CNIL in English: CNIL's latest news (EN) http://www.cnil.fr/
GOOGLE’s new privacy policy: CNIL sends a detailed questionnaire to Google http://www.cnil.fr/nc/la-cnil/actualite/article/article/googles-new-privacy-policy-cnil-sends-a-detailed-questionnaire-to-google/
As announced on February 28, the CNIL sent Google a detailed questionnaire on its new privacy policy. The questionnaire includes 69 precise questions and aims at clarifying the consequences of this new policy for Google’s users, whether they have a Google Account, are non-authenticated users, or are passive users of Google’s services on other websites (advertising, analytics, etc.). Google’s answers will serve to assess whether the combination of data across services complies with the European data protection framework.
The CNIL asked Google to provide written responses by April 5.
The CNIL prepared this questionnaire on behalf of and in cooperation with the Article 29 Working Party, which gathers the EU data protection authorities. The CNIL has been designated to lead the investigation in Europe regarding the new privacy policy.
News EN Mon, 19 Mar 2012 14:34:00 +0100
Google’s new privacy policy raises deep concerns about data protection and the respect of the European law http://www.cnil.fr/nc/la-cnil/actualite/article/article/googles-new-privacy-policy-raises-deep-concerns-about-data-protection-and-the-respect-of-the-euro/
The Article 29 Working Party invited the CNIL to take the lead in the analysis of Google’s new privacy policy. Preliminary findings show that Google’s new policy fails to meet the requirements of the European Data Protection Directive (95/46/CE) regarding the information that must be provided to data subjects. Moreover, the CNIL and the EU data protection authorities are deeply concerned about the combination of data across services and will continue their investigations with Google’s representatives. The CNIL reiterated its request to Google to postpone the application of the new policy, on behalf of the Article 29 Working Party. By letter of 2 February 2012, the Article 29 Working Party invited the CNIL to take the lead in the analysis of the announcement by Google of a new privacy policy that will be effective on 1 March 2012.
The CNIL and the EU data protection authorities regret that Google did not agree to delay the application of this new policy, which raises legitimate concerns about the protection of the personal data of European citizens.
While the CNIL and the EU data protection authorities welcome Google’s initiative to streamline and simplify its privacy policies, they firmly believe that this effort should not be conducted at the expense of transparency and comprehensiveness. By merging the privacy policies of its services, Google makes it impossible to understand which purposes, personal data, recipients or access rights are relevant to the use of a specific service. As such, Google’s new policy fails to meet the requirements of the European Data Protection Directive (95/46/CE) regarding the information that must be provided to data subjects. Google should supplement existing information with processing- and purpose-specific information. Moreover, rather than promoting transparency, the terms of the new policy and the fact that Google claims it will combine data across services raise fears and questions about Google’s actual practices. Under the new policy, users understand that Google will be able to track and combine a large part of their online activities thanks to products such as Android, Analytics or its advertising services. For instance, the new policy would allow Google to display on YouTube ads that are related to the user’s activity on their Android phone (personal number, calling party numbers, date and time of calls) and to their location data. The impact on privacy and data protection is all the more important, given that Google represents more than 80% of the European search engine market, around 30% of the European smartphone market, 40% of the global online video market and more than 40% of the global online advertisement market; Google Analytics is also the most popular analytics tool in Europe. In addition, the use of cookies (among other tools) for these combinations raises issues related to Google’s compliance with the principle of consent laid down in the revised ePrivacy Directive (2002/58/CE).
The CNIL and the EU data protection authorities are deeply concerned about the combination of data across services and have strong doubts about the lawfulness and fairness of such processing. They intend to address these questions in detail with Google’s representatives. As a preliminary step, the CNIL has sent a letter to Google setting out these concerns. Considering the preliminary findings of the investigation, the CNIL reiterated the request to Google to postpone the application of the new policy, on behalf of the Article 29 Working Party.
headline Tue, 28 Feb 2012 11:34:00 +0100
French Data Protection Officers are ready for the European Data Protection Day http://www.cnil.fr/nc/la-cnil/actualite/article/article/french-data-protection-officers-are-ready-for-the-european-data-protection-day/
The celebration of European Data Protection Day, whose 6th edition is held on January 28, 2012, will give all independent data protection authorities in the EU an opportunity to remind everyone of their elementary right to privacy. This year, the CNIL has developed a “Communication tool-kit” designed for the Correspondant Informatique et Libertés (CIL - French Data Protection Officer) in order to promote the law and their profession.
French Data Protection Officers regularly express their wish to be supported and helped by the CNIL to promote the Data Protection Act and their profession through communication actions. This need is particularly acute on the eve of the European Data Protection Day, organized every year on January 28 since 2007.

In that context, the CNIL has attempted to meet their expectations by providing them with a "communication tool-kit". This Kit includes posters, stickers and postcards dedicated to the CIL duties and to the European Data Protection Day.

These tools pursue a double objective:
• to make the CIL more visible within its organization;
• to spread the Data Protection culture as widely as possible.

In that regard, a questionnaire on Data Protection in daily practice is also available to French DPOs. It is aimed at raising the awareness of their colleagues, clients, family or friends, in a playful and interactive manner.

This "communication tool-kit" comes in addition to the tools provided by the CNIL on its website and to those exclusively dedicated to CIL available on the extranet.

It will usefully contribute to improving compliance with the Data Protection Act and the rights it grants to any person whose data are processed.
News EN Wed, 01 Feb 2012 18:08:00 +0100
Draft EU Regulation on data protection: the defense of data protection driven apart from citizens http://www.cnil.fr/nc/la-cnil/actualite/article/article/draft-eu-regulation-on-data-protection-the-defense-of-data-protection-driven-apart-from-citizens/
Data protection and privacy have been a major public policy issue for France and the European Union for several years. Globalization and the rise of digital technology make it necessary to review the existing EU legal framework. On 25th January, the European Commission therefore adopted a draft EU Regulation and Directive reforming the EU framework of data protection. As this is a historic moment, it is essential to take the full measure of it as it will be the new landscape of...
The CNIL recognizes that the proposed regulation provides substantial improvements that were expected and necessary. Citizens' rights are thus largely strengthened: recognition of a right to be forgotten, right to the portability of data and clarification of the rules relating to consent and to the exercise of rights. At the same time, companies benefit from a simplification of administrative burdens while being subjected to increased obligations, as the draft regulation intends to require companies to designate Data Protection Officers and to implement internal procedures to ensure the implementation of data protection principles (audits, registers, privacy by design ...). The CNIL also welcomes the strengthening of the sanctioning powers of national data protection authorities as well as the call for increased cooperation at the European level. However, the CNIL considers that the proposed procedures to implement the system are not optimal and will not ensure an effective implementation of the suggested improvements. The CNIL is particularly concerned about the risk of an increased distance between European citizens and their national authorities. Indeed, by proposing that the competent authority is the one where the main establishment of a company is located, regardless of the public targeted by its activity, the draft reduces national authorities to playing the role of a mailbox. In practice, this means that where a web user has a problem with a social network whose main establishment is in another member state, the complaint will be handled by the authority of the latter. Such a reform will strengthen the bureaucratic and distant image of the European institutions and will largely deprive citizens of the protection offered by their national authority. The CNIL is strongly opposed to such a criterion, which will constitute a real regression for citizens’ rights.
It would be paradoxical if citizens' data protection rights ended up being less protected than the rights they enjoy under consumer law, which favours jurisdiction based on the consumer's place of residence. Broadly speaking, the CNIL considers that the scheme proposed by the European Commission leads to a centralization of the regulation of privacy in the hands of a limited number of authorities. The European Commission will also benefit from significant normative power.
headline Tue, 31 Jan 2012 15:06:00 +0100
Smartphone and privacy: Best Friends Forever? http://www.cnil.fr/nc/la-cnil/actualite/article/article/smartphone-and-privacy-best-friends-forever/
iPhone, Android phone, Windows Phone, BlackBerry ... These smart devices have already been bought by 17 million people in France, attracted by their varied features and by price discounts offered by operators. CNIL, the French data protection authority, tried to better understand the way French citizens use these new technological devices. What kind of personal data do they store on them (pictures, contacts info, bank details, PINs, medical information)? Are people aware of the...

Key findings:

The smartphone, a universal device that adapts to each of us

  • Each age group has its requirements and favorite activity: 15-17 year olds for connection to their network and entertainment (30%), “multitasking” for 25-49 (30%) and “simple” communication for 50 and over (35%).
  • 22% of users store pictures on their smartphone and yet think it might be embarrassing to do so.
  • Half of smartphone owners are interested in the possibility to store loyalty cards and coupons (51%) or medical data (46%), especially for 50 and over (54%). Attractive new uses (for comfort or safety needs) seem very hungry for personal data: this issue will be a lasting one.

A companion for every moment

  • 7 out of 10 never turn their smartphone off...
  • ... and more than 1/4 turn it off only to go to sleep!

Which kind of data?

  • 89% store contact details and data, 86% multimedia data (photos / videos for 75%, calendar for 52%, notes and to-do lists for 41%...)
  • 40% of smartphone owners store somewhat “secret” data (bank info for 7%, PINs for 17%, access codes to buildings for 17%, medical information for 3%).
  • Globally, smartphone owners limit the storage of data if they consider them sensitive, such as bank details, codes or confidential files. In contrast, photos, videos or contact data are subject to fewer precautions.

A global lack of protection

  • 65% of smartphone owners think that the data stored in their phones are not well protected.
  • But 30% say they have no access code on their phone at all.
  • 64% do not see the point or think that it is not possible to install an antivirus on a smartphone (20% of Android phone owners have already installed one).

Opacity of personal data uses

  • 51% believe that data from a mobile phone can’t be stored or transmitted without their consent.
  • 46% think that the geolocation info will not be communicated without their consent.
  • Nearly half of respondents check, at the time of downloading, which kind of data an application requires... but 71% rarely or never read general terms and conditions of use.

Focus on geolocation issues

  • 55% of smartphone owners have already used a geolocation service of some kind, especially for the practical aspects of service: traffic info, maps, directions, location-based services...
  • 97% of users of location-based services deem it important to know how their location data are used.
  • And 65% of parents would likely use a feature to locate their children…

Actually, are teens an example to follow?

  • 82% of 15-17 year olds believe it is a bad practice to record their secret codes (against 76% on average).
  • 37% of 15-17 year olds use a specific lock code (against 31% on average).
  • 30% have finely tuned access to information they post on social network services (against 19% on average).

SECURITY AND CONTROL:  CNIL’s 10 privacy tips

  1. Do not record confidential information (PINs, access codes, bank account ...) in your smartphone (to avoid risks of theft, hacking, identity theft ...).
  2. Do not disable the PIN code and change the operator’s default one. Choose a somewhat “complicated” code. Not your birthday!
  3. Set up an autolock time for the phone. In addition to the PIN, it will lock the phone after a while. This prevents the access to data in the phone if lost or stolen.
  4. When possible, enable encryption of the phone’s backups on your computer. For this, use the settings of the platform with which you connect the phone. This action will ensure that no one will be able to use your data stored on the computer without the password you set.
  5. Install an antivirus when possible.
  6. Write down the "IMEI" number of your phone. It can be used to remotely lock your telephone, if lost or stolen.
  7. Do not download applications from unknown sources. Prefer official platforms.
  8. Check as closely as possible what data an application you’re installing will have access to.
  9. Read the terms and conditions of service before installing an app. User reviews may also be useful!
  10. Adjust the settings in the phone or in the location-based applications (Twitter, Foursquare, Plyce ...) to always control when and by whom you want to be geolocated. Turn off the GPS or WiFi when you are not using a location-based application.

Closing comments by Isabelle FALQUE-PIERROTIN, CNIL chairwoman: “Given their increasing role in everyday life, smartphones will represent a major subject of interest for CNIL in 2012. We want to inform users to help them better secure and control their personal data. We will also analyze and understand this particular ecosystem to provide manufacturers and application developers with best practices helping them offer more privacy-friendly products and services.”
News EN Tue, 03 Jan 2012 17:53:00 +0100