceptions as they should be used in exceptional circumstances only, and do not apply to repetitive, large or structural transfers.
The statutory derogations are: free and informed consent of the data subject, or transfers necessary:
• To save the life of the data subject;
• Public interest reasons;
• To recognise, exercise or defend a legal right;
• For a public register;
• To perform a contract between the data controller and the data subject (or pre-contractual measures taken at the request of that person);
• To conclude or perform a contract in the interest of the data subject, between the data controller and a third party.
These investigations will take place not only on French companies who export data but also companies outside of France who import data relating to French data subjects.
Finally the CNIL will, as usual, devote part of its investigation programme to complaints which have been raised with them and to verifying compliance with obligations entered into by those in charge of data processing which has been the object of a formal notice.