CNIL (France) - SAN-2023-076
From GDPRhub
| CNIL - Délibération 2023-076 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 14 GDPR Article 22 GDPR Article 35 GDPR Article 36 GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 15.06.2023 |
| Published: | 08.09.2023 |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Délibération 2023-076 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | n/a |
The French DPA approved a draft decree and data protection impact assessment carried out by the French Ministry of Interior. The draft decree outlined plans for the development and implementation of a system of algorithmic processing of images collected by aerial video surveillance, to be used during the 2024 Olympic Games for the purpose of identifying terrorism risks.
English Summary
Facts
The Minister of Interior (the controller) requested the French DPA for an opinion on a draft decree made pursuant to Act No. 2023-380 of 19 May 2023. Article 10 of this Act establishes a framework for the development and implementation of a system of algorithmic processing of images collected by aerial video surveillance, to be used during the 2024 Olympic Games for the purpose of identifying terrorism risks. The controller sought to rely on Article 6(1)(e) GDPR (public interest) as a legal basis for the processing, which to be lawful must be regulated either by Union law or Member State law to which the controller is subject (Article 6(3) GDPR).
In the present case, Act No. 2023-380 of 19 May 2023 is the domestic law which regulates the processing, pursuant to the requirements of Article 6(3) GDPR. Article 10 of Act No. 2023-380 provides that for the processing to be lawful, it first must be authorised by a decree made after obtaining the opinion of the French DPA (CNIL). In pursuit of this, the Ministry of Interior conducted a data protection impact assessment (DPIA) as required by Article 35 GDPR and submitted it alongside the draft decree to the French DPA for approval as necessitated by Article 36 GDPR.
Holding
The CNIL issued a favourable opinion on the draft decree and accompanying data protection impact assessment made pursuant to Act No. 2023-380 of 19 May 2023. The CNIL approved the use of algorithmic processing of images collected by aerial video surveillance as the measures outlined by the controller were deemed to sufficiently mitigate the risks that could arise from the high-risk processing.
The controller exhaustively listed in the draft decree and DPIA, the predetermined events which the algorithmic processing was permitted to detect. The system was designed to mainly detect abandoned objects and only detect persons in the instance of a disruptive event through a disturbance of the premises, it was not permitted to detect and process images of persons who were seated on a continuous basis (Article 3 of Act No. 2023-380 of 19 May 2023).
Moreover, Article 2 of the draft decree guaranteed that the data collected would not be used for monitoring or re-identifying persons through biometric and non-biometric data (for example clothing recognition).
Lastly, the CNIL approved the draft decree and DPIA as the controller had ensured the appropriate safeguards under Article 22(3) GDPR, as the controller ensured the inclusion of human intervention in the systematic identification of alerts.
In addition to approving the processing on the above grounds, the French DPA made the following recommendations.
The CNIL requested that the data processed under the design phase systematically be subject to pseudonymisation and blurring techniques to the extent possible. Moreover, the CNIL requested that during the algorithm’s the design phase, the Ministry of Interior ensure that the disclosure obligations under Article 14 GDPR were communicated through the controller’s website, paying particular attention to disclosing the place and date of the filmed event, as well as the purpose and potential re-use of the images. The CNIL acknowledged that communications under Article 14 GDPR were not legally necessary, as in the present case, Article 23 GDPR restrictions were applicable. Article 23 GDPR establishes that Union or Member State law to which the controller is subject, may restrict the scope of obligations and rights provided for in Articles 12-22. In this case, domestic national security legislation provided for such restrictions. Nevertheless, they argued that the Ministry should communicate the above information to ensure “greater transparency and loyalty to the public.”
The CNIL also recommended that during the implementation phase, that the Ministry pays particular attention to the principle of data minimisation (Article 5(1)(b) GDPR) and limits the number of staff authorised to access the data processed. Moreover, it strongly recommended that during the design and implementation phase, no data collected is transferred outside of the EU and that no access to the data collected is granted to foreign authorities.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Go to content
Go to menu
Go to search
Update information Cookie management Contact us
French Republic. Liberty, Equality, Fraternity.
Home Légifrance.fr - the public service for the dissemination of law
National law
in force
Publications
official
Around
of the law
Codification
Annual reports of the Higher Codification Commission
Concordance tables
Legislative and regulatory
Legislative files
Law impact studies
The opinions of the Council of State delivered on draft laws
Law enforcement
Impact sheets for ordinances, decrees and orders
Standard Statistics
Orthotypographic charter of the Official Journal
Independent authorities
Independent administrative authorities and independent public authorities falling under the general status defined by Law No. 2017-55 of January 20, 2017
Authorities not covered by the general statute of independent administrative authorities
Businesses
Tables and timelines of common effective dates
AFNOR standards of mandatory application
Legistics Guide
SVA “Silence equals agreement”
Law and jurisprudence
of the European Union
Right
international
ECHR case law
International jurisdictions
HomeAround the lawAuthoritiesIndependent administrative authoritiesDeliberation 2023-068 of June 15, 2023
Search in:
All contents
In all fields
Search for a word, an expression, a reference… Ex.: L. 121-1, CGI, 10-15056, fraud, protected adults
to research
advanced search
Highlight search terms
To print
Copy text
Deliberation 2023-068 of June 15, 2023
National Commission for Information Technology and Liberties
Nature of the deliberation: Opinion
Legal status: In force
Date of publication on Légifrance: Friday September 8, 2023
NOR: CNIX2323373V
Deliberation No. 2023-068 of June 15, 2023 relating to an opinion on a draft decree relating to the modalities for implementing algorithmic processing on images collected by means of video protection systems and cameras installed on aircraft, taken in application of the Article 10 of Law No. 2023-380 of May 19, 2023 relating to the 2024 Olympic and Paralympic Games and containing various other provisions (request for opinion No. 23006451)
Date of notice: June 15, 2023
Deliberation number: 2023-068
Opinion request number: 23006451
Single regulatory act number: RU-75
Text concerned: Draft decree relating to the modalities for implementing algorithmic processing on images collected by means of video protection systems and cameras installed on aircraft, taken in application of article 10 of law no. 2023-380 of May 19, 2023 relating to the 2024 Olympic and Paralympic Games and containing various other provisions
Themes: 2024 Olympic and Paralympic Games, “augmented” cameras, algorithmic processing.
Basis for the referral: Article 10, V. of Law No. 2023-380 of May 19, 2023 relating to the 2024 Olympic and Paralympic Games and containing various other provisions
The essential :
The draft decree, taken in application of article 10 of the law relating to the 2024 Olympic and Paralympic Games which introduces the possibility of implementing “augmented” camera devices, aims to list the predetermined events that an algorithmic processing may aim to detect.
The system considered is broken down into three phases: design phase, operation phase and improvement and correction phase.
Furthermore, the CNIL recalls that, both for the design phase and for the operation phase, informing people is an essential element to ensure the fairness of processing with the aim of transparency towards the public. This is why it recommends in particular that the exemptions from the right to information provided for during the exploitation phase be particularly limited and specified in the draft decree.
Finally, the CNIL notes that the ministry has carried out, as provided for by law, an abstract impact study relating to data protection (AIPD) of the risks and advantages of the devices which will be tested. She emphasizes that these impact studies must be completed when the systems are chosen and put in place, before their operational deployment.
THE NATIONAL COMMISSION FOR COMPUTING AND FREEDOMS,
Submission by the Minister of the Interior of a request for an opinion concerning a draft decree relating to the modalities of implementation of algorithmic processing on images collected by means of video protection systems and cameras installed on aircraft, taken into account application of article 10 of law no. 2023-380 of May 19, 2023 relating to the 2024 Olympic and Paralympic Games and containing various other provisions;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing the Directive 95/46/EC (general data protection regulation or GDPR);
Considering law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms;
Considering the internal security code, in particular its articles L. 251-1 to L. 255-1, L. 242-1 to L. 242-8, L. 722-1;
Considering article 10 of Law No. 2023-380 of May 19, 2023 relating to the 2024 Olympic and Paralympic Games and containing various other provisions;
After having heard the report of Mr. Claude CASTELLUCCIA, commissioner, and the observations of Mr. Benjamin TOUZANNE, Government commissioner,
ADOPTS THE FOLLOWING DELIBERATION:
I- The referral
A. The context
Law No. 2023-380 relating to the 2024 Olympic and Paralympic Games and containing various other provisions was promulgated on May 19, 2023 (hereinafter the “Law”). Its article 10 establishes an experimental framework allowing the implementation of algorithmic processing for automated analysis of images coming from video protection devices and cameras installed on aircraft in order to detect and report predetermined events in real time.
These treatments cannot be implemented:
that for the sole purpose of ensuring the security of sporting, recreational or cultural events which, by the scale of their attendance or by their circumstances, are particularly exposed to the risk of acts of terrorism or serious attacks on peoples' security ;
only by the national police and gendarmerie services, the fire and rescue services, the municipal police services and the internal security services of the SNCF and the RATP within the framework of their respective missions, which will assume the quality of data controllers.
The CNIL ruled on December 8, 2022 in its deliberation no. 2022-118 on this bill; it noted in particular that the use of these devices raises new and substantial issues in terms of privacy, but nevertheless considered that the guarantees provided make it possible to limit the risks of harm to data and the private lives of individuals and are in line with the meaning of the recommendations formulated in its position on “augmented” cameras published in July 2022.
In its decision of May 17, 2023, the Constitutional Council judged article 10 of the law to be consistent with the Constitution - with a reservation of interpretation - in that it disregards neither the freedom to come and go, nor the principle of safeguarding the dignity of the human person, nor the freedom of collective expression of ideas and opinions, nor the right to security, nor the principle of equality before the law, nor any other constitutional requirement.
B. The subject of the referral
V of article 10 of the law provides that the use of algorithmic processing, referred to in I of the same article, must be authorized by a decree, taken after consulting the CNIL. This decree must set the essential characteristics of the processing and indicate in particular "the predetermined events that the processing is intended to signal, where applicable the specificities of the situations justifying its use, the services mentioned in the same I likely to implement it, the possible conditions of their financial participation in the use of the treatment and the conditions of authorization and training of the agents who can access the treatment reports".
It is in this context that the CNIL was informed by the Ministry of the Interior and Overseas of this draft decree.
It appears from the draft decree that the use of algorithmic processing is broken down into several phases:
The design phase: in accordance with article 4 of the draft decree, this phase must make it possible to identify indicators and relevance criteria characterizing predetermined events likely to present or reveal a risk of acts of terrorism or serious attacks on personal safety. During this phase, configuration can be carried out on the images coming from video protection devices and cameras installed on aircraft with the aim of adapting the algorithm to real conditions of use. As such, the CNIL requests that the wording of article 4 of the draft decree be clarified to be more understandable and accessible. It takes note of the Government's desire to add a new purpose aimed at "configuring tools allowing the detection and reporting in real time, from these images, of predetermined events".
Processing for design purposes is implemented by the State or by a subcontractor in accordance with the provisions of Chapter II of the draft decree. The State, however, has the possibility of acquiring algorithmic solutions which have already been the subject of a design phase by a third-party solution provider. In this hypothesis, article 11 of the draft decree provides that the State must ensure that the processing has been designed in compliance with the requirements of VI of article 10 of the law.
The operation phase: the authorized services implement algorithmic processing in order to detect and report predetermined events in real time under the conditions provided for in Chapter IV of the draft decree. This is a warning, the devices cannot be the basis for an individual decision or prosecution.
The improvement and correction phase: if during the operation phase, a need is identified to improve the quality of detection of predetermined events, the biases or errors can be corrected under the conditions provided for in Chapter II of the draft decree.
The provisions of the draft decree call for the following observations.
II- The opinion of the CNIL
A. On the general provisions
On predetermined events
Article 3 of the draft decree lists the predetermined events that algorithmic processing, referred to in I of Article 10 of the law, is authorized to detect. The CNIL notes that this article clearly provides, in accordance with the aforementioned decision of the Constitutional Council, that such events can only be detected in that they are likely to present or reveal a risk of an act of terrorism or serious threat to personal safety.
The list of predetermined events in article 3 of the draft decree is restrictive such that no algorithmic processing can be designed, acquired by the State or implemented in the operational phase to detect other events. than those listed there.
The predetermined events listed in article 3 appear relevant in the context of the experiment. Their definition calls for the following observations:
Firstly, the CNIL notes that the detection of abandoned objects only aims to identify the abandonment of these objects and therefore does not make it possible to track individuals.
Secondly, with regard to the detection of "non-compliance with the direction of traffic by a person", the CNIL considers that this use case only applies in the hypothesis where a direction of traffic would be imposed on the people. It takes note of the Government's commitment to complete the decree in this regard.
Thirdly, the CNIL considers that the detection of a person on the ground should only concern cases where they have fallen, whatever the cause (for example an accident, discomfort or shock), and not cases where a person sits on the ground continuously. It takes note of the Government's commitment to clarify the decree in this regard.
Subject to the reservations stated above, the CNIL considers that the list of predetermined events falls within the framework of the law.
On common guarantees
Article 2 of the draft decree recalls the guarantees provided by law: processing operations cannot use any biometric data or any facial recognition technique, they cannot carry out any reconciliation, interconnection or automated linking with other processing operations. or even base, by themselves, any individual decision or automated prosecution.
The CNIL takes note of the Government's commitment that the processing will not allow the tracking or re-identification of people, even using data other than biometric (for example through clothing recognition).
The CNIL once again emphasizes the importance of these guarantees, as the Constitutional Council did in its aforementioned decision, indicating that "if such processing has neither the aim nor the effect of modifying the conditions in which these images are collected, it nevertheless carries out a systematic and automated analysis of these images likely to considerably increase the number and precision of the information which can be extracted from them. Therefore, the implementation of such surveillance systems must be accompanied by specific guarantees likely to safeguard the right to respect for private life.
B. On the implementation of processing during the design phase when the latter is carried out by the State or on its behalf
On the legal regime applicable during the design phase
The Government specified that having regard to the purposes pursued:
processing for algorithm design purposes falls under the GDPR;
the processing implemented as part of the exploitation phase falls under Title III of the “data processing and freedoms” law concerning the provisions applicable to processing covered by the “police-justice” directive, with the exception of those implemented implemented by fire and rescue services which are governed by the GDPR.
The CNIL notes in this regard that a decision of the Council of State no. 451653 of July 22, 2022, considered that the processing implemented in this case during the design and learning phase of a system of artificial intelligence responded to the same legal regime (namely Title III of the “Informatics and Liberties” law) as those implemented during the exploitation phase of the system on the grounds that the tools thus designed were aimed exclusively at research of criminal offenses. The Council of State thus seems to consider that the operational use of algorithmic processing in the operating phase being precisely identified from the design phase, the processing operations carried out in the two phases satisfy one and the same overall purpose and must fall under the same regime. legal.
The CNIL, however, takes note of the Government's position considering that the design phase of algorithmic processing will be unique, regardless of who is responsible for the processing in the operating phase and that it cannot be determined during this design phase of the algorithmic processing. whether it will ultimately be used by competent authorities within the meaning of Title III of the “information technology and freedoms” law during the exploitation phase.
On the guarantees implemented and security measures
Paragraph VI of Article 10 of the law provides that the processing must meet a certain number of requirements (on the data used to train the algorithms, on the implementation of traceability measures, prevention of bias, on the terms of interruption of treatment at any time etc.).
In this regard, article 6 of the draft decree provides that only the requirements provided for in the second to fifth paragraphs of VI of article 10 of the law are applicable to the design phase. However, and in accordance with VI of Article 10 of the law, all of the requirements provided for in the same VI (paragraph 1° to 5° inclusive) are applicable to treatments acquired or designed by the State directly or on its behalf. The CNIL takes note of the Government's commitment to modify the draft decree to this effect.
Finally, the CNIL requests that the data processed as part of the design phase be systematically subject to pseudonymization or blurring operations when such operations do not compromise the technical quality of the processing. The CNIL notes the Government's commitment to follow this request as far as possible.
On the information of the persons concerned
Informing people is an essential element to ensure the fairness of processing with the aim of transparency, right from the design phase of algorithmic processing.
Article 10 of the draft decree provides, for the design phase, information for the persons concerned on the basis of Article 14 of the GDPR. The CNIL insists on the need, for the Ministry of the Interior as data controller during this phase, to provide the persons concerned, at least on its website, with all the information referred to in Article 14 of the GDPR and particularly the location, date of the event filmed and the purpose of reusing the images.
The CNIL emphasizes the usefulness of anticipating, as much as possible, the identification of events for which images from video protection devices and cameras installed on aircraft could be useful in the design of algorithms. Indeed, in this hypothesis the persons concerned could be informed in advance, by the data controllers having implemented these video protection devices or these cameras installed on aircraft, in accordance with article 13.3 of the GDPR, of the reuse, by the Ministry of the Interior, images concerning them for the purposes of designing algorithmic processing. Such anticipation and the prior nature of the information given to people would ensure better transparency and loyalty towards the public. In this hypothesis, if the Government would not be required to inform people in accordance with article 14.5.a) of the GDPR, the CNIL recommends that it provide people with general information containing at least the place and date of the events. concerned and the purpose of the reuse.
In any case, the CNIL insists on the need to provide understandable and accessible information in order to enable the persons concerned to become aware of the precise conditions under which their data may be collected and for what purposes.
C. On the implementation of treatments during the operating phase
On buyers
Article 15 of the draft decree lists the agents of the various services responsible for processing who are authorized to access reports of the algorithmic processing implemented.
If only individually designated and specially authorized agents within the limits of their need to know will be able to access these reports, in practice, the number of these accessors could quickly increase.
In this regard, taking into account the innovative nature and high technicality of these algorithmic treatments, the risks that they may inherently imply for individual freedoms and their unprecedented deployment in real conditions, the CNIL recommends:
to limit the number of authorizations granted to what is strictly necessary, for example by raising the level of authorization;
to expand the training of agents for the purposes of being authorized, provided for in II of article 15 of the draft decree, at least in the operational and technical functioning of the tool made available. The CNIL takes note of the Government's commitment to clarify the draft decree in this regard;
to provide a doctrine for the use of algorithmic processing to the services responsible for processing and to authorized agents.
If the content of the training cannot be defined in the decree, the CNIL considers in the state of the project that the requirement of V of article 10 of the law according to which the decree must indicate "the conditions of authorization and training of agents who can access processing reports" is not entirely satisfied. Indeed, these training methods present major challenges given the unprecedented nature of the deployment of these systems.
Finally, III of Article 15 of the draft decree provides that “processing reports are subject to control by staff responsible for supervising the implementation of the processing”. This provision is particularly imprecise, particularly as to the type of control carried out, their purpose and the personnel targeted. The CNIL notes the Government's commitment to specify the nature of the control in the draft decree.
On possible access to data outside the European Union
It appears from the opinion of the ministry's data protection delegate on the AIPD transmitted by the Government that:
for processing covered by Title III of the “information technology and freedoms” law, no transfer of data outside the European Union is authorized in accordance with the regulations;
for processing subject to the GDPR, transfers of personal data outside the European Union may take place in the event of hosting of the algorithm or the data resulting from it (processing carried out outside the EU by a subcontractor) or via the use of a subcontractor located in the EU but subject to third-party extraterritorial law (access in the event of data requisition by foreign authorities).
This opinion indicates in this regard that it will be necessary to add to the AIPD a firm warning against the risks of transfer or potential transfer without appropriate guarantees. The CNIL considers that this warning alone cannot be sufficient and recalls that:
possible transfers of data to a country not subject to an adequacy decision by the European Commission cannot take place without being strictly supervised by appropriate guarantees or justified with regard to the exemptions authorized by Article 49 of the GDPR. In the absence of such guarantees, these transfers cannot take place;
those responsible for algorithmic processing using a subcontractor subject to third-party extraterritorial law must ensure that the latter provides sufficient guarantees in accordance with Article 28 of the GDPR, in particular by checking whether local legislation and practices are likely to allow foreign authorities to access data stored on the territory of the European Union.
In any case, the CNIL strongly recommends, given the sensitivity and unprecedented nature of the algorithmic processing envisaged, that no transfer of data outside the EU or access to data by foreign authorities can take place, as long as both in the design and operational phases.
On the information of the persons concerned
As the CNIL recalled in its deliberation on the bill on the 2024 Olympic and Paralympic Games, informing people “is essential to allow the deployment of “augmented” camera devices in a climate of confidence in the with regard to public authorities.
In this regard, public information is provided for in Article 17 of the draft decree (in application of Articles 104 of the “Informatics and Freedoms” law or 14 of the GDPR depending on the deployment considered and the applicable legal regime). However, these articles are applicable in cases where the personal data would not have been
Furthermore, the CNIL recalls, as it explained in its July 2022 position on the conditions for deployment of “augmented” cameras that, if it is necessary for this information to be provided in clear and simple terms in accordance with the GDPR and the “information technology and freedoms” law, such information will not be sufficient. Indeed, this will have to be adapted to the contactless and innovative nature of these technologies. Therefore, a simple update of the display panels of a video protection or drone system is not enough. It will be essential to bring to the attention of those concerned the central information of the system, which resides in the "augmented" nature of the cameras and also to explain the characteristics and scope of such an analysis. The CNIL therefore strongly emphasizes the need to systematically provide information methods directly at the locations where images are captured and on suitable media (dedicated information panels, videos, QR codes, ground markings, sound announcements, etc.). ). Finally, when the State acquires an algorithmic solution from a third-party supplier, the CNIL recommends that information be provided on this acquisition in order to allow the persons concerned to become aware of the conditions under which the algorithm was designed.
If the law provides for the possibility of excluding information from individuals in cases where such information would conflict with the purposes pursued, the CNIL nevertheless considers that the implementation of these processing operations cannot in principle be carried out at the same time. unknown to the public given the unprecedented nature of the deployment of these devices. The transparency and fairness of these treatments, ensured by clear and accessible information to the public, constitute for the CNIL an essential guarantee of this experiment. The CNIL therefore recommends that the hypotheses in which the exclusion of people's information would prove necessary must be particularly limited and expressly specified in the draft decree. As such, the CNIL takes note of the Government's clarification according to which the law has provided for this exclusion in order to coordinate with the legislative provisions relating to cameras installed on aircraft and that consequently the information of persons will not be excluded. only in cases where aircraft are themselves deployed in conditions which exclude the information of people.
In any case, it will be up to the data controller to ensure, where applicable, the conditions under which the right to information could be excluded with regard to the applicable regime. It will be up to him in particular to verify whether partial information, relating to the principle of using “augmented” cameras, can be considered without compromising the security of the event.
On the data protection impact assessment (DPIA)
In accordance with V of article 10 of the law, the decree is accompanied by an AIPD which sets out in particular:
the expected benefit of the use of algorithmic processing with regard to predetermined events giving rise to reporting by the system;
the possible risks created by the use of “augmented” camera devices;
the measures envisaged in order to minimize them and make them acceptable during their operation.
The CNIL recalls that the creation of such a so-called “framework” AIPD is intended to constitute the reference base of the minimum guarantees to be implemented by all the data controllers referred to in I of Article 10 of the law, with regard to the risks identified in the context of the use of algorithmic devices. It notes, however, that the risk analysis carried out by the Government within this "framework" AIPD is necessarily limited at this stage, in the absence of knowledge of the precise characteristics of the algorithmic solutions which will be acquired from third parties or developed in-house. .
This is why the CNIL notes that the “framework” AIPD which was submitted to it will be completed in two stages:
first of all by the Government following the call for tenders from solution providers (in particular on the parts relating to subcontracting and the security of operation of the solution), before transmit it again to the CNIL and the data controllers;
then, and in accordance with article 13 of the draft decree, by the data controllers who must complete this AIPD "framework" with the particular characteristics of each of the algorithmic processing operations implemented.
The CNIL also notes that the AIPD "framework" for algorithmic processing must be carefully articulated with those of other processing subject to AIPD: on the one hand an AIPD "design" which will be carried out by the Ministry of the Interior on the design algorithmic processing; on the other hand and above all, the AIPD applicable to video protection systems whose images will be used by algorithmic processing. In particular, the CNIL notes that the risks linked to the compromise of images are mainly dealt with in the video protection AIPD and not in that on algorithmic processing.
In this context, the CNIL draws the attention of data controllers to the fact that it will not only be a question of informing some particularities of implementation within the "framework" AIPD, but of assessing the risks created by each algorithmic solution and the measures considered to minimize them. It will be the responsibility of data controllers in particular to complete the AIPD concerning the implementation of algorithmic processing in connection with the AIPD on the implementation of processing originating from video protection systems, concerning:
technical and organizational measures for consulting images relating to detected events, their recording and possible unloading of video content;
specific organizational measures for the intervention of subcontractors who will install and configure the solutions and ensure that they are maintained in operational conditions.
In this regard, the CNIL notes the Government's commitment to provide an employment doctrine to the services responsible for processing, referred to in I of Article 10 of the law, concerning in particular:
the content of the reports made and the action taken;
the content of people’s information;
the methods of human control of reports.
The CNIL invites the government to adapt the employment doctrine according to the recipient services, to remind everyone of the specificities of the legal framework that applies to them and the particularities of use of the system in the context of their missions.
The president
Marie-Laure DENIS
Return to top of page
About this version Legal notices Privacy policy Site map Open data and API Accessibility: partially compliant
service-public.fr vie-publique.fr data.gouv.fr Digital labor code government.fr
Your opinion
