CNIL (France) - Délibération 2023-076
| CNIL - Délibération 2023-076 | |
|---|---|
| Relevant Law: | Article 14 GDPR; Article 22 GDPR; Article 35 GDPR; Article 36 GDPR |
| National Case Number/Name: | Délibération 2023-076 |
| European Case Law Identifier: | n/a |
| Original Source: | CNIL (in FR) |
The French DPA approved a draft decree and data protection impact assessment carried out by the French Ministry of Interior. The draft decree outlined plans for the development and implementation of a system of algorithmic processing of images collected by aerial video surveillance, to be used during the 2024 Olympic Games for the purpose of identifying terrorism risks.
English Summary
Facts
The Minister of Interior (the controller) asked the French DPA for an opinion on a draft decree made pursuant to Act No. 2023-380 of 19 May 2023. Article 10 of this Act establishes a framework for the development and implementation of a system of algorithmic processing of images collected by aerial video surveillance, to be used during the 2024 Olympic Games for the purpose of identifying terrorism risks. The controller sought to rely on Article 6(1)(e) GDPR (public interest) as the legal basis for the processing. To be lawful, such processing must be regulated either by Union law or by Member State law to which the controller is subject (Article 6(3) GDPR).
In the present case, Act No. 2023-380 of 19 May 2023 is the domestic law which regulates the processing, pursuant to the requirements of Article 6(3) GDPR. Article 10 of Act No. 2023-380 provides that for the processing to be lawful, it first must be authorised by a decree made after obtaining the opinion of the French DPA (CNIL). In pursuit of this, the Ministry of Interior conducted a data protection impact assessment (DPIA) as required by Article 35 GDPR and submitted it alongside the draft decree to the French DPA for approval as necessitated by Article 36 GDPR.
Holding
The CNIL issued a favourable opinion on the draft decree and accompanying data protection impact assessment made pursuant to Act No. 2023-380 of 19 May 2023. The CNIL approved the use of algorithmic processing of images collected by aerial video surveillance as the measures outlined by the controller were deemed to sufficiently mitigate the risks that could arise from the high-risk processing.
In the draft decree and DPIA, the controller exhaustively listed the predetermined events which the algorithmic processing was permitted to detect. The system was designed mainly to detect abandoned objects, and to detect persons only in the instance of a disruptive event through a disturbance of the premises. It was not permitted to detect and process images of persons who were seated on a continuous basis (Article 3 of Act No. 2023-380 of 19 May 2023).
Moreover, Article 2 of the draft decree guaranteed that the data collected would not be used for monitoring or re-identifying persons through biometric and non-biometric data (for example clothing recognition).
Lastly, the CNIL approved the draft decree and DPIA because the controller had put in place the appropriate safeguards under Article 22(3) GDPR by including human intervention in the systematic identification of alerts.
In addition to approving the processing on the above grounds, the French DPA made the following recommendations.
The CNIL requested that the data processed during the design phase systematically be subject to pseudonymisation and blurring techniques to the extent possible. Moreover, the CNIL requested that during the algorithm’s design phase, the Ministry of Interior ensure that the disclosure obligations under Article 14 GDPR were communicated through the controller’s website, paying particular attention to disclosing the place and date of the filmed event, as well as the purpose and potential re-use of the images. The CNIL acknowledged that communications under Article 14 GDPR were not legally necessary, as in the present case, Article 23 GDPR restrictions were applicable. Article 23 GDPR establishes that Union or Member State law to which the controller is subject may restrict the scope of the obligations and rights provided for in Articles 12-22. In this case, domestic national security legislation provided for such restrictions. Nevertheless, the CNIL argued that the Ministry should communicate the above information to ensure “greater transparency and loyalty to the public.”
The CNIL also recommended that, during the implementation phase, the Ministry pay particular attention to the principle of data minimisation (Article 5(1)(b) GDPR) and limit the number of staff authorised to access the data processed. Moreover, it strongly recommended that during the design and implementation phases, no data collected be transferred outside of the EU and that no access to the data collected be granted to foreign authorities.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.