CNIL - MED-2019-027

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 24(1) GDPR; Article 24(2) GDPR; Article 25(1) GDPR; Article 25(2) GDPR; Law "informatique et libertés"; Order of 13 October 2004

Type: Investigation
Outcome: Violation found
Decided: 12.11.2019
Published: 4.12.2019
Fine: None
Parties: French Ministry of Internal Affairs
National Case Number: MED-2019-027
European Case Law Identifier: n/a
Appeal: Conseil d'Etat
Original Language: French

Original Source: CNIL (in FR)

The Ministry of Internal Affairs has been ordered to ensure a sufficient level of security for the personal data collected by automatic speed cameras.

English Summary

Facts and questions arising

A speed camera calculates the average speed of a vehicle using checkpoints placed along the road. Each checkpoint is equipped with an automatic vehicle licence plate recognition system ("LAPI"), which records licence plates and the exact time each car passes.

If the maximum speed limit is exceeded, the LAPI automatically sends the data to the relevant public authority which then sends a fine.

Thus, these speed cameras process data on all the vehicles passing by the checkpoints, regardless of their speed. This information constitutes personal data on the drivers. Therefore, these devices must comply with the GDPR and the French law "Informatique et Libertés".

The CNIL carried out investigations focusing on the data collection and on the implementation of the principle of data protection by design and default.

Holding

The CNIL ordered the Ministry to comply with Articles 24 and 25 GDPR regarding the collection and further processing of personal data linked to vehicles flashed by automatic speed cameras. First, it found that the mechanism used for the processing of the drivers' personal data did not guarantee a sufficient level of security. Secondly, it found that the personal data were stored beyond the time limits provided for by the Order of 13 October 2004 creating the automated control system database.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the French original for more details.

Decision MED-2019-027 of 12 November 2019

National Commission for Information Technology and Civil Liberties
Decision No MED 2019-027 of 12 November 2019 giving formal notice to the Ministry of the Interior
Status: EFFECTIVE

The President of the National Commission on Information Technology and Civil Liberties,

Having regard to Convention No. 108 of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data;

Having regard to Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data and repealing Council Framework Decision 2008/977/JHA;

Having regard to the Criminal Code;

Having regard to the Code of Criminal Procedure, in particular Article 9 thereof;

Having regard to the Highway Code, in particular Article L. 130-9, paragraph 4 thereof;

Having regard to Law No. 78-17 of 6 January 1978 as amended relating to data processing, data files and liberties, in particular Article 20 thereof;

Having regard to decree n° 2019-536 of 29 May 2019 taken for the application of law n° 78-17 of 6 January 1978 relating to data processing, files and liberties;

Having regard to the amended Order of 13 October 2004 creating the automated control system;

Having regard to deliberation n° 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Civil Liberties;

Having regard to the deliberation n° 2013-215 of July 11, 2013 giving an opinion on a draft order modifying the order of October 13, 2004 creating the automated control system;

Having regard to Decision n° 2018-071C of 30 March 2018 of the President of the National Commission for Data Processing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the compliance with the law of 6 January 1978 as amended of the automated control processing implemented by the Ministry of the Interior and provided for by the Order of 13 October 2004 as amended, creating the automated control system as well as any related processing;

Having regard to the control reports n° 2018-071/1 of 6 September 2018, n° 2018-071/2 of 17 October 2018 and n° 2018-071/3 of 4 December 2018;

Having regard to the other documents in the file;

On the operation of the section speed cameras

The average speed field equipment (hereinafter referred to as ETVM or section speed cameras) calculates the average speed of a vehicle between two points on a section of roadway, in accordance with Article L. 130-9, paragraph 4, of the Highway Code.

The implementation of section speed cameras involves the collection and processing of data relating to all vehicles travelling on the section being monitored, and not only those of vehicles in breach of the law.

Indeed, the section speed cameras are composed of two checkpoints placed several kilometres apart on the roadway, at the entrance and exit of the controlled section. These terminals are equipped with an automatic vehicle licence plate recognition (LAPI) system that reads the licence plates and records the exact time of passage.

At the exit point, a software program calculates the average speed of each vehicle on the section based on the distance travelled in relation to the time of passage.

If the maximum authorised speed is exceeded, the ETVM automatically sends the data of the vehicles concerned to the National Automated Control Processing Centre in Rennes (hereafter the CNT), which is responsible for sending the ticket.

On the framework laid down by the Order of 13 October 2004 for the processing of personal data collected by the section speed cameras

The processing of personal data carried out by the section speed cameras is governed by Article 2-1 of the Order of 13 October 2004 creating an automated control system.

The Ministry of the Interior asked the Commission nationale de l'informatique et des libertés (hereinafter the CNIL or the Commission) for an opinion on the amendment of the aforementioned order, and the Commission issued its opinion on 11 July 2013.

Article 2-1 I of the Order of 13 October 2004 stipulates that the section speed cameras collect the following information: photographs of the vehicle and its passengers, the place, date and time of the photographs, the vehicle's lane of travel and the vehicle's registration number.

Processing of personal data by competent authorities for the purpose of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties shall fall within the scope of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 (hereinafter referred to as Directive (EU) 2016/680).

Directive (EU) 2016/680 has been transposed into French law by Act No. 2018-493 of 20 June 2018 within Chapter XIII of the Act of 6 January 1978.

By Order No. 2018-1125 of 12 December 2018, the Government proceeded to rewrite the whole of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms.

As a result, since the transposition of the above-mentioned directive and the entry into force of the above-mentioned ordinance on 1 June 2019, the processing of personal data from section speed cameras is covered in particular by Articles 87 et seq. of Title III of the Act of 6 January 1978. As provided for by the aforementioned Article 87, such processing also remains subject to the other relevant provisions of the Law of 6 January 1978, subject to the special provisions contained in Title III of the said Law.

III- Failures to comply with the provisions of the Act of 6 January 1978

Pursuant to Decision No. 2018-071C of 30 March 2018 of the President of the Commission, a delegation from the CNIL carried out three on-site inspections: on 6 September 2018 at the CNT, on 17 October 2018 at the service provider responsible for operational maintenance of the section speed cameras and on 4 December 2018 on the departmental road 213 in Saint-Nazaire, which is equipped with a section speed camera.

Failure to comply with the obligation to observe a data retention period proportionate to the purpose of the processing operation.

In application of the law of 6 January 1978, personal data may only be kept for a period of time strictly proportionate to the purpose of the processing implemented.

In this sense, article 4-5° of the law of 6 January 1978 provides that personal data must be kept in a form that allows the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed. Article 87 of the Law of 6 January 1978 also provides that the processing shall ensure, in particular, the proportionality of the storage period of personal data, taking into account the purpose of the file and the nature or seriousness of the offences recorded.

Furthermore, Article 2-1 III of the Order of 13 October 2004 provides that when no offence against the maximum authorised speed is recorded, the data collected and the corresponding calculated average speed shall be deleted as soon as possible, within a maximum period of 24 hours. Furthermore, in the event of an infringement, Article 3 of that Order stipulates that the data may not be kept for more than ten years ...

With regard to retention periods, the Delegation of Supervision was informed that all number plates collected by the LAPI system of the section speed cameras are kept in the ETVM in their entirety for 24 hours and then truncated by removing the second and penultimate characters of the registration number. The data are sent back to the CNT twice a day.

The delegation was informed that the retention of the truncated licence plate number is carried out for technical maintenance purposes and, more specifically, for the analysis of the matches made between the data collected by the input and output terminals in order to ensure the proper functioning of the system.

Firstly, the delegation noted that complete and truncated licence plate numbers which do not concern infringing vehicles have been kept on the inspected ETVM since 26 November 2017 for complete numbers (i.e. for more than 13 months) and since 9 July 2014 for truncated numbers (i.e. for more than 4 years).

However, the registration plate numbers of vehicles that are not in breach must not be kept for more than 24 hours in accordance with the provisions of the Order of 13 October 2004 as amended. Article 2-1 of the Order provides that "where no infringement of the maximum authorised speed is detected, the data collected and the corresponding calculated average speed shall be deleted as soon as possible, within a maximum period of 24 hours".

On this point, in its opinion of 11 July 2013, the CNIL considered that the data must be deleted as soon as possible after vehicles that have not committed an offence pass the exit terminal, and noted that the data relating to vehicles that have not committed an offence are not transmitted to the National Processing Centre (CNT) and are therefore not recorded in the automated control system, as provided for in draft Article 2-1 (III) of the amended Order of 13 October 2004. Article 3 of the said Order is also amended to expressly mention that only data relating to offending vehicles are recorded in the automated control system. It had also noted that data relating to vehicles that are not in breach are stored locally for 24 hours in the speed camera terminals. Although the hard disk capacity of the speed camera terminals allows for storage for seven days, an automatic process is used to delete the data after 24 hours by means of a line deletion command. Each time the system is restarted (every 24 hours), it checks that the deleted data has been purged.

The CNIL points out that truncated licence plate numbers constitute personal data, as long as they are coupled, as in this case, with a timestamp and the location of the section speed camera and are likely to be cross-checked with other data, in particular photos of the vehicle and its passengers. Thus, the 24-hour retention period applies both to full registration plate numbers and to registration plate numbers truncated by removing the second and penultimate characters, since the amended Order of 13 October 2004 does not make any distinction on this point.

Secondly, during the check on 6 September 2018, the delegation noted the presence of messages relating to offences, containing data on vehicles that had exceeded the authorized speed limit, transmitted to CNT to give rise to a ticket, which had been kept at CNT since 1 September 2005 (i.e. for more than 13 years).

However, the amended Order of 13 October 2004 provides that the data must not be kept for more than 10 years. Article 3 provides that data may not be kept for more than ten years, without prejudice to the possibility for the driver of a vehicle to request their erasure under the conditions laid down in Article L. 130-9 of the Highway Code.

Thirdly, the delegation noted the presence of messages relating to offences that had failed to be sent to the CNT and which had been kept on the inspected ETVM since 2 January 2015, i.e. for more than three years.

However, the data constituting an offence message not sent to the CNT should not be kept for more than one year after the photograph was taken, after which time tickets are time-barred, pursuant to article 9 of the Code of Criminal Procedure, and the vehicle data can therefore no longer be used to issue a ticket.

All of these facts constitute a breach of the obligations provided for in Articles 4-5° and 87 of the Act of 6 January 1978, which stipulate in particular that the data controller is required to ensure the proportionality of the storage period for personal data, taking into account the purpose of the file and the nature or seriousness of the offences recorded.

Failure to comply with the obligation to ensure the security of personal data

Pursuant to the law of 6 January 1978, it is the responsibility of the data controller to ensure the security of personal data.

Thus, article 4-6° of the law of 6 January 1978 provides that personal data must be processed in such a way as to ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, or access by unauthorised persons, using appropriate technical or organisational measures.

In addition, Article 99 of the Act of 6 January 1978 provides as follows: I. - In order to demonstrate that the processing is carried out in accordance with this title, the data controller and its processor shall implement the measures provided for in Articles 24 and 25 (1 and 2) of Regulation (EU) 2016/679 of 27 April 2016 and those appropriate to ensure a level of security appropriate to the risk, in particular with regard to the processing of special categories of personal data mentioned in I of Article 6 of this Act.

II. - With regard to automated processing, the data controller or its processor shall implement, following a risk assessment, measures designed to:

1° Prevent any unauthorized person from accessing the installations used for processing;

2° Prevent data carriers from being read, copied, modified or deleted in an unauthorised manner;

3° Prevent the unauthorised input of personal data into the file, as well as the unauthorised inspection, modification or deletion of recorded personal data;

4° Prevent the use of automated processing systems by unauthorized persons using data transmission equipment;

5° To ensure that persons authorized to use an automated processing system can only access the personal data to which they are authorized to have access;

6° Guarantee that it is possible to verify and establish to which bodies personal data have been or may be transmitted or made available by data transmission equipment;

7° Guarantee that it is possible to verify and establish a posteriori which personal data have been entered into automated processing systems and when and by whom they were entered;

8° Prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data and during the transport of data carriers;

9° Ensure that the systems installed can be restored in the event of an interruption;

10° To guarantee that the system functions work, that operating errors are reported and that the personal data stored cannot be corrupted by a system malfunction.

Finally, Article 101 of the Act of 6 January 1978 provides that the data controller shall establish for each automated processing operation a log of the collection, modification, consultation and communication operations, including transfers, interconnection and deletion, relating to such data.

The logs of consultation and communication operations make it possible to establish the reason, date and time. They shall also make it possible, as far as possible, to identify the persons consulting or communicating the data and the recipients of the data.

The logbook shall be used only for the purposes of verification of the lawfulness of the processing, self-monitoring, ensuring data integrity and security and for the purposes of criminal proceedings.

In the light of these provisions, the Delegation noted three series of shortcomings, which could affect the security of the personal data processing operations implemented in the context of the section speed cameras: a lack of robustness of the passwords for connection to the ETVM, unsatisfactory traceability of the accesses, as well as insufficient management of the access rights to the application by the provider of the Ministry of the Interior.

A detailed description of these shortcomings is provided in the Annex.

Consequently, the Ministry of the Interior, located at Place Beauvau - 75008 Paris, shall be given formal notice, within three (3) months of notification of this Decision and subject to any measures it may have already adopted, to:

    delete data kept beyond the period necessary for the purposes for which they are processed, in particular as defined in Article 2-1 of the Order of 13 October 2004;

    in the future, ensure compliance with the retention periods provided for in the Order of 13 October 2004 and put in place a purging mechanism (e.g. by using an automated purging system) making it possible to guarantee compliance with the retention periods provided for in the aforementioned Order, in particular by deleting the following data:

        data relating to vehicles which have not committed an offence within a maximum period of 24 hours;
        data relating to vehicles that have committed an offence within a maximum period of one year when they have not been the subject of a fine;
        data on vehicles that have committed an offence within a maximum of ten years where they have been ticketed;

    take all necessary measures to guarantee the security of the personal data processed and in particular those referred to in the annex to this formal notice;

    justify to the CNIL that all of the aforementioned requests have been complied with within the time limit set.

At the end of this period, if the Ministry of the Interior has complied with the present formal notice, it will be considered that the present procedure is closed and a letter will be sent to it to this effect.

Conversely, if the Ministry of the Interior has not complied with this formal notice, a rapporteur will be appointed who may ask the restricted formation to take one of the corrective measures provided for in Article 20 of the Law of 6 January 1978.

The President

Marie-Laure DENIS
Date of publication on legifrance: 4 December 2019