Priority topics for investigations in 2023: "smart" cameras, mobile apps, bank and medical records

21 March 2023

The CNIL carries out checks on the basis of complaints received, current events, but also annual priority topics. In 2023, it will focus on the use of "smart" cameras by public actors, the use of the file on personal credit repayment incident, the management of health files and mobile apps.

Each year, the CNIL conducts hundreds of investigations (345 in 2022) which may be the result of complaints, data breaches report or events in the news.

The CNIL also defines priority themes in order to direct its investigation policy towards subjects of high public interest and to assess the compliance of the chosen sectors.

The use of “smart” cameras by public actors

The development of so-called "smart" cameras, particularly by local authorities, is the subject of numerous questions regularly asked to the CNIL. The use of these devices is planned in particular in the context of large-scale sporting events scheduled in 2023 (Rugby World Cup) and 2024 (Olympic Games).

The CNIL has made the use of "smart" cameras a priority in its 2022-2024 strategic plan. As a result, the CNIL initiated a series of actions that include support for private and public players, but also investigations.

Thus, the CNIL organized a public consultation after which it took a position on this technology. The CNIL then decided to make this subject a priority for its investigations in 2023. This will enable it to verify compliance with the legal framework by public players.

The use of the personal credit repayment incidents file

The Banque de France's file on personal credit payment incidents (FICP) records information on payment incidents linked to overdrafts and loans granted for non-business purposes, as well as information on overindebtedness. It is mandatory for banks to consult it, particularly before granting credit.

Entries in this file therefore represent a particularly strong challenge, since they can hinder individuals in their subsequent actions and their relations with banks. The accuracy of the data contained in the file, the length of time it is kept and compliance with the conditions for managing the file are therefore crucial.

The checks will focus on the conditions under which banks access the file, extract information from it and keep it up to date after payment incidents have been cleared.

Access to the electronic patient record in health care institutions

In recent years, the CNIL and the ministry in charge of health have exchanged a great deal of information on health data security, for example concerning the general policy on the security of health information systems (PGSSI-S), the shared medical file (DMP), the health professional card (CPS-eCPS), the "pro Santé connect" service, etc. These various systems have been the subject of numerous requests for advice and opinions.

The security of health data, which had already been selected as a 2020 and 2021 CNIL’s topics for investigation, remains an issue that the CNIL still encounters in a large number of cases and that concerns all health establishments.

The CNIL already initiated checks on access to the computerised patient file in 2022 and will continue in 2023.  

This choice was made following complaints received by the CNIL about unauthorised third-party access to the patient file in health establishments.

The checks will also examine all the measures put in place to ensure data security.

User tracking by mobile applications

Phone manufacturers provide application publishers with identifiers that allow users to be tracked for advertising, statistical or technical purposes (Apple IDFA, IDFV, Google AAID, etc.). The systematic use of these identifiers, the "mobile" equivalent of the massive use of cookies on websites, is often carried out without the information or consent of users.

Following the amendment of the recommendation on the use of cookies and other tracking devices, several checks have already been carried out on applications that access identifiers generated by mobile operating systems in the absence of user consent. The CNIL will continue its investigations in 2023.

As a reminder, the CNIL is conducting parallel work on good practices in the development of mobile applications.

Data Protection Officer (DPO): EU-wide investigations in 2023

Following a first coordinated enforcement framework of the European Data Protection Board on the cloud in 2022, the CNIL and its counterparts will organise a similar action in order to check the appointment and of a data protection officer (DPO).

Indeed, DPOs play an essential role in ensuring effective compliance with data protection legislation and promoting the rights of data subjects. They must therefore be provided with sufficient and appropriate resources to carry out their tasks.

Read the EDPB press release