CNIL's latest news (EN)
Feed last updated: Tue, 18 Mar 2014 17:03:00 +0100

EU Regulation and citizens' surveillance: steps forward at the European Parliament

On 12 March, the European Parliament adopted its position in plenary on the draft EU Regulation as well as on the draft 'Police and Justice' Directive. It also adopted a resolution on the mass surveillance of European citizens by the NSA.

The Albrecht report on the draft data protection Regulation was adopted by a large majority, as was the Droutsas report. By adopting both reports simultaneously, the European Parliament confirms its commitment to a package approach to legislation in the area of data protection. By voting before the European elections of May 2014, the European Parliament consolidates the work it has achieved since the European Commission presented its proposals in January 2012, before the renewed assembly takes over and negotiations start with the EU Council. The CNIL will continue to monitor the legislative process, and in particular progress in the Council on the draft Regulation. In doing so, the CNIL will promote an ambitious approach to the protection of the data of European citizens.

Moreover, at the plenary of 12 March, the European Parliament also adopted a resolution warning that its approval of the EU-US free trade agreement (TTIP) would be conditional on the NSA ending its mass surveillance of European citizens. The fight against terrorism cannot justify such practices, the members of the European Parliament said. The same resolution calls for a suspension of Safe Harbor. The WP29, the group of the European data protection authorities, is currently assessing the safeguards offered by Safe Harbor in response to a Communication of the European Commission. The WP29 is also preparing an opinion on mass surveillance activities, which should be published in May.
The CNIL already welcomes the Parliament's introduction into the text of the Regulation of prior control by data protection authorities over requests made to companies by administrative or judicial authorities of third countries for access to the data of European citizens.

Published: Tue, 18 Mar 2014 17:03:00 +0100

International data transfers: the WP29 and APEC develop a practical tool for multinational organisations

On 27 February 2014, the WP29 adopted a favourable opinion on a practical referential (reference document) mapping the requirements of BCR and CBPR. This document was also endorsed by the APEC Member Economies on 27 and 28 February 2014.

The Article 29 Working Party ('WP29') developed Binding Corporate Rules ('BCR') to govern international data transfers within a company or group of companies. These rules can be seen as a code of conduct defining the company's policy on data transfers. The framework aims to provide adequate safeguards for data transferred from the European Union to third countries within the same company or group of companies.

More recently, the Member Economies of the Asia-Pacific Economic Cooperation ('APEC') developed a policy framework for international transfers of personal information, the Cross-Border Privacy Rules ('CBPR'), designed to provide guarantees for data transfers. Those guarantees rest in particular on certification by APEC-recognised Accountability Agents.

The EU BCR system and the APEC CBPR system follow a similar approach: codes of conduct for international transfers, developed by companies and approved in advance by EU Data Protection Authorities (for BCR) or by APEC-recognised Accountability Agents (for CBPR). The WP29 analysed the CBPR system to identify its similarities to and differences from the BCR system. On the basis of that comparison, the WP29 and the APEC Member Economies developed a referential on the personal data protection and privacy requirements of BCR and CBPR (WP212).
This practical tool is intended to help multinational organisations operating both in Europe and in the Asia-Pacific region; it identifies in a single document the elements required by both the BCR and the CBPR systems. It lists all of the elements common to both systems, as well as the additional elements specific to each. Those additional elements must in any case be taken into account by multinational organisations applying for BCR approval with data protection authorities in the EU on the one hand, and for CBPR certification by an APEC-recognised Accountability Agent on the other.

The WP29 welcomes the result of this joint work with the APEC Member Economies, the first such undertaking with APEC and a notable example of cooperation. The tool sets out global solutions for multinational organisations wishing to develop personal data protection and privacy policies compliant with both the BCR and the CBPR systems, and thereby to obtain both BCR approval and CBPR certification.

Published: Fri, 07 Mar 2014 12:04:00 +0100

Isabelle Falque-Pierrotin elected Chair of the WP29, the group of EU national data protection authorities

On 27 February 2014, the CNIL President, Isabelle Falque-Pierrotin, was elected to chair the Article 29 Working Party (WP29) for two years, with immediate effect.

The WP29 brings together the representatives of the data protection authorities of the 28 Member States of the European Union and the European Data Protection Supervisor, along with other European data protection authorities as observers. Isabelle Falque-Pierrotin takes over as Chair from Jacob Kohnstamm, President of the Dutch data protection authority, who chaired the group for the past four years. Also elected at the same Plenary were two new Vice-Chairs: Wojciech Rafal Wiewiórowski (Poland) and Gérard Lommel (Luxembourg). They replace Christopher Graham (United Kingdom) and Igor Němec (Czech Republic).
Isabelle Falque-Pierrotin has represented the French data protection authority in the WP29 since her election as President of the CNIL on 21 September 2011. Under her mandate, the WP29 will face two major challenges: preparing the transition toward the new governance contemplated in the draft EU data protection Regulation, and developing cooperation between data protection authorities on the wider international scene.

Published: Thu, 27 Feb 2014 15:05:00 +0100

The Conseil d'Etat rejected Google's request for a suspension of the CNIL's publication order

On 14 January 2014, Google requested the partial suspension of the decision issued by the CNIL's Sanctions Committee on 3 January 2014. The judge of the Conseil d'Etat rejected the claim in an interim ruling handed down on 7 February 2014.

On 3 January 2014, the CNIL's Sanctions Committee issued a decision against Google for infringing several provisions of the French Data Protection Act. It consequently ordered the company to pay an administrative fine of 150 000 € and to publish a communiqué referring to its decision on its homepage. The company asked the Conseil d'Etat (the French supreme administrative court) to suspend this publication order. In a ruling dated 7 February 2014, the judge rejected the request. Google must therefore publish the communiqué for a period of 48 hours in accordance with the modalities set by the Sanctions Committee. This ruling does not prejudge the outcome of the main appeal against the decision, which is still pending before the Conseil d'Etat.

Published: Fri, 07 Feb 2014 15:15:00 +0100

The CNIL's Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.

On 3 January 2014, the CNIL's Sanctions Committee issued a 150 000 € monetary penalty to GOOGLE Inc., considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act.
It ordered the company to publish a communiqué on this decision on its homepage within eight days of its notification.

On 1 March 2012, Google decided to merge the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc., into one single policy. Because of the number of services concerned, nearly all Internet users in France are affected by this decision. The G29 (the French name of the WP29, the working group of all EU Data Protection Authorities) then decided to carry out an assessment of this privacy policy. It concluded that the policy failed to comply with the EU legal framework and accordingly issued several recommendations, which Google Inc. did not effectively follow up on. Consequently, six EU authorities individually initiated enforcement proceedings against the company.

In this context, the CNIL's Sanctions Committee issued a monetary penalty of 150 000 € to Google Inc. on 3 January 2014, considering that it did not comply with several provisions of the French Data Protection Act. In its decision, the Sanctions Committee considers that the data the company processes about the users of its services in France must be qualified as personal data. It also held that French law applies to the processing of personal data relating to Internet users established in France, contrary to the company's claim. On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company in merging its privacy policies. It considers, however, that the conditions under which this single policy is implemented breach several legal requirements:
  • The company does not sufficiently inform its users of the conditions under which their personal data are processed, nor of the purposes of that processing. Users can therefore understand neither the purposes for which their data are collected, which are not specific as the law requires, nor the scope of the data collected across the different services concerned. Consequently, they are unable to exercise their rights, in particular their rights of access, objection and deletion.
  • The company does not comply with its obligation to obtain users' consent before storing cookies on their terminals.
  • It fails to define retention periods for the data it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services, without any legal basis.
These conclusions are similar to those reached by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws. This financial penalty is the highest the Committee has issued to date. It is justified by the number and the seriousness of the breaches found in the case. Furthermore, the Sanctions Committee ordered Google Inc. to publish a communiqué on this decision on its website for 48 hours, within eight days of the notification of the decision. This publicity measure is justified by the extent of Google's data collection, as well as by the need to inform the persons concerned, who are not in a position to exercise their rights.
Published: Wed, 08 Jan 2014 16:54:00 +0100