The leaked draft regulation for the protection of personal data in the EU provides for rules governing the territorial jurisdiction of data protection authorities (DPAs).
According to these rules, when a controller carries out data processing in the EU and is established in several Member States, the authority located in the Member State of the controller’s main establishment is competent for the supervision of the processing activities in all Member States (Article 50).
The CNIL has recently expressed publicly that these rules raise concerns for several reasons. (Source: with CNIL President Isabelle Falque-Pierrotin.)
The CNIL noted that the main players of the digital economy are located in Ireland, the UK and Luxembourg. A practical consequence of the text would be to transfer regulatory powers over this sector to the DPAs of these countries.
Also, groups of companies may be tempted by forum shopping and locate their main establishment in the more “understanding” Member States.
The role of DPAs located in Member States other than that of the controller’s main establishment will be drastically reduced to cooperating with and assisting the competent DPA.
The competent DPA will have to analyze the compliance of the data processing in light of the applicable laws of other Member States, e.g., assessing the lawfulness of the processing under sectoral laws such as banking laws. Such analysis will probably be complex and time-consuming for the competent DPA, even with the cooperation of the other DPAs.
In the end, the CNIL believes that the level of data protection in the EU may potentially suffer from these rules on territorial competence.
“The CNIL wishes to implant a cookie in your computer … in order to make anonymous audience statistics.”
So begins the banner displayed on the CNIL website in order to implement the new provisions of Article 32 of the French Data Protection Act, as modified by the implementation of the so-called “Telecom package” directives last summer (see GPD Oct 2011 Volume 11 n°8).
It continues, “You may delete it [the cookie] at any time or obtain more information by reading the following section on statistics” and provides for two choice boxes: NO THANK YOU and ACCEPT, under which one can read in small print, “We will memorize your choice in a cookie.”
What can we derive from it?
It confirms the CNIL’s strict reading of the rule. Consent must be:
- Express: hence the choice boxes;
- Specific: the purpose of the cookie is precisely described. The data collected via the cookie will be used to make statistics, and not just any kind of statistics: it is specified that the statistics will measure audience and will be anonymous;
- Free: the visitor is told that the cookie can be deleted at any time.
It also shows that some of the most basic cookies, the ones that all websites use to compile website traffic statistics, are considered to fall under the opt-in rule. They are indeed not needed to provide the online communication service.
The CNIL at some point considered that the website had to offer the visitor three different choices: to accept the cookie; to refuse the cookie, with the request repeated at each visit; or to refuse the cookie and memorize the refusal by installing a “rejection cookie.”
In practice, it seems the CNIL simplified its approach and offers only two choices, both memorized in cookies—whether positive or negative.
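An added example, not the CNIL’s own banner code, of the consent logic the banner describes: no audience-statistics cookie is written until an express ACCEPT, both answers are memorized in a consent cookie (so a refusal becomes a “rejection cookie” instead of a repeated prompt), and the choice can be withdrawn at any time. Cookie names and lifetimes are assumptions.

```javascript
// Added example, not the CNIL's own code. Cookie names and lifetimes are assumptions.
const CONSENT_COOKIE = "stats_consent";    // hypothetical: memorises the visitor's choice
const ANALYTICS_COOKIE = "audience_stats"; // hypothetical: the opt-in audience-statistics cookie

// Parse a document.cookie / Cookie header string into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return jar;
}

// "accepted", "refused", or null when no choice has been memorised yet.
// Absence of a choice is never treated as consent: consent must be express.
function storedChoice(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "accepted" || v === "refused" ? v : null;
}

// Set-Cookie value memorising the visitor's answer. A refusal is stored too,
// so the visitor is not asked again at every visit (the "rejection cookie").
function consentCookieFor(choice, maxAgeSeconds = 180 * 24 * 3600) {
  if (choice !== "accepted" && choice !== "refused") {
    throw new Error("choice must be 'accepted' or 'refused'");
  }
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax`;
}

// "Free": the visitor may delete the choice at any time; expiring both cookies
// returns the site to the ask-again state.
function withdrawalCookies() {
  return [CONSENT_COOKIE, ANALYTICS_COOKIE].map((n) => `${n}=; Max-Age=0; Path=/`);
}

// What a page load does: show the banner, place the statistics cookie, or neither.
// The statistics cookie carries only a random, non-identifying token so the
// resulting audience statistics stay anonymous, as the banner promises.
function onPageLoad(cookieString, randomToken) {
  const choice = storedChoice(cookieString);
  const setCookies = [];
  if (choice === "accepted" && !(ANALYTICS_COOKIE in parseCookies(cookieString))) {
    setCookies.push(`${ANALYTICS_COOKIE}=${randomToken}; Max-Age=${30 * 24 * 3600}; Path=/; SameSite=Lax`);
  }
  return { showBanner: choice === null, setCookies };
}
```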
A barcode device to access health data authorized by CNIL
When an accident occurs, having immediately available and accurate health information about the patient is crucial for the professionals of emergency services and can save lives.
Two people, including an engineer, have created an “emergency barcode,” printed on a sticker, that provides remote access to the medical data needed in case of an accident. The system is designed more specifically for people wearing a helmet, as the sticker can be stuck on it; e.g. motorcycle riders and workers on construction sites.
The medical data accessible via the emergency code include blood group, allergies, previous medical history and the sticker owner’s choice concerning organ donation. A photograph and anthropometric data will also be stored to avoid any mistake concerning the identity of the sticker owner. The medical data will be checked by a doctor and then regularly updated.
Data security relies on a flashcode (a 2D barcode) combined with a secret number, readable with an iPhone only by emergency service doctors. Once the code is recognized by the iPhone, the doctors can remotely access online health data stored securely by a certified health data host provider. When necessary, the data may also be accessed via the Internet by other doctors, such as the doctor in charge of the medical follow-up of the person concerned.
The data subject is informed that she must not lend her helmet. If the helmet is stolen, the initial code is deactivated and replaced by a new one.
The CNIL authorized a trial of this emergency code in two French counties, Loire Atlantique and Sarthe, on November 10, 2011. The manufacturer expects to commercialize the emergency code at the beginning of 2012.
A certified health data host provider sanctioned by the CNIL
In France, health data host providers must be certified. Certification is granted by the Ministry of Health after a certification committee and the CNIL have given their opinion on the application.
The applicant must demonstrate that it complies with the guarantees required by the Code of Public Health concerning the confidentiality and the security of health data. Among other things, the applicant must ensure that health data are encrypted.
At the beginning of 2011, the CNIL carried out an on-site audit of a host provider and noticed that, contrary to what the company had indicated in its application, health data were not encrypted and were available to the administrators of IT systems, who should not have been authorized to access such sensitive data.
As a consequence, the CNIL considered that health data were not lawfully processed and issued a warning to the concerned company.