The CNIL in a Nutshell PROTECT PERSONAL DATA, ACCOMPANY INNOVATION, PRESERVE CIVIL LIBERTIES



Created in 1978, the CNIL is an independent administrative authority that exercises its functions in accordance with the French Data Protection Act of the 6th of January 1978, amended the 6th of August 2004.

The CNIL’s independence is guaranteed by its composition and its organisation. The seventeen members that form the commission are for the most part elected by the assemblies and jurisdictions to which they belong. The CNIL elects its chair from amongst its members and does not receive instructions from any other authority regarding the election of the chair.

  • 4 Parliamentarians (2 Assembly members, 2 Senators).
  • 2 members of the French Economic, Social and Environmental Council.
  • 6 representatives of high jurisdictions (2 State Council members, 2 members of the Court of Cassation and 2 members of the Audit Court).
  • 5 qualified public figures appointed by: the President of the National Assembly (1 public figure), the President of the Senate (1 public figure), the French Cabinet (3 public figures).

The mandate of the commissioners is for 5 years, or, for parliamentarians, as long as the duration of their mandate.

AN INDEPENDENT ADMINISTRATIVE AUTHORITY

Plenary Session

The members of the CNIL congregate in plenary sessions once a week on an agenda pre-established by the Chair. A major part of these sessions is devoted to the assessment of bills and draft decrees that are submitted by the government for an official CNIL opinion. Additionally, the CNIL gives authorisations for the processing of sensitive data including, but not limited to, those requesting the use of biometrics. It also analyses the consequences of new technologies on citizens’ private life.

Restricted Committee

Since the law of the 6th of August 2004, the CNIL’s restricted committee, which is composed of 5 members and a Chair other than the CNIL’s Chair, can render diverse sanctions on data controllers who do not respect the law. The amount of the penal sanctions can reach up to €300,000. These penal sanctions can also be made public.

INSTITUTIONAL PROCEEDINGS

2,277 ADOPTED DECISIONS AND DELIBERATIONS

100 OPINIONS

390 AUTHORISATIONS

ADVICE AND REGULATION

401 BIOMETRIC SYSTEM AUTHORISATIONS

6,123 GEOLOCALISATION DEVICE DECLARATIONS

14,441 ORGANISATIONS WITH A DATA PROTECTION OFFICER

COMPLIANCE MONITORING

92,663 PROCESSED FILES

11,892 DECLARATIONS PROCESSED REGARDING VIDEO SURVEILLANCE SYSTEMS

44 CNIL PRIVACY SEALS DELIVERED

STATUS & COMPOSITION

THE CNIL’S FACTS AND


THE CNIL’S MISSIONS

68% OF INDIVIDUALS KNOW ABOUT THE CNIL

36,000 FOLLOWERS ON TWITTER

INFORMING & EDUCATING

The CNIL has the general mission of informing individuals of the rights accorded to them by the French Data Protection Act. The CNIL responds to requests made by individuals and companies alike. In 2014, it received almost 133,000 telephone requests for advice or further information. The CNIL leads awareness campaigns targeting the general public by means of the press, its website, social networks and targeted workshops.

The CNIL is directly asked to lead training programmes on the Data Protection Act within many organisations, companies and institutions, and it also participates in conferences, seminars and workshops in order to inform and be informed. It brings together a collective of over 60 organisations that lead campaigns in favour of education on the digital world.

PROTECTING THE RIGHTS OF CITIZENS

Any individual can contact the CNIL when they are experiencing difficulties in exercising their data protection rights. The CNIL ensures that citizens can effectively access their data contained in any processing. In 2014, the CNIL received 5,825 complaints, which included: e-reputation (requests for the erasure of data on the internet); commerce (requests to stop publicity by mail); human resources (supervision mechanisms like video surveillance or the geolocalisation of vehicles); and banks and loans (objection to their registration within the files of the Banque de France).

FOCUS

Filling out Complaints Online

The CNIL offers on its website an online complaint service for handling complaints in the sectors of banking and credit, work, business and internet.

Mobile version of cnil.fr


IT’S YOUR RIGHT!

The Right to Access, to Object and to Rectify

Everyone has the right to be informed of all data stored in a file by directly contacting those who have created and store the file. Moreover, they have the right to obtain a copy of the data, with the cost of doing so remaining equal to that of the reproduction of the data.

Any individual also has the possibility to object to the processing of their personal data on legitimate grounds. They can refuse the filing of their data without having to justify themselves if the information requested will be used for commercial purposes.

Everyone can rectify, complete, update, block or erase information about them when this information is declared to be erroneous or inexact; this also extends to cases of prohibitions on the collection, utilisation, communication or conservation of said data.

5,825 COMPLAINTS RECEIVED

The Right to Access National Security, Defence and Public Security Files

On behalf of citizens, the CNIL can access national security, defence, and public security files that contain their data, especially surveillance and judicial police files. This type of access is called indirect access. When requesting the CNIL to consult these files, one must write a letter to the CNIL indicating precisely their address and telephone number and include a photocopy of their identity card.

REGULATING & ADVISING

The regulation of data protection is brought about by differing tools:

  • authorisations that implement data processing;
  • official opinions on the government’s draft legislation that will impact data protection or create new files;
  • legal frameworks simplifying the completion of prior formalities;
  • recommendations allowing the CNIL to establish its doctrine in different domains;
  • requests for advice from data controllers, which are being sent in higher quantities and notably by data protection officers.


ACCOMPANYING THE COMPLIANCE

The objective is to propose a compliance “toolbox” by using the different means of action at the CNIL’s disposal: the data protection officers (Correspondants Informatique et Libertés), who form a privileged network of experts; the development of privacy seals and Binding Corporate Rules that frame transfers of personal data within multinational companies outside the EU; the creation of “compliance packages” that are sector-based reference models covering an entire sector or professional branch.

The Privacy Seals

The CNIL now has the power to deliver privacy seals for products, procedures or governance processes that deal with data protection.

The “CNIL privacy seal” allows a company to distinguish itself from others by the quality of its services. For users, it is a trust indicator on products, procedures and governance processes that allows them to identify and favour organisations that guarantee a high level of protection for their personal data.

Data Protection Officers (CILs)

In an era where the digital world is inherent to our daily lives, the data protection officers (CILs) have become absolutely essential actors within public and private organisations which deal with personal data.

Ensuring an optimal level of protection for personal data is not only a legal obligation, but also a question of the company’s credibility with its users or clients. In 2014, almost 14,500 organisations chose to appoint a data protection officer in order to reinforce the technical and legal security of their informational heritage.

Correspondant Informatique et Libertés

Le L@bo CNIL

Cookieviz

MORE THAN 100,000 DOWNLOADS ON CNIL’S WEBSITE

Mobilitics

ANTICIPATING INNOVATION

Within the framework of its innovation and prospective work, the CNIL strives to consolidate two objectives: taking into consideration, at a very early stage, new subjects such as trends, technologies or upcoming uses for data; and assessing the case studies and analyses brought about by innovative tools and projects.

The Laboratory

The CNIL constructed a laboratory within its walls that is dedicated to the testing and experimentation of cutting-edge products and applications. This laboratory makes it possible to obtain products at their beta stages in order to test their functions and evaluate their potential impact on the private lives of citizens. Keeping “privacy by design” in mind, the CNIL strives to reinforce its consulting role for companies with regard to the integration of personal data requirements within their technological developments. Finally, the CNIL aims to contribute to the development of technological solutions that protect citizens’ private life.

The Prospective Committee

In order to reinforce its mission to elaborate and reflect on potential prospects, the CNIL created in 2012 the Prospective Committee, which brings together six external experts. This committee strives firstly to be the coordination committee of scientific studies led by the CNIL. The two main missions of the Prospective Committee are the annual establishment of the studies led by the CNIL and the exploration of new fields of studies.


THE CNIL WORLDWIDE

The European Union adopted in 1995 a directive aiming at harmonising amongst the 15 Member States (now 28 Member States) the protection guaranteed to every person wherever in Europe their data is being processed. A reform package on the data protection regime was presented by the European Commission in January 2012.

WP29: since February 2014, the CNIL’s Chairwoman has presided as Chair over the Article 29 Working Party, the working party that assembles once every two months representatives from the 28 European and independent data protection authorities.

This body’s objective is:

  • to contribute to the establishment of European norms by adopting recommendations;
  • to render opinions on the level of protection guaranteed by countries outside the EU;
  • to advise the European Commission on all projects having an impact on data protection rights and liberties.

The CNIL, as a representative at the International Conference of Data Protection and Privacy Commissioners, participates regularly in collaboration with other international actors:

  • the OECD: the CNIL participates in the working group on the revision of guidelines regarding privacy rights and transfers of personal data, and is represented at the International Conference of Data Protection and Privacy Commissioners;
  • the Council of Europe: the CNIL follows the modernisation of Convention 108 and attends the activities of the Consultative Committee of Convention 108 (T-PD) as an observer acting as representative of the International Conference of Data Protection and Privacy Commissioners;
  • the APEC: the Asia-Pacific Economic Cooperation zone brings together 21 countries; moreover, it aims at facilitating cross-border commerce as well as the development of e-commerce within the zone. The CNIL participates in the working group on privacy rights as representative of the International Conference of Data Protection and Privacy Commissioners as well as in the Committee for the interoperability of the APEC Cross Border Privacy Rules-EU Binding Corporate Rules as member of the WP29.

Francophone

For about ten years, the CNIL has engaged itself in a data protection promotional campaign within francophone countries. These actions have given way to the creation in 2007 of the Association Francophone des Autorités de Protection des Données Personnelles (Association for Francophone Data Protection Authorities), which partners with the International Organisation of La Francophonie (OIF). Its success has also brought about the adoption of privacy rights legislation by countries within the francophone zone including Burkina Faso, Mali, Madagascar, Morocco and Turkey.

FOCUS

INSPECTING AND SANCTIONING

Ex-post inspections are the CNIL’s favoured method of intervention with data controllers. They allow the CNIL to verify the concrete implementation of the law. The programme of interventions is established according to current events and high-level issues (new technologies, problematic current events and revelations) for which the CNIL is called upon to inspect.

The CNIL has the competence to inspect video surveillance systems established within the French territory. It performed 88 video surveillance inspections in 2014 alone.

Regarding inspections or complaints, the CNIL’s restricted committee (composed of 5 members and a Chair other than the CNIL’s Chair) can render various types of sanctions, which include:

  • a warning, which can be made public. Hypothetically, if the CNIL’s Chair has already officially rendered an order and the data controller does not change its practices to conform to the order, the restricted committee can render more coercive sanctions after respecting the contradictory principles within administrative procedures;
  • a monetary sanction (except for Government data processing) of up to €150,000 and up to €300,000 for repetitive violations. This sanction can be made public; moreover, the restricted committee can demand the sanction be published in the press at the cost of the sanctioned organisation. The total amount of the sanctions will be collected by the Public Treasury and not by the CNIL;
  • a cease-and-desist injunction on the data processing;
  • a withdrawal of the prior authorisation given by the CNIL.

In cases of immediate and grave violations of fundamental rights and freedoms, the CNIL’s Chair can refer a request to the competent jurisdiction to order any necessary security measure. It can also denounce any violations of the French Data Protection Act to the State Prosecutor.

Online investigations

Since March 2014, the CNIL has had a new investigatory power that allows it to be more reactive and efficient regarding digital practices. From now on, investigations can be carried out from the CNIL’s offices without the data controller being present; the data controller will be informed once the verifications are performed.


NUMBERS IN 2014

“The CNIL walks hand-in-hand with the rapid development of new technologies and participates in the construction of a code of digital ethics.”

Beyond raising awareness and sharing information on data protection culture, the CNIL has an advisory power, an onsite and offsite investigatory power as well as an administrative sanctioning power. It has established and coordinates the network of Data Protection Officers (also known as the “Correspondants Informatique et Libertés”). The CNIL analyses the consequences of new technologies on citizens’ private life. Finally, it collaborates closely with its European and international counterparts.

What is personal data?

Personal data is any information concerning a natural person that can, directly or indirectly, potentially identify that person by reference to an identification number (e.g., social security number) or to one or more elements that only concern a single person (e.g., first name and surname, date of birth, biometric elements, digital imprint, DNA, etc.).

ADDITIONAL INFORMATION

421 INVESTIGATIONS

58 ONLINE INVESTIGATIONS

88 INVESTIGATIONS REGARDING VIDEO SURVEILLANCE

PROTECTING CITIZENS

INVESTIGATING

5,825 COMPLAINTS

5,246 REQUESTS FOR ACCESS TO PERSONAL DATA WITHIN: POLICE FILES, SURVEILLANCE FILES, FICOBA, ETC.

62 ORDERS RENDERED

7 WARNINGS

8 FINANCIAL SANCTIONS

3 ACQUITTALS

RENDERING ORDERS & SANCTIONS


Contact the CNIL

Commission nationale de l’informatique et des libertés
8, rue Vivienne CS 30223 75083 Paris Cedex 02 France
Tel: 01 53 73 22 22 Fax 01 53 73 22 00

www.cnil.fr
