France

Meet the New CNIL Chairwoman

Alain Bensoussan
 
The CNIL’s new Chairwoman, Isabelle Falque-Pierrotin, presents her priorities, in both French and English, in a video posted online that can be viewed here.
 
Ms. Falque-Pierrotin was elected on September 21st, 2011, after CNIL’s previous Chairman, Mr. Alex Türk, who was also a member of the French Senate, proactively resigned to comply with a recent legal provision that will soon prohibit the CNIL’s Chairman from holding any other elected office or public position.
 
In the video, the new boss of the French data protection regulator stresses that in an evolving and global environment, CNIL must innovate and become more open to resolutely step into the digital world. She firmly believes that cooperation with the private sector is important and thinks “the EU revision [of the data protection framework] will be a wonderful occasion to demonstrate that we are able to have a competitive protection but also a modernized protection” of personal data.


French Court Suspends US Company’s Whistleblowing System

Alain Bensoussan
 
Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S. companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
 
France’s whistleblowing rules
 
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
 
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document, known as the Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid going through the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity to certify that its system complies with the Single Authorization.


CNIL’s Data Security Guide Now Available in English!

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its Guide on Personal Data Security.
 
The Guide is designed to help data controllers meet their obligations under French law regarding the security of the personal data they collect, use and maintain.
 
The French Data Protection Act N°78-17 of January 6, 1978, requires data controllers to take “all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties” (Art. 34 of the Act). Failure to guarantee the security of the data is punished by five years’ imprisonment and a €300,000 fine (Article 226-17-1 of the Penal Code).
 
This Guide should be of interest not only to controllers established in France but more generally, to any entity that directly or indirectly uses IT systems in France.


CNIL Issues Data Protection Guide for Health Professionals

Alain Bensoussan

The French data protection authority, the CNIL, recently published a Guide for Health Professionals (Guide des professionnels de santé), available online (view here in French).

The first pages of this Guide recall the core principles of the French Data Protection Act, the missions of the CNIL and the role of data protection officers (“CIL”).

The second part is divided into practical, easy-to-read fact sheets designed to give health professionals the basic information and guidelines they need when processing personal and health data.


First Multimodal Biometric System Authorized in France

Alain Bensoussan

The CNIL has given its green light to a multimodal biometric system. Striking the right balance between security and the protection of privacy and personal data, the French data protection watchdog decided that the security measures taken satisfactorily protected personal data and that the multimodal biometric system was “adapted and proportionate to the purpose pursued”. This is the first time that a multimodal biometric system has been authorized in France.

Purposes of biometric recognition systems

On May 12, 2011, the French data protection authority, the CNIL, authorized a company for the first time to deploy a multimodal biometric system combining finger vein and fingerprint recognition to control access to its workplace premises (CNIL Deliberation No. 2011-141 of May 12, 2011, in French).

Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing comprising biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization. 

A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body that positively identifies individuals and makes it possible to trace them. Vein pattern is a more reliable and secure biometric method than fingerprints, which may be lifted and reproduced unbeknownst to the individual.


France Adopts EU Telecoms Package and Amends Data Protection Act

Alain Bensoussan

France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.

Adoption of the ordinance implementing the “Telecoms Package”

An ordinance implementing the European “Telecoms Package” was adopted by the French Council of Ministers last August 24. It came into force on August 26, 2011, the date of its publication in the French Official Journal.

The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package to the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impact on the Consumer Code (clearer contacts for consumers) and Chapter 3 focuses on the protection of data and privacy.

Regarding the changes made to the data protection legislation in particular, the following three concepts have been introduced:

Creation of a data breach notification requirement 

The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.


First Keystroke Biometric System Authorized in France

Alain Bensoussan

In a deliberation dated June 23, 2011, the French data protection authority (“CNIL”) agreed to the use by a company of a behavioral biometric system based on the typing pattern of individuals, designed to strengthen the identification of individuals accessing an information system. This is the first time that a biometric system based on keystroke dynamics has been authorized in France by the CNIL.

The system requires the recording of personal data, such as the last name, first name, pseudonym and IP address.

In France, companies have to obtain the authorization of the CNIL before processing biometric data (Article 25-I-8° of the French Data Protection Act of January 6, 1978).

This authorization has been granted exclusively for a specific purpose, namely the demonstration of a product to prospects, and is subject to the implementation of stringent security measures to ensure the confidentiality of the data.

CNIL Deliberation No. 2011-183 of June 23, 2011


France: FAQ About Biometric Devices

Alain Bensoussan

Can a company legally use biometric devices in France?  

YES. Businesses may use a biometric device, subject to first obtaining the authorization of the French data protection authority, the CNIL (Article 25 of the French Data Protection Act (Loi Informatique et libertés)).

The CNIL has established simplified notification formalities for some biometric devices, such as:

  • Hand geometry recognition for access control, working time management and food catering at the workplace;

CNIL Deliberation No. 2006-101 of April 27, 2006

  • Fingerprint recognition with fingerprint exclusively recorded on an individual medium held by the data subject, designed to control access to work buildings;

CNIL Deliberation No. 2006-102 of April 27, 2006

  • Vein pattern recognition to control access to work buildings;

CNIL Deliberation No. 2009-316 of May 5, 2009

  • Fingerprint recognition to control access to professional laptops.

CNIL Deliberation No. 2011-074 of March 10, 2011


France: CNIL Concerned About the New SWIFT Agreement

Alain Bensoussan

In a press release on July 27, 2010, the French data protection authority, the CNIL, expressed its concerns about the agreement, known as the “Swift Agreement”, concluded on June 28, 2010, between the European Union and the USA to regulate the transfer of banking data between the EU and the US for the purposes of the Terrorist Finance Tracking Program (TFTP).

Despite the additional guarantees supplied, the CNIL “is in doubt as to the effectiveness of the measures taken and considers that several matters of concern remain”.


CNIL Exempts Foreign Based Companies from Filing Notifications with Respect to Certain Processing

Francoise Gilbert

A “Deliberation” of the CNIL (French Data Protection Authority), published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023”, should ease the burden on companies that have no operations in France and engage France-based subcontractors (or cloud service providers) to process their data on French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the individuals concerned (employees or customers) are located outside of France.
