Blog – Page 6 – Global Privacy Book

First Multimodal Biometric System Authorized in France

Alain Bensoussan

The CNIL has given its green light to a multimodal biometric system. Striking the right balance between security and the protection of privacy and personal data, the French data protection watchdog decided that the security measures taken satisfactorily protected personal data and that the multimodal biometric system was “adapted and proportionate to the purpose pursued”. This is the first time that a multimodal biometric system is authorized in France.

Purposes of biometric recognition systems

On May 12, 2011, the French data protection authority, the CNIL, authorized for the first time a company to deploy a multimodal biometric system combining finger vein and fingerprint recognition to control access to its workplace premises (CNIL Deliberation No. 2011-141 of May 12, 2011, in French).

Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing comprising biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization.

A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body, positively identifying individuals and enabling to trace them. Vein pattern is a more reliable and secure biometric method than fingerprints, which may be lifted and reproduced unbeknownst to the individual.

(more…)

France Adopts EU Telecoms Package and Amends Data Protection Act

Alain Bensoussan

France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.

Adoption of the ordinance implementing the “Telecoms Package”

An ordinance implementing the European “Telecoms Package” has just been adopted by the French Council of Ministers last August 24. It came into force on August 26, 2011, date of its publication in the French Official Journal.

The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package into the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impacts in the Consumer Code (clearer contacts for consumers) and Chapter 3 focuses on the protection of data and privacy.

Regarding, in particular, the changes made to the data protection legislation, the following three concepts have been decided:

Creation of a data breach notification requirement

The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.

(more…)

First Keystroke Biometric System Authorized in France

Alain Bensoussan

In a deliberation dated June 23, 2011, the French data protection authority (“CNIL”) agreed to the use by a company of a behavioral biometric system based on the typing pattern of individuals, designed to strengthen the identification of individuals accessing to an information system. This is the first time that a biometric system based on keystroke dynamics is authorized in France by the CNIL.

The system requires the recording of personal data, such as the last name, first name, pseudonym and IP address.

In France, companies have to obtain the authorization of the CNIL before processing biometric data (Article 25-I-8° of the French Data Protection Act of January 6, 1978).

This authorization has been granted exclusively for a specific purpose, namely the demonstration of a product to prospects, and is subject to the implementation of stringent security measures to ensure the confidentiality of the data.

CNIL Deliberation No. 2011-183 of June 23, 2011

France: FAQ About Biometric Devices

Alain Bensoussan

Can a company legally use biometric devices in France?

YES. Businesses may use a biometric device, subject to first obtain the prior authorization of the French data protection authority, the CNIL. (Article 25 of the French Data Protection Act (Loi Informatique et libertés))

The CNIL has established simplified notification formalities for some biometric devices, such as:

Hand geometry recognition for access control, working time management and food catering at the workplace;

CNIL Deliberation No. 2006-101 of April 27, 2006

Fingerprint recognition with fingerprint exclusively recorded on an individual medium held by the data subject, designed to control access to work buildings;

CNIL Deliberation No. 2006-102 of April 27, 2006

Vein pattern recognition to control access to work buildings;

CNIL Deliberation No. 2009-316 of May 5, 2009

Fingerprint recognition to control access to professional laptops.

CNIL Deliberation No. 2011-074 of March 10, 2011

(more…)

EU Commission Launches Consultation on DBN

Alain Bensoussan

The European Commission has launched a consultation (read EU press release here) on the practical rules needed for the entry into force of the obligation requiring ISPs to inform relevant national authorities of any personal data breaches, introduced by the ePrivacy Directive 2009/136/EC of November 25, 2009.

The purpose of the consultation is to seek the views of telecoms operators, Internet service providers, Member States, national data protection authorities and consumer organizations on data breach notification (“DBN”).

Stakeholders have until next September 9 to provide their feedback and input on the issues involved.

The consultation could result in the proposal by the Commission of “technical implementing measures” to be reviewed by the EU Parliament.

Large-Scale Police Databases: Creation of a European Agency

Alain Bensoussan

An independent regulatory Agency for EU Member States

The Proposal for a Regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was reviewed on April 11, 2011, by the Council of the European Union. A political agreement was found in June 2011. (more…)

Peru Adopts New Data Protection Law

Francoise Gilbert

On July 2, 2011, Peru adopted its first “Law on the Protection of Personal Data.” The law was published in the country’s official gazette of July 3, 2011 as Law No. 29733. Inspired from the Spanish data protection law and the APEC Privacy Framework, this new law is intended to bring Peru to a level of data protection that would be satisfactory to the European Union member states and other countries that have adopted similar data protection regimes. (more…)

Israel Found to Provide Adequate Level for Data Transfers!

Alain Bensoussan

Last April 4, 2011, the EU Article 29 Data Protection Working Party issued an Opinion on the level of protection of personal data in New Zealand. This is the occasion to make a recap on the EU legal rules for transborder flows of personal data, with a focus on the latest country found to provide an adequate level —Israel.

Today, with globalization, it’s common practice for businesses to transfer personal data around the globe. This of course raises issues on the security of such data. The European Union does not allow businesses to send personal data outside its boundaries unless the recipient country provides an adequate level of protection. The last country to join the club of countries with an adequate level: Israel! (more…)

France: CNIL Concerned About the New SWIFT Agreement

Alain Bensoussan

The French data protection authority, the CNIL, expressed its concerns, in a press release on July 27, 2010, on the agreement, known as “Swift Agreement”, concluded on June 28, 2010, between the European Union and the USA to regulate the transfer of banking data between the EU and the US for the purposes of the Terrorist Finance Tracking Program (TFTP).

Despite the additional guarantees supplied, the CNIL “is in doubt as to the effectiveness of the measures taken and considers that several matters of concern remain“.

France: Proposed Legislation to Better Protect the Right to Privacy in the Digital Age

Alain Bensoussan

The European Union is planning to overhaul its data protection regime, notably because of rapid technological developments (social networking sites, blogs, cloud computing, geo-location devices, biometric devices, RFID applications, video surveillance…) and globalization have brought new challenges for the protection of personal data. A French bill has decided to take up these challenges.

Know your rights & Be your own privacy watchdog!

The French data protection framework could be changed by a French bill to better protect the right to privacy in the digital age. The bill was proposed to the Senate on November 6, 2009, and filed for first reading in the National Assembly on March 24, 2010.

This proposed legislation is mainly based on an information report on “privacy in the age of digital memories” issued in May 2009, and which recommended, among other things to enable citizens to become the actors of their own protection. To meet the new challenges of the digital era, the report calls for an increased involvement of individuals in the protection of their own privacy.

How is that to be achieved? The report suggested to educate and raise citizen awareness of their right to privacy and privacy threats from an early age, and to update the Data Protection Act of January 6, 1978 to provide stronger guarantees.

The bill thus amends the Data Protection Act to reflect the recommendations made in the report, as explained at the time by the then-current Digital Economy Secretary of State Nathalie Kosciusko-Morizet during the “Right to be forgotten” workshop in November 2009.

(more…)