CNIL (France) - SAN-2021-003: Difference between revisions

From GDPRhub
No edit summary
 
(6 intermediate revisions by 2 users not shown)
Line 34: Line 34:
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-19/
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-19/


|Party_Name_1=Ministry of the Interior
|Party_Name_1=Ministry of Interior
|Party_Link_1=https://www.interieur.gouv.fr/
|Party_Link_1=https://www.interieur.gouv.fr/
|Party_Name_2=
|Party_Name_2=
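Review bot: the rename of Party_Name_1 from "Ministry of the Interior" to "Ministry of Interior" leaves the page inconsistent, because the summary text (for example the Holding sentence "public call to order against the Ministry of the Interior") and the translated decision text keep the article. Either keep "Ministry of the Interior" in the infobox or change every occurrence in the same edit.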
Line 59: Line 59:


===Facts===
===Facts===
During March 2020 , the press reported to use of drones equipped with cameras by the police forces in several places, in order to monitor compliance with lockdown measures.
During March 2020 , the press reported the use of drones equipped with cameras by the police forces in several places, in order to monitor compliance with COVID-19 lockdown measures.


The French DPA questionned the Ministry of the Interior on the subject. In absence of reply, the DPA initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area before an arrest, surveillance of a drug traficking,  of demonstrations and road transport. An on-site control then established that the camera used were efficient enough to allow for facial identification of individuals.
The French DPA questionned the Ministry of the Interior on the subject. In absence of reply, the DPA initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area before an arrest, surveillance of a drug traficking,  of demonstrations and road transport. An on-site control then established that the camera used were efficient enough to allow for facial identification of individuals.


In this context, the report concluded to several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, the data were anonimized, and data protection regulations not applicable.
In this context, the report concluded to several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, data were allegedly anonimized, and data protection regulation not applicable.


===Dispute===
===Dispute===
Is recording of images by drones equipped with cameras a personal personal data according Article 4 GDPR ?
Is the recording of images by drones equipped with cameras a personal personal data in the sense of Article 4 GDPR ?
Did the Ministry of Interior comply with European and French data protection regulation inmplementing DIrective (UE) 2016/680 ?
Did the Ministry of Interior comply with the [https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-19/ French Data Protection Act] implementing [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680 Directive (EU) 2016/680] ?


===Holding===
===Holding===
The DPA issues a public call to order against the Ministry of the Interior, on the following grounds.
The DPA issues a public call to order against the Ministry of the Interior, on the following grounds.


On the processing of personal data
======On the processing of personal data======
 
The DPA reminds the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62013CJ0212 ECJ, 11 December 2014, ''Ryneš'', case C-212/13] (point 22), [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en EDPB Guidelines 3/2019 on processing of personal data through video devices], a [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000041897158/ ruling] and an [https://www.conseil-etat.fr/ressources/avis-aux-pouvoirs-publics/derniers-avis-publies/avis-relatif-a-l-usage-de-dispositifs-aeroportes-de-captation-d-images-par-les-autorites-publiques opinion] by the French Supreme Administrative Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.
The DPA reminds the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes ECJ, 11 December 2014, Ryneš, case C-212/13 (point 22), EDPB Guidelines 3/2019 on processing of personal data through video devices, a ruling and an opinion of the French Administrive Supreme Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.


The DPA notes that the equipped cameras have a high resolution and a zoom capability, which allow for identification of faces.  
The DPA notes that the equipped cameras have a high resolution and a zoom capability, which allow for identification of faces.  


Regarding the face-blurring program, it has only been implemented in some recent operation. It is of limited utility because it can only be used for prevention activities. For safety reasons, the pilot's screen is not subject to the blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. All services are placed under the same authority.
Regarding the face-blurring program, it has only been implemented in some recent operation. Its utility is confined to prevention activities, where identification is not necessary. Furthemore, for safety reasons, the pilot's monitor screen is not subject to blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. Indeed, despite the fact that only the technical service has control over the program, all services are placed under the same authority.


The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.
The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.


On the violation of French data protection act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (Loi Informatique et Libertés))
======On the violation of French Data Protection Act, implementing Directive (EU) 2016/680======
 
Under French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), the processing of personal data can only occur where authorised by a specific legal provision (Article 89). In the present case, the Ministry has ignored this obligation.
Under French regulation, the processing of personal data can only occur where authorised by a specific legal provision (Article 89 Loi informatique et Libertés). In the present case, the Ministry has ignored this obligation.


Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to the fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of beliefs and opinions of data subject participating to demonstrations. Those risks are increased by the fact that data subjects may not be aware of the drone operating and thus of the processing of their personal data.  
Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to the fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of beliefs and opinions of data subject participating to demonstrations. Those risks are increased by the fact that data subjects may not be aware of the drone operating and thus of the processing of their personal data.  
The data protection impact assessment is also required where a new mechanism is implemented (Article 89 Loi Informatique et Libertés). Drones being new to police forces, the assessment is required.
The data protection impact assessment is also required where a new mechanism is implemented (Article 90). Drones being new to police forces, the assessment is required.


Lastly, the CNIL finds that the Ministry has failed to its obligation as data controller to provide data subjects with mandatory information.
Lastly, the CNIL finds that the Ministry has failed to its obligation as data controller to provide data subjects with mandatory information.


As a result of these violations, the DPA issues a public call to order. It is however decided that the name of the Ministry of the Interior will not appear publicly on the decision after a period of 2 years.
As a result of these violations, the DPA issues a public call to order. It is however decided that the name of the Ministry of Interior will not appear publicly on the decision after a period of 2 years.
 
 
==Comment==
==Comment==
The decision follows the decisions of the French Administrative Supreme Court : Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445 and Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques
The decision follows the decisions of the French Administrative Supreme Court : [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000041897158/ Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445] and [https://www.conseil-etat.fr/ressources/avis-aux-pouvoirs-publics/derniers-avis-publies/avis-relatif-a-l-usage-de-dispositifs-aeroportes-de-captation-d-images-par-les-autorites-publiques Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques].


==Further Resources==
==Further Resources==
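Review bot: in the Dispute paragraph the revised first question still reads "a personal personal data", and the Facts and Holding text keeps or introduces misspellings ("questionned", "initated", "traficking", "anonimized", "Furthemore"); these should be corrected in the same edit. In the Holding, the basis for the impact assessment is cited as "Article 89 Loi Informatique et Libertés" in one revision and "Article 90" in the other, while the authorisation requirement is cited as Article 89 in both, so the article number should be confirmed against the Act before saving.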
Line 104: Line 100:


<pre>
<pre>
Délibération SAN-2021-003 du 12 janvier 2021
San-2021-003 deliberation of January 12, 2021
Commission Nationale de l’Informatique et des Libertés
National Commission for Computing and Freedoms


     Nature de la délibération : Sanction
     Nature of deliberation: Sanction
     Etat juridique : En vigueur
     Legal status: In force


     Date de publication sur Légifrance : Jeudi 14 janvier 2021
     Publication date on Légifrance: Thursday January 14, 2021  


Délibération de la formation restreinte n°SAN-2021-003 du 12 janvier 2021 concernant le ministère de l'intérieur
Deliberation of restricted training n ° SAN-2021-003 of January 12, 2021 concerning the Ministry of the Interior


La Commission nationale de l’informatique et des libertés, réunie en sa formation restreinte composée de Messieurs Alexandre LINDEN, président, Philippe-Pierre CABOURDIN, vice-président, et de Mesdames Anne DEBET et Christine MAUGÜE, membres ;
The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Anne DEBET and Christine MAUGÜE, members;


Vu la Convention no 108 du Conseil de l’Europe du 28 janvier 1981 pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel ;
Considering the Convention n o 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data in character;


Vu le règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des données à caractère personnel et à la libre circulation de ces données ;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;


Vu la directive (UE) 2016/680 du Parlement européen et du Conseil du 27 avril 2016 relative à la protection des personnes physiques à l'égard du traitement des données à caractère personnel par les autorités compétentes à des fins de prévention et de détection des infractions pénales, d'enquêtes et de poursuites en la matière ou d'exécution de sanctions pénales, et à la libre circulation de ces données ;
Having regard to Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention and detection of criminal offenses, investigations and prosecutions in the matter or the execution of criminal sanctions, and the free movement of such data;


Vu la loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, notamment ses articles 20 et suivants;
Considering the law n o 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following ;


Vu le décret no 2019-536 du 29 mai 2019 pris pour l'application de la loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés ;
Considering the decree n o 2019-536 of May 29, 2019 taken for the application of the law n o 78-17 of January 6, 1978 relating to data processing, files and freedoms;


Vu la délibération no 2013-175 du 4 juillet 2013 portant adoption du règlement intérieur de la Commission nationale de l'informatique et des libertés ;
Considering the deliberation n o 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission of data processing and freedoms;


Vu la décision no 2020-076C du 7 mai 2020 de la présidente de la Commission nationale de l’informatique et des libertés de charger le secrétaire général de procéder ou de faire procéder à une mission de vérification des traitements mis en œuvre par le ministère de l'intérieur ou pour son compte ;
Considering the decision n o 2020-076C of May 7, 2020 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to proceed or to have carried out a mission to verify the processing operations implemented by the Ministry internally or on its behalf;


Vu la décision de la présidente de la Commission nationale de l’informatique et des libertés portant désignation d’un rapporteur devant la formation restreinte, en date du 2 octobre 2020 ;
Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated October 2, 2020;


Vu le rapport de Madame Sophie LAMBREMON, commissaire rapporteure, notifié au ministère de l'intérieur le 30 octobre 2020 ;
Having regard to the report by Mrs Sophie LAMBREMON, rapporteur commissioner, notified to the Ministry of the Interior on October 30, 2020;


Vu les observations écrites versées par le ministère de l'intérieur le 1er décembre 2020 ;
Considering the written submissions made by the Interior Ministry on 1 st December 2020;


Vu les observations orales formulées lors de la séance de la formation restreinte, le 10 décembre 2020 ;
Having regard to the oral observations made during the restricted training session on December 10, 2020;


Vu les autres pièces du dossier ;
Having regard to the other documents in the file;


Étaient présents, lors de la séance de la formation restreinte :
Were present during the restricted training session:


- Madame Sophie LAMBREMON, commissaire, entendu en son rapport ;
- Mrs Sophie LAMBREMON, commissioner, heard in her report;


En qualité de représentants du ministère de l'intérieur :
As representatives of the Ministry of the Interior:


- […] ;
- […] ;
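Review bot: the English text that replaces the French original in the <pre> block renders "formation restreinte" as "restricted training" in the title line, the oral observations line and the attendance line, but as "restricted formation" in the composition paragraph; pick one rendering and use it throughout. The same block turns "ministère de l'intérieur" into "the Ministry internally" in the paragraph on decision 2020-076C and leaves "n o" and "1 st" split by stray spaces, so the translation needs a proofreading pass against the French before the original is dropped.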
Line 150: Line 146:
- […] ;
- […] ;


Le ministère de l'Intérieur ayant eu la parole en dernier ;
The Ministry of the Interior having spoken last;


La formation restreinte a adopté la décision suivante :
The restricted committee adopted the following decision:


I. Faits et procédure
I. Facts and procedure


1. À la suite du confinement décidé par le Gouvernement au mois de mars 2020, plusieurs articles de presse ont fait état de l’utilisation, par les forces de police (notamment le commissariat de Cergy-Pontoise) et de gendarmerie (notamment le groupement de gendarmerie départementale de Haute-Garonne), de drones équipés d’une caméra afin de veiller au respect des mesures prises dans ce contexte. L’utilisation de tels drones lui paraissant susceptible de mettre en œuvre des traitements de données à caractère personnel, la présidente de la Commission nationale de l'informatique et des libertés (ci-après la CNIL ou la Commission ) a, par courrier du 23 avril 2020, demandé au ministère de l'intérieur des précisions quant aux traitements réalisés dans ce cadre.
1. Following the confinement decided by the Government in March 2020, several press articles reported on the use, by the police (in particular the Cergy-Pontoise police station) and the gendarmerie (in particular the grouping departmental gendarmerie of Haute-Garonne), drones equipped with a camera to ensure compliance with the measures taken in this context. The use of such drones, appearing to her likely to implement the processing of personal data, the president of the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission), by letter of 23 April 2020, asked the Ministry of the Interior for details on the processing carried out in this context.


2. En l’absence de réponse, la présidente de la Commission a, par la décision no 2020-076C du 7 mai 2020, initié une procédure de contrôle à l’encontre du ministère. Cette procédure avait pour objet de vérifier le respect, par le ministère de l'intérieur, de l’ensemble des dispositions durèglement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 (ci-après le Règlement ou le RGPD ), dela loi no 78-17 du 6 janvier 1978 modifiée relative à l’informatique, aux fichiers et aux libertés (ci-après la loi du 6 janvier 1978 ou la loi Informatique et Libertés ), de la directive (UE) 2016/680 du Parlement européen et du Conseil du 27 avril 2016 (ci-après la directive police-justice ) et des dispositions prévues aux articles L251-1 et suivants du code de la sécurité intérieure. Dans le cadre de cette procédure, la présidente de la Commission a, le 8 mai 2020, fait parvenir au ministère de l'intérieur, à la préfecture de police de Paris, au commissariat de Cergy-Pontoise et au groupement de gendarmerie départementale de Haute-Garonne des questionnaires portant sur l’utilisation de drones afin de faire respecter les mesures de confinement déployées dans le cadre de l’état d’urgence sanitaire. Le ministère de l'intérieur a répondu à l’ensemble de ces questionnaires par courrier du 27 mai 2020.
2. In the absence of response, the Commission's Chair, by Decision o 2020-076C of 7 May 2020 initiated a review proceedings against the Department. The purpose of this procedure was to verify that the Ministry of the Interior all the provisions of complied with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the Regulation or the RGPD) of law No o 78-17 of 6 January 1978 relating to computers, files and liberties (hereinafter the Act of 6 January 1978 or the data Protection Act) of Directive (EU ) 2016/680 of the European Parliament and of the Council of April 27, 2016 (hereafter the police-justice directive) and the provisions provided for in articles L251-1 et seq. Of the Internal Security Code. As part of this procedure, the President of the Commission, on May 8, 2020, sent to the Ministry of the Interior, the Paris police headquarters, the Cergy-Pontoise police station and the departmental gendarmerie group of Haute -Garonne questionnaires on the use of drones to enforce the containment measures deployed in the context of the state of health emergency. The Ministry of the Interior replied to all of these questionnaires by letter of May 27, 2020.


3. Le 9 juillet 2020, une délégation de la CNIL s’est rendue dans les locaux de la préfecture de police de Paris afin de procéder à un contrôle sur place. Ce contrôle a notamment permis à la délégation de contrôle de faire procéder à un vol d’essai d’un drone utilisé par la préfecture de police de Paris.
3. On July 9, 2020, a delegation from the CNIL visited the premises of the Paris police headquarters in order to carry out an on-site check. This control notably enabled the control delegation to carry out a test flight of a drone used by the Paris police headquarters.


4. Différents échanges sont intervenus par courriel entre le ministère et la délégation de contrôle entre les mois de juillet et de septembre 2020. Ces échanges concernaient la transmission de documents demandés à l’occasion du contrôle ainsi que de précisions demandées ultérieurement.
4. Various exchanges took place by email between the ministry and the control delegation between July and September 2020. These exchanges concerned the transmission of documents requested during the control as well as details requested subsequently.


5. Aux fins d’instruction de ces éléments, la présidente de la Commission a, le 2 octobre 2020, désigné Madame Sophie LAMBREMON en qualité de rapporteure, sur le fondement de l’article 22 de la loi du 6 janvier 1978.
5. For the purposes of examining these elements, the President of the Commission appointed, on October 2, 2020, Mrs Sophie LAMBREMON as rapporteur, on the basis of article 22 of the law of January 6, 1978.


6. À l’issue de son instruction, la rapporteure a, le 30 octobre 2020, fait signifier au ministère de l'intérieur un rapport détaillant les manquements à la loi Informatique et Libertés qu’elle estimait constitués en l’espèce. La rapporteure proposait à la formation restreinte de la Commission de prononcer une injonction de mettre en conformité le traitement avec les dispositions de l’article 87 de la loi Informatique et Libertés, ainsi qu’un rappel à l’ordre. Elle proposait également que cette décision soit rendue publique et ne permette plus d’identifier nommément le ministère à l’expiration d’un délai de deux ans à compter de sa publication.
6. At the end of her investigation, the rapporteur, on October 30, 2020, sent the Ministry of the Interior a report detailing the breaches of the Data Protection Act that she considered to have constituted in this case. The rapporteur proposed to the restricted formation of the Commission to issue an injunction to bring the processing into conformity with the provisions of Article 87 of the Data Protection Act, as well as a call to order. It also proposed that this decision be made public and no longer allow the ministry to be identified by name after a period of two years from its publication.


7. Le même jour, le ministère de l'intérieur a été informé que ce dossier était inscrit à l’ordre du jour de la séance de la formation restreinte du 10 décembre 2020.
7. The same day, the Ministry of the Interior was informed that this file was on the agenda of the session of the restricted formation of December 10, 2020.


8. Le 1er décembre 2020, le ministère a produit des observations.
8. On 1 st December 2020, the ministry has submitted observations.


9. Le ministère et la rapporteure ont présenté des observations orales lors de la séance de la formation restreinte.
9. The Ministry and the rapporteur presented oral observations during the session of the restricted formation.


II. Motifs de la décision
II. Reasons for the decision


A. Sur l’existence d’un traitement de données à caractère personnel
A. On the existence of processing of personal data


10. La rapporteure observe que la préfecture de police de Paris, le commissariat de Cergy-Pontoise et le groupement de gendarmerie départementale de Haute-Garonne ont utilisé des drones afin de vérifier le respect des mesures de confinement. Par ailleurs, la préfecture de police de Paris a également utilisé ces dispositifs pour d’autres finalités, telles que des missions de police judiciaire (reconnaissance d’un lieu avant une interpellation, surveillance d’un trafic de stupéfiants), des opérations de maintien de l’ordre (surveillance de manifestations) ou de gestion de crise et des contrôles routiers (surveillance de rodéos urbains).
10. The rapporteur observes that the Paris police headquarters, the Cergy-Pontoise police station and the Haute-Garonne departmental gendarmerie group have used drones to verify compliance with the containment measures. In addition, the Paris police headquarters also used these devices for other purposes, such as judicial police missions (recognition of a place before an arrest, monitoring of drug trafficking), maintenance operations order (surveillance of demonstrations) or crisis management and road checks (surveillance of urban rodeos).


11. La rapporteure relève que les drones utilisés sont équipés d’une caméra permettant la captation d’images en haute résolution et possédant des capacités de zoom pouvant agrandir l’image entre six et vingt fois.
11. The rapporteur notes that the drones used are equipped with a camera allowing the capture of high resolution images and having zoom capabilities capable of enlarging the image between six and twenty times.


12. Au regard de ces capacités techniques, la rapporteure considère que l’utilisation de ces drones par le ministère de l'intérieur donne lieu à un traitement de données à caractère personnel dès lors que des personnes sont filmées dans des conditions permettant leur identification.
12. In the light of these technical capacities, the rapporteur considers that the use of these drones by the Ministry of the Interior gives rise to the processing of personal data when people are filmed in conditions allowing their identification.


13. Le ministère de l'intérieur, quant à lui, a d’abord affirmé en réponse aux questionnaires envoyés par la présidente de la CNIL que le vol des drones ne donnait lieu à aucun traitement de données à caractère personnel, les personnes n’étant pas identifiables. Dans ses observations en réponse au rapport de sanction, il a ensuite considéré que l’incertitude juridique relative à la nature des données traitées démontrait la bonne foi de l’administration, qu’en tout état de cause, le système de floutage mis en œuvre excluait tout traitement de données à caractère personnel, tout en précisant que des considérations techniques empêchaient que ce système de floutage soit exécuté au niveau du drone captant les images et avant toute transmission de celles-ci.
13. The Ministry of the Interior, for its part, first affirmed in response to questionnaires sent by the President of the CNIL that the flight of drones did not give rise to any processing of personal data, people did not being not identifiable. In its observations in response to the sanction report, it then considered that the legal uncertainty relating to the nature of the data processed demonstrated the good faith of the administration, that in any event, the blurring system implemented excluded any processing of personal data, while specifying that technical considerations prevented this blurring system from being performed at the level of the drone capturing the images and before any transmission thereof.


14. La formation restreinte estime que la qualification de traitement de données à caractère personnel s’applique à un système de captation vidéo filmant des personnes pour les raisons suivantes.
14. The restricted committee considers that the qualification of processing of personal data applies to a video capture system filming people for the following reasons.


15. En premier lieu, sur l’existence d’un traitement de données à caractère personnel, l’article 2 de la loi Informatique et Libertés dispose : sauf dispositions contraires, dans le cadre de la présente loi s'appliquent les définitions de l'article 4 du règlement (UE) 2016/679 du 27 avril 2016 .
15. First , on the existence of processing of personal data, article 2 of the Data Protection Act provides: unless otherwise provided, within the framework of this law the definitions of the Article 4 of Regulation (EU) 2016/679 of April 27, 2016 .


16. Aux termes de l’article 4 du RGPD, constitue un traitement de données à caractère personnel toute opération ou tout ensemble d'opérations effectuées ou non à l'aide de procédés automatisés et appliquées à des données ou des ensembles de données à caractère personnel, telles que la collecte, l'enregistrement, l'organisation, la structuration, la conservation, l'adaptation ou la modification, l'extraction, la consultation, l'utilisation, la communication par transmission, la diffusion ou toute autre forme de mise à disposition, le rapprochement ou l'interconnexion, la limitation, l'effacement ou la destruction . Ce même article définit une donnée à caractère personnel comme toute information se rapportant à une personne physique identifiée ou identifiable […] ; est réputée être une personne physique identifiable une personne physique qui peut être identifiée, directement ou indirectement, notamment par référence […] à un ou plusieurs éléments spécifiques propres à son identité physique, physiologique, génétique, psychique, économique, culturelle ou sociale .
16. Pursuant to article 4 of the GDPR, personal data processing constitutes any operation or set of operations carried out or not using automated processes and applied to data or sets of data of a personal nature. personal, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form provision, reconciliation or interconnection, limitation, erasure or destruction . This same article defines personal data as any information relating to an identified or identifiable natural person […]; is deemed to be an identifiable natural person a natural person who can be identified, directly or indirectly, in particular by reference […] to one or more specific elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity .


17. Au regard de ces définitions, la formation restreinte relève que tout opération – notamment la captation, la transmission, la modification ou la consultation – portant sur l’image de personnes pouvant être reconnues constitue un traitement de données à caractère personnel.
17. In view of these definitions, the restricted committee notes that any operation - in particular the capture, transmission, modification or consultation - relating to the image of persons who can be recognized constitutes processing of personal data.


18. The restricted committee observes that this analysis, long adopted by the CNIL, has been enshrined in European case law since 2014: the image of a person recorded by a camera constitutes personal data within the meaning of the provision referred to in the previous point insofar as it makes it possible to identify the person concerned (CJEU, 11 December 2014, Ryneš, case C-212/13, paragraph 22). It was very recently recalled by the European Data Protection Board (hereinafter the EDPB) in its Guidelines 3/2019 of 29 January 2020 on the processing of personal data by video devices: "Systematic and automated surveillance of a specific space by optical or audiovisual means, mainly for the purpose of protecting property or protecting the life and health of persons, has become an important phenomenon of our time. This activity entails the collection and retention of pictorial or audiovisual information on all persons entering the monitored space who are identifiable on the basis of their appearance or other specific elements. The identity of these persons can be established on the basis of this information."


19. With regard more specifically to drones equipped with a camera, the urgent applications judge of the Conseil d'État considered that the disputed surveillance system […], which consists in collecting data through the capture of images by drone, transmitting them, in certain cases, to the command center of the police headquarters for real-time viewing and using them to carry out administrative police missions, constitutes processing (Conseil d'État, order of 18 May 2020, nos. 440442 and 440445). Noting that no mechanism was in place to prevent, in all cases, the information collected from making persons identifiable, that court concluded that the data likely to be collected by the disputed processing must be regarded as personal data.


20. Finally, in an opinion of September 20, 2020 on the use of airborne image capture devices by public authorities, the Conseil d'État specified that, having regard in particular to the technologies currently available and their development, and to the material resources available to public authorities, the Conseil d'État considers that images of persons captured by airborne cameras by these authorities in the course of public security or civil security missions must, in principle, be regarded as personal data and that, consequently, the collection and use of these images are subject to compliance with the texts recalled above. It could, however, be otherwise where they are used under particular conditions excluding the existence of reasonable possibilities of identifying persons, or where technical mechanisms preventing identification are implemented (Conseil d'État, interior section, session of Tuesday, September 20, 2020, no. 401 214).


21. The restricted committee recalls that, in this case, the Paris police headquarters, the Haute-Garonne departmental gendarmerie group and the Cergy-Pontoise police station acknowledged having used drones equipped with a camera to verify compliance with lockdown measures and, in the case of the Paris police headquarters, for other purposes, in particular judicial purposes and the maintenance of public order. These drones flew at an altitude of between 30 and 120 meters, depending on the actor, and were equipped with a 12 million pixel lens capable of magnifying the image between six and twenty times.


22. The inspection delegation, having had a drone test flight carried out on July 9, 2020, found that the technical characteristics mentioned above allow the identification of persons.


23. Secondly, with regard to a possible blurring mechanism that could make the persons concerned unidentifiable, the restricted committee notes, first of all, that the Paris police headquarters, the Haute-Garonne departmental gendarmerie group and the Cergy-Pontoise police station indicated, in their responses to the questionnaires sent, that no blurring mechanism had been put in place.


24. It then observes that the Paris police headquarters subsequently indicated, during the inspection carried out on July 9, 2020, that a blurring mechanism was under development. The Ministry of the Interior specified, during the session of December 10, 2020, that it had been deployed since the end of August 2020.


25. Consequently, the restricted committee notes, on the one hand, that no such mechanism was in use during the flights mentioned in the questionnaires sent to the operational services, and that drones equipped with a camera therefore carried out numerous flights without blurring of the images collected before the mechanism was deployed. It considers, on the other hand, that the mechanism described during the present procedure cannot, for all that, remove the images collected from the scope of the applicable regulations on the protection of personal data.


26. Indeed, firstly, the blurring system referred to does not apply to the images captured by the camera on board the drone and transmitted to the drone pilot. Although the viewing of unblurred images by the drone pilot is easily explained by safety requirements (control of the aircraft during flight), which the restricted committee does not question, the fact remains that the capture of unblurred images by the camera and their transmission to the pilot constitute personal data processing operations.


27. Secondly, it follows from the responses provided by the police headquarters that it recorded unblurred images when using drones for the needs of judicial police missions, which also constitutes processing of personal data.


28. Finally, and contrary to the statements made by the Ministry of the Interior during the session, it emerges from the documents submitted in defense, and more particularly from the note on blurring entitled "Processing of video streams from drones", dated 23 November 2020, that the blurred streams can be viewed unblurred by officers of the police headquarters: "The blurring mechanism being controlled by the DILT (directorate of innovation, logistics and technologies), it is impossible for the DOPC (directorate of public order and traffic) to access the unblurred streams. Access to the unblurred streams would require a modification of the configuration currently in place; only an engineer with rights over the entire system can do this laborious work. Engineers with these rights are placed under a different command from that of the DOPC." The restricted committee deduces from this document that, although "laborious", access to unblurred streams remains possible for persons placed under the responsibility of the data controller. Therefore, the processing must be classified as processing of personal data.


B. On the identification of the data controller


29. The restricted committee emphasizes that all the processing operations covered by this procedure, whose purposes are to ensure compliance with the lockdown measures adopted in the context of the state of health emergency, or to support judicial police missions, public order missions, crisis management or traffic control, fall within the competence of the Ministry of the Interior, in accordance with the provisions of Decree no. 2017-1070 of May 24, 2017 relating to the powers of the Minister of the Interior, which provides that the Minister of the Interior prepares and implements the Government's policy in matters of internal security, public freedoms, territorial administration of the State, immigration, asylum and road safety.


30. It also emphasizes that the services concerned (the Haute-Garonne departmental gendarmerie group, the Cergy-Pontoise police station and the Paris police headquarters) all act under the supervision of the Ministry of the Interior.


31. The Ministry of the Interior does consider itself to be the data controller, its central services having, moreover, drawn up a command instruction providing for the use of drones, in particular in the context of the lockdown.


32. Consequently, the restricted committee holds that the latter must be considered the controller of the processing operations covered by this procedure.


C. On the applicable law


33. The first paragraph of Article 87 of the Data Protection Act, the first article of Title III of the Act, provides: "this Title applies, without prejudice to Title I, to the processing of personal data carried out, for the purposes of the prevention and detection of criminal offenses, the investigation and prosecution of such offenses or the enforcement of criminal sanctions, including protection against threats to public security and the prevention of such threats, by any competent public authority or any other body or entity entrusted, for these same purposes, with the exercise of public authority and public powers, hereinafter referred to as the competent authority."


34. Title III therefore applies to processing operations that meet two criteria, relating to their purpose, on the one hand, and to the status of the data controller, on the other.


35. As regards the purposes pursued by the processing resulting from the flights of drones equipped with a camera, it appears from the statements made by the Haute-Garonne departmental gendarmerie group, by the Cergy-Pontoise police station and by the Paris police headquarters that the images were used by these three actors to ensure compliance with the lockdown measures adopted in the context of the state of health emergency and, for the last of them only, for other purposes, such as judicial police, public order, crisis management and traffic control missions.


36. The restricted committee considers that the aforementioned missions fall within the scope of the purposes referred to in Article 87 of the Data Protection Act, because they aim to prevent or detect criminal offenses (for example, when drones are used to ensure compliance with lockdown or traffic control measures), to investigate or prosecute in criminal matters (for example, for judicial police missions), or to protect against threats to public security and prevent such threats (for example, for public order or crisis management missions).


37. The restricted committee also considers that, in the context of these missions, the Ministry of the Interior must be regarded as the competent authority, in view of Article 1 of Decree no. 2020-874 of July 15, 2020 on the powers of the Minister of the Interior (previously Decree no. 2017-1070 of May 24, 2017), cited above.


38. Consequently, the restricted committee considers that, in this case, the processing operations carried out by the Ministry of the Interior for the various purposes mentioned above must comply with the provisions of Title III of the Data Protection Act.


D. On the breaches


1. On the breach relating to the lawfulness of the processing and the absence of an impact assessment


39. The second paragraph of Article 87 of the Data Protection Act provides that the processing operations referred to in Title II of the Act are lawful only if and to the extent that they are necessary for the performance of a task carried out, for one of the purposes set out in the first paragraph, by a competent authority within the meaning of the same first paragraph, and where the provisions of Articles 89 and 90 are complied with.


40. Under I of Article 89 of the Act, if the processing is carried out on behalf of the State for at least one of the purposes set out in the first paragraph of Article 87, it is provided for by a legislative or regulatory provision adopted under the conditions laid down in I of Article 31 and in Articles 33 to 36. Pursuant to II of the same article, if the processing relates to data referred to in Article 6 of the Act (known as sensitive data), it must be provided for by a legislative or regulatory provision adopted under the conditions laid down in II of Article 31. Article 31 of the Act, to which reference is made, requires that the data processing in question be authorized by order of the competent minister or ministers, issued after a reasoned and published opinion of the Commission and, where sensitive data are processed, by a decree in the Conseil d'État issued after a reasoned and published opinion of the CNIL.


41. Article 90 of the Act provides: "if the processing is likely to result in a high risk to the rights and freedoms of natural persons, in particular because it relates to data mentioned in I of Article 6, the data controller carries out an impact assessment relating to the protection of personal data."


42. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this breach, having wrongly considered that the processing operations in question did not relate to personal data.


43. With regard to the provisions of Article 89, the restricted committee notes that no legislative or regulatory framework authorizes and regulates the processing of personal data arising from the use by the Ministry of the Interior of drones equipped with a camera. By indicating that work is underway to develop a legal framework as soon as possible, the Ministry of the Interior confirms this point.


44. With regard to the provisions of Article 90, the restricted committee considers that the processing operations carried out in this case are likely to result in a high risk to the rights and freedoms of the persons concerned. This high risk arises, on the one hand, from the characteristics of drones, which are flying objects carrying a camera capable of filming at high resolutions, anywhere and at any time. They are therefore capable of filming any person moving in public space, of following that person and of processing immutable personal data such as facial features. The risk arises, on the other hand, from the use made of drones by the Ministry of the Interior, in particular during demonstrations, occasions on which people's political opinions, religious or philosophical beliefs, or trade union membership are likely to be revealed. Finally, the risk is aggravated by the fact that the processing is potentially carried out without the knowledge of the persons concerned, who are often unaware of the presence of drones, the activation of the camera and the capture of their image. This risk is further aggravated, in the present case, by the failure to inform individuals during the flights carried out.


45. The restricted committee notes that Article 90 of the Data Protection Act specifies that this risk may also arise from the use of new mechanisms, which is indeed the case here.


46. Consequently, the restricted committee considers that the use of drones equipped with a camera gives rise to a high risk to the rights and freedoms of natural persons and that, therefore, it was for the Ministry of the Interior to carry out an impact assessment relating to the protection of personal data.


47. The restricted committee notes that no impact assessment was carried out.


48. It follows from all of these elements that the conditions for the lawfulness of the processing operations carried out are not met. The restricted committee therefore considers that breaches of Articles 89 and 90 of the Data Protection Act are established.


2. On the breach relating to the information of individuals


Under the terms of Article 104 of the Data Protection Act, the data controller makes the following information available to the data subject:


1° The identity and contact details of the data controller and, where applicable, those of its representative;


2° Where applicable, the contact details of the data protection officer;


3° The purposes pursued by the processing for which the data are intended;


4° The right to lodge a complaint with the Commission nationale de l'informatique et des libertés and the contact details of the commission;


5° The existence of the right to request from the data controller access to personal data, their rectification or erasure, and the existence of the right to request a limitation of the processing of personal data relating to a data subject.


49. À titre liminaire, la formation restreinte relève que le ministère de l'intérieur ne conteste pas la caractérisation de ce manquement, rappelant seulement les engagements pris pour assurer, à l’avenir, l’information des personnes concernées.
49. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this failure, recalling only the commitments made to ensure, in the future, the information of the persons concerned.


50. La formation restreinte note que le groupement de gendarmerie départementale de Haute-Garonne et le commissariat de Cergy-Pontoise ont indiqué, dans leur réponse au questionnaire envoyé, que les personnes étaient informées de la présence du drone par un message vocal les invitant à se disperser. La préfecture de police de Paris a indiqué qu’aucun dispositif spécifique d’information n’avait été mis en place.
50. The restricted party noted that the departmental gendarmerie group of Haute-Garonne and the Cergy-Pontoise police station indicated, in their response to the questionnaire sent, that people were informed of the presence of the drone by a voice message inviting them to disperse. The Paris police headquarters indicated that no specific information system had been put in place.


51. Il ressort des réponses apportées qu’aucune information répondant aux exigences de l’article 104 de la loi Informatique et Libertés n’a été communiquée aux personnes concernées.
51. It emerges from the answers provided that no information meeting the requirements of Article 104 of the Data Protection Act was communicated to the persons concerned.


52. La formation restreinte relève que, si l’article 107 de la loi Informatique et Libertés permet, sous certaines conditions, des restrictions aux droits des personnes et notamment au droit à l’information, ces restrictions doivent être prévues par l’acte instaurant le traitement . En l’espèce, en l’absence de tout acte instaurant les traitements en question, aucune limitation au droit à l’information ne pouvait être prévue.
52. The restricted committee notes that, although article 107 of the Data Protection Act allows, under certain conditions, restrictions on the rights of individuals and in particular on the right to information, these restrictions must be provided for by the act establishing treatment . In the present case, in the absence of any act establishing the processing in question, no limitation to the right to information could be provided for.


53. Il ressort de l’ensemble de ces éléments que l’information délivrée aux personnes, quand elle existait, ne répondait pas aux exigences légales. La formation restreinte considère donc qu’un manquement à l’article 104 de la loi Informatique et Libertés est constitué.
53. All of these elements show that the information provided to individuals, when it existed, did not meet legal requirements. The restricted committee therefore considers that a breach of article 104 of the Data Protection Act has been established.


III. Sur les mesures correctrices et leur publicité
III. On corrective measures and their publicity


54. Aux termes du III de l’article 20 de la loi du 6 janvier 1978 :
54. Under the terms of III of article 20 of the law of 6 January 1978:


Lorsque le responsable de traitement ou son sous-traitant ne respecte pas les obligations résultant du règlement (UE) 2016/679 du 27 avril 2016 ou de la présente loi, le président de la Commission nationale de l'informatique et des libertés peut également, le cas échéant après lui avoir adressé l'avertissement prévu au I du présent article ou, le cas échéant en complément d'une mise en demeure prévue au II, saisir la formation restreinte de la commission en vue du prononcé, après procédure contradictoire, de l'une ou de plusieurs des mesures suivantes :
When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted committee of the committee with a view to pronouncing, after contradictory procedure, of one or more of the following measures:


1° Un rappel à l'ordre ;
1 ° A call to order;


2° Une injonction de mettre en conformité le traitement avec les obligations résultant du règlement (UE) 2016/679 du 27 avril 2016 ou de la présente loi ou de satisfaire aux demandes présentées par la personne concernée en vue d'exercer ses droits, qui peut être assortie, sauf dans des cas où le traitement est mis en œuvre par l'État, d'une astreinte dont le montant ne peut excéder 100 000 € par jour de retard à compter de la date fixée par la formation restreinte ; (…) .
2 ° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, a penalty payment the amount of which may not exceed € 100,000 per day of delay from the date set by the restricted group; (…).


55. La rapporteure propose à la formation restreinte que soient prononcés un rappel à l’ordre ainsi qu’une injonction de mettre le traitement en conformité avec les dispositions la loi Informatique et Libertés. Elle propose également que cette décision soit rendue publique.
55. The rapporteur suggests to the restricted committee that a call to order be issued as well as an injunction to bring the processing into conformity with the provisions of the Data Protection Act. She also proposes that this decision be made public.


56. En défense, le ministère de l'intérieur estime que le prononcé d’une mesure correctrice ne se justifie pas, une mise en demeure lui semblant suffisante en l’espèce, et que la publicité de l’éventuelle mesure à intervenir n’apparaît pas nécessaire. Enfin, il considère que l’injonction de cesser l’usage des drones n’est pas envisageable, cet usage constituant désormais une nécessité opérationnelle indéniable.
56. In defense, the Ministry of the Interior considers that the pronouncement of a corrective measure is not justified, a formal notice seeming sufficient in this case, and that the publicity of the possible measure to be taken is not does not appear necessary. Finally, he considers that the injunction to cease the use of drones is not possible, this use now constituting an undeniable operational necessity.


57. La formation restreinte considère que, dans le cas d’espèce, les manquements précités justifient que soit prononcé un rappel à l’ordre à l’encontre du ministère de l'intérieur pour les motifs suivants.
57. The restricted committee considers that, in the present case, the aforementioned failures justify a call to order against the Ministry of the Interior for the following reasons.


58. La formation restreinte relève la gravité du manquement relatif à la licéité des traitements, ce manquement privant l’ensemble des traitements mis en œuvre de base légale. Elle souligne également que les personnes concernées étaient privées de l’ensemble des garanties dont elles auraient dû bénéficier, notamment une information relative aux traitements ainsi que sur l’exercice de leurs droits.
58. The restricted committee notes the seriousness of the breach relating to the lawfulness of the processing operations, this failure depriving all the processing operations carried out of a legal basis. It also emphasizes that the data subjects were deprived of all the guarantees from which they should have benefited, in particular information relating to processing and the exercise of their rights.


59. Elle relève également les risques importants pour les droits et libertés des personnes, précédemment évoqués, liés à la possibilité offerte par ces nouveaux dispositifs d’identifier toute personne circulant sur l’espace public, y compris dans des circonstances pouvant révéler des informations particulièrement sensibles, par exemple liées à leurs opinions politiques, leurs convictions religieuses ou philosophiques ou leur appartenance syndicale.
59. It also notes the significant risks for the rights and freedoms of individuals, previously mentioned, linked to the possibility offered by these new devices to identify any person circulating in the public space, including in circumstances that may reveal particularly sensitive, for example linked to their political opinions, their religious or philosophical convictions or their trade union membership.


60. Elle note aussi que les évolutions technologiques rendent les drones de plus en plus discrets avec des capacités augmentées de captation de leurs caméras qui donnent au ministère de l'intérieur la possibilité de faire voler ses drones à des altitudes de plus en plus importantes, tout en conservant une image d’une grande précision. Les personnes sont donc peu susceptibles de prendre conscience des traitements opérés et de la captation de leur image.
60. It also notes that technological developments are making drones more and more discreet with increased capturing capacities of their cameras which give the Ministry of the Interior the possibility of flying its drones at increasingly high altitudes, while maintaining an image with great precision. People are therefore unlikely to become aware of the treatments carried out and the capture of their image.


61. Enfin, la formation restreinte considère que le perfectionnement de technologies telles que la reconnaissance faciale pourrait entraîner, à l’avenir, des risques encore plus importants pour les droits et libertés individuelles si elles étaient couplées à l’utilisation de drones. Elle considère donc que leur déploiement en dehors de tout cadre légal doit être sévèrement sanctionné.
61. Finally, the restricted training considers that the improvement of technologies such as facial recognition could entail, in the future, even greater risks for individual rights and freedoms if they were coupled with the use of drones. It therefore considers that their deployment outside any legal framework should be severely sanctioned.


62. La formation restreinte estime que les éléments précités rendent également nécessaire qu’une injonction soit prononcée. En outre, le ministère ayant indiqué lors de la séance qu’il n’entendait pas renoncer, y compris temporairement, à l’usage de drones équipés d’une caméra, le prononcé d’une injonction constitue la mesure appropriée pour l’amener à n’utiliser des drones à cet effet que lorsqu’un cadre légal l’y autorisant aura été adopté.
62. The restricted panel considers that the aforementioned elements also make it necessary for an injunction to be issued. In addition, the ministry having indicated during the meeting that it did not intend to renounce, including temporarily, the use of drones equipped with a camera, the pronouncement of an injunction constitutes the appropriate measure to bring it to use drones for this purpose only when a legal framework authorizing it has been adopted.


63. Enfin, et pour les mêmes raisons, la formation restreinte estime nécessaire que sa décision soit rendue publique. Elle relève, sur ce point, que le public a démontré, au cours des derniers mois, un intérêt légitime pour les questions relatives au traitement de ses données à caractère personnel par l’État. La publicité d’une décision de sanction par l’autorité spécialement chargée de la protection des données à caractère personnel apparaît ainsi pleinement justifiée.
63. Finally, and for the same reasons, the restricted panel considers it necessary for its decision to be made public. It notes, on this point, that the public has demonstrated, over the past few months, a legitimate interest in matters relating to the processing of their personal data by the State. The publication of a sanction decision by the authority specially responsible for the protection of personal data thus appears fully justified.


PAR CES MOTIFS
FOR THESE REASONS


La formation restreinte de la CNIL, après en avoir délibéré, décide de :
The restricted formation of the CNIL, after having deliberated, decides to:


· prononcer à l’encontre du ministère de l'intérieur un rappel à l’ordre pour les manquements aux articles 89, 90 et 104 de la loi Informatique et Libertés ;
· Issue a call to order against the Ministry of the Interior for breaches of Articles 89, 90 and 104 of the Data Protection Act;


· prononcer à l’encontre du ministère de l'intérieur une injonction de mettre en conformité les traitements visés avec les obligations résultant de l’article 87 de la loi Informatique et Libertés, et en particulier :
Issue an injunction against the Ministry of the Interior to bring the treatments referred to in line with the obligations resulting from Article 87 of the Data Protection Act, and in particular:


o pour les finalités relevant du titre III de la loi Informatique et Libertés, ne recourir à la captation de données à caractère personnel à partir de drones qu’après l’adoption d’un cadre normatif autorisant la mise en œuvre de traitements de telles données ;
o for the purposes covered by Title III of the Data Protection Act, only use the collection of personal data from drones after the adoption of a normative framework authorizing the implementation of such data processing ;


· rendre publique, sur le site de la CNIL et sur le site de Légifrance, sa délibération, qui n’identifiera plus nommément le ministère à l’expiration d’un délai de deux ans à compter de sa publication.
· Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the ministry by name after the expiration of a period of two years from its publication.


Le président
President


Alexandre LINDEN
Alexandre LINDEN


Cette décision est susceptible de faire l’objet d’un recours devant le Conseil d’État dans un délai de deux mois à compter de sa notification.
This decision may be appealed against to the Council of State within two months of its notification.  
</pre>
</pre>
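Review bot: the English lines in this hunk render "formation restreinte" six different ways ("restricted committee" in paragraphs 48 to 58, "restricted party" in 50, "restricted group" in point 2° under 54, "restricted training" in 61, "restricted panel" in 62 and 63, "restricted formation" in the operative part); pick one, for example "restricted committee", and use it throughout so readers do not take these for different bodies. Other points to clean up in the same pass: paragraph 56 reads "is not does not appear necessary" and refers to the ministry as "he"; paragraph 59 ends "particularly sensitive, for example" and has lost the noun that the French line carries ("informations particulièrement sensibles"); paragraph 52 and the injunction item translate "traitement(s)" as "treatment(s)" where the rest of the text says "processing"; and the injunction item has lost the leading "·" that the French line and the neighbouring items keep.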

Latest revision as of 17:11, 6 December 2023

CNIL - SAN-2021-003
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Directive 2016/680
Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.01.2021
Published: 14.01.2021
Fine: None
Parties: Ministry of Interior
National Case Number/Name: SAN-2021-003
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Kest

The French DPA (CNIL) ordered the Ministry of Interior to cease the use of drones equipped with cameras by police forces. The Ministry violated its obligations to process personal data only where authorised by a specific legal provision and to conduct a privacy impact assessment.

English Summary

Facts

In March 2020, the press reported the use of drones equipped with cameras by the police forces in several places, in order to monitor compliance with COVID-19 lockdown measures.

The French DPA questioned the Ministry of the Interior on the subject. In the absence of a reply, the DPA initiated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes: scouting an area before an arrest, and surveillance of drug trafficking, of demonstrations and of road transport. An on-site inspection then established that the cameras used were powerful enough to allow facial identification of individuals.

In this context, the report concluded that there had been several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, data were allegedly anonymized, and data protection regulation not applicable.

Dispute

Does the recording of images by drones equipped with cameras involve personal data within the meaning of Article 4 GDPR? Did the Ministry of Interior comply with the French Data Protection Act implementing Directive (EU) 2016/680?

Holding

The DPA issues a public call to order against the Ministry of the Interior, on the following grounds.

On the processing of personal data

The DPA recalls the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes ECJ, 11 December 2014, Ryneš, case C-212/13 (point 22), EDPB Guidelines 3/2019 on processing of personal data through video devices, and a ruling and an opinion by the French Supreme Administrative Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.

The DPA notes that the cameras fitted to the drones have a high resolution and a zoom capability, which allow faces to be identified.

The face-blurring program has only been implemented in some recent operations. Its usefulness is confined to prevention activities, where identification is not necessary. Furthermore, for safety reasons, the pilot's monitor screen is not subject to blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. Indeed, although only the technical service has control over the program, all services are placed under the same authority.

The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.

On the violation of the French Data Protection Act, implementing Directive (EU) 2016/680

Under the French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), the processing of personal data can only occur where authorised by a specific legal provision (Article 89). In the present case, the Ministry has ignored this obligation.

Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of the beliefs and opinions of data subjects participating in demonstrations. Those risks are increased by the fact that data subjects may not be aware that a drone is operating and thus that their personal data are being processed. The data protection impact assessment is also required where a new mechanism is implemented (Article 90). Drones being new to police forces, the assessment is required.

Lastly, the CNIL finds that the Ministry has failed in its obligation as data controller to provide data subjects with mandatory information.

As a result of these violations, the DPA issues a public call to order. It is however decided that the name of the Ministry of Interior will not appear publicly on the decision after a period of 2 years.

Comment

The decision follows the decisions of the French Administrative Supreme Court: Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445 and Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

San-2021-003 deliberation of January 12, 2021
National Commission for Computing and Freedoms

    Nature of deliberation: Sanction
    Legal status: In force 

    Publication date on Légifrance: Thursday January 14, 2021 

Deliberation of the restricted committee No. SAN-2021-003 of January 12, 2021 concerning the Ministry of the Interior

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Anne DEBET and Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention and detection of criminal offenses, investigations and prosecutions in the matter or the execution of criminal sanctions, and the free movement of such data;

Having regard to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to Deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Decision No. 2020-076C of May 7, 2020 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, a mission to verify the processing operations implemented by the Ministry of the Interior or on its behalf;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted committee, dated October 2, 2020;

Having regard to the report by Mrs Sophie LAMBREMON, rapporteur commissioner, notified to the Ministry of the Interior on October 30, 2020;

Having regard to the written submissions made by the Ministry of the Interior on 1 December 2020;

Having regard to the oral observations made during the session of the restricted committee on December 10, 2020;

Having regard to the other documents in the file;

Were present during the session of the restricted committee:

- Mrs Sophie LAMBREMON, commissioner, heard in her report;

As representatives of the Ministry of the Interior:

- […] ;

- […] ;

The Ministry of the Interior having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. Following the lockdown decided by the Government in March 2020, several press articles reported on the use, by the police (in particular the Cergy-Pontoise police station) and the gendarmerie (in particular the departmental gendarmerie group of Haute-Garonne), of drones equipped with a camera to ensure compliance with the measures taken in this context. As the use of such drones appeared to her likely to involve the processing of personal data, the President of the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission), by letter of 23 April 2020, asked the Ministry of the Interior for details on the processing carried out in this context.

2. In the absence of a response, the President of the Commission, by Decision No. 2020-076C of 7 May 2020, initiated an inspection procedure concerning the Ministry. The purpose of this procedure was to verify that the Ministry of the Interior complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the Regulation or the GDPR), of Law No. 78-17 of 6 January 1978 relating to computers, files and liberties (hereinafter the Law of 6 January 1978 or the Data Protection Act), of Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 (hereafter the police-justice directive) and of the provisions of articles L251-1 et seq. of the Internal Security Code. As part of this procedure, the President of the Commission, on May 8, 2020, sent the Ministry of the Interior, the Paris police headquarters, the Cergy-Pontoise police station and the departmental gendarmerie group of Haute-Garonne questionnaires on the use of drones to enforce the lockdown measures deployed in the context of the state of health emergency. The Ministry of the Interior replied to all of these questionnaires by letter of May 27, 2020.

3. On July 9, 2020, a delegation from the CNIL visited the premises of the Paris police headquarters in order to carry out an on-site check. This control notably enabled the control delegation to carry out a test flight of a drone used by the Paris police headquarters.

4. Various exchanges took place by email between the ministry and the control delegation between July and September 2020. These exchanges concerned the transmission of documents requested during the control as well as details requested subsequently.

5. For the purposes of examining these elements, the President of the Commission appointed, on October 2, 2020, Mrs Sophie LAMBREMON as rapporteur, on the basis of article 22 of the law of January 6, 1978.

6. At the end of her investigation, the rapporteur, on October 30, 2020, sent the Ministry of the Interior a report detailing the breaches of the Data Protection Act that she considered to be established in this case. The rapporteur proposed that the restricted committee of the Commission issue an injunction to bring the processing into conformity with the provisions of Article 87 of the Data Protection Act, as well as a call to order. She also proposed that this decision be made public and no longer allow the ministry to be identified by name after a period of two years from its publication.

7. The same day, the Ministry of the Interior was informed that this file was on the agenda of the session of the restricted committee of December 10, 2020.

8. On 1 December 2020, the Ministry submitted observations.

9. The Ministry and the rapporteur presented oral observations during the session of the restricted committee.

II. Reasons for the decision

A. On the existence of processing of personal data

10. The rapporteur observes that the Paris police headquarters, the Cergy-Pontoise police station and the Haute-Garonne departmental gendarmerie group have used drones to verify compliance with the lockdown measures. In addition, the Paris police headquarters also used these devices for other purposes, such as judicial police missions (reconnaissance of a location before an arrest, monitoring of drug trafficking), public order operations (surveillance of demonstrations) or crisis management and road checks (surveillance of urban rodeos).

11. The rapporteur notes that the drones used are equipped with a camera allowing the capture of high resolution images and having zoom capabilities capable of enlarging the image between six and twenty times.

12. In the light of these technical capacities, the rapporteur considers that the use of these drones by the Ministry of the Interior gives rise to the processing of personal data when people are filmed in conditions allowing their identification.

13. The Ministry of the Interior, for its part, first affirmed in response to the questionnaires sent by the President of the CNIL that the drone flights did not give rise to any processing of personal data, as people were not identifiable. In its observations in response to the sanction report, it then considered that the legal uncertainty relating to the nature of the data processed demonstrated the good faith of the administration and that, in any event, the blurring system implemented excluded any processing of personal data, while specifying that technical considerations prevented this blurring from being performed on the drone capturing the images, before any transmission of them.

14. The restricted committee considers that the qualification of processing of personal data applies to a video capture system filming people for the following reasons.

15. First, on the existence of processing of personal data, article 2 of the Data Protection Act provides: unless otherwise provided, within the framework of this law the definitions of Article 4 of Regulation (EU) 2016/679 of April 27, 2016 apply.

16. Pursuant to article 4 of the GDPR, processing of personal data means any operation or set of operations, whether or not carried out using automated processes, applied to personal data or sets of personal data, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available, reconciliation or interconnection, limitation, erasure or destruction. This same article defines personal data as any information relating to an identified or identifiable natural person […]; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference […] to one or more factors specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.

17. In view of these definitions, the restricted committee notes that any operation - in particular the capture, transmission, modification or consultation - relating to the image of persons who can be recognized constitutes processing of personal data.

18. The restricted committee observes that this analysis, adopted for a long time by the CNIL, has been enshrined in European case law since 2014: the image of a person recorded by a camera constitutes personal data within the meaning of the provision referred to in the previous point insofar as it allows the data subject to be identified (CJEU, 11 December 2014, Ryneš, case C-212/13, point 22). It was very recently recalled by the European Data Protection Board (hereinafter the EDPS) in its guidelines 3/2019 of 29 January 2020 on the processing of personal data by video devices: Systematic surveillance and automation of a specific space by optical or audiovisual means, mainly for the purpose of protecting property or protecting human life and health, has become an important phenomenon of our time. This activity entails the collection and retention of pictorial or audiovisual information about all persons entering the monitored space that are identifiable on the basis of their appearance or other specific elements. The identity of these persons can be established on the basis of this information .

19. With regard more specifically to drones equipped with a camera, the summary judge of the Conseil d'État considered that the disputed surveillance system […] which consists in collecting data, thanks to the capture of images by drone, to transmit them, in certain cases, to the command center of the police headquarters for real-time viewing and to use them for carrying out administrative police missions constitutes processing (Council of State, ordinance of 18 May 2020, nos . 440442 and 440445). Noting that no system was in place to prevent, in all cases, that the information collected could lead to making the persons identifiable, this court concludes that the data likely to be collected by the disputed processing must be regarded as of a personal nature .

20. Finally, in an opinion of September 20, 2020 on the use of airborne image capture devices by public authorities, the Council of State specified that, in particular in view of the technologies currently available and their development and material resources available to the public authorities, the Council of State considers that the images of people captured by airborne cameras by these authorities as part of public security or civil security missions should, in principle, be regarded as data personal and that, therefore, the collection and use of these images are subject to compliance with the texts recalled above. However, it could be different in the event of use under special conditions excluding the existence of reasonable possibilities of identifying people, or in the event that technical devices preventing identification are implemented (Conseil d'État section of the interior, meeting on Tuesday, September 20, 2020, n o 401 214).

21. The restricted committee recalls that in this case, the Paris police headquarters, the Haute-Garonne departmental gendarmerie group and the Cergy-Pontoise police station admitted to having used drones equipped with a camera for the purpose of verifying compliance with containment measures and, for the Paris police headquarters, for other purposes, in particular for justice and law enforcement. These drones flew at an altitude of between 30 and 120 meters, according to the actors, and were equipped with a 12 million pixel lens that could enlarge the image between six and twenty times.

22. The control delegation, having carried out a drone test flight on July 9, 2020, noted that the technical characteristics mentioned above allow the identification of people.

23. Secondly, with regard to a possible blurring device which could make the persons concerned unidentifiable, the restricted committee notes, first of all, that the Paris police headquarters, the Haute-Garonne departmental gendarmerie group and the Cergy-Pontoise police station indicated, in their response to the questionnaires sent, that no blurring device had been put in place.

24. It then observes that the Paris police headquarters subsequently indicated, during the check carried out on July 9, 2020, that a blurring device was under development. The Interior Ministry specified, during the session of December 10, 2020, that its deployment had been effective since the end of August 2020.

25. Consequently, the restricted committee noted, on the one hand, that such a device was not implemented during the flights mentioned in the questionnaires sent to the operational services, and that drones equipped with a camera therefore carried out numerous flights without blurring the images collected before the deployment of the mechanism. It considers, on the other hand, that the device described during the present procedure cannot, however, exempt the images collected from the applicable regulations on the protection of personal data.

26. Indeed, firstly, the blurring system referred to does not apply to the images captured by the camera present on the drone and transmitted to the pilot of the drone. If the visualization of unblurred images by the drone pilot is easily explained by security imperatives (control of the aircraft during flight time), which the restricted committee does not question, the fact remains that the capturing of non-blurred images by the camera and their transmission to the pilot constitute personal data processing operations.

27. Secondly, it follows from the responses provided by the police headquarters that it recorded unblurred images when using drones for the needs of judicial police missions, which also constitutes processing of personal data.

28. Finally, and contrary to the statements made by the Ministry of the Interior during the session, it emerges from the documents communicated in defense, and more particularly from the note relating to blurring entitled Processing of video streams from drones, dated 23 November 2020, that the blurred flows can be consulted in clear by the agents of the police headquarters: "The blurring device being controlled by the DILT (direction of innovation, logistics and technologies), it is impossible for the DOPC (public order and traffic department) to access unblurred flows. Access to unblurred streams would require a modification of the configuration currently implemented; only an engineer with rights to the entire device can do this laborious work. Engineers with these rights are placed under a different command from that of the DOPC." The restricted committee deduces from this document that, although laborious, access to unblurred streams remains possible by persons placed under the responsibility of the data controller. Therefore, the processing must be qualified as processing of personal data.

B. On the identification of the data controller

29. The restricted committee emphasizes that all the processing operations covered by this procedure, the purpose of which is to ensure compliance with the containment measures adopted in the context of the state of health emergency, or to intervene for the benefit of police missions, policing missions, or as part of crisis management or traffic control, fall within the jurisdiction of the Ministry of the Interior, in accordance with Decree no. 2017-1070 of May 24, 2017 relating to the powers of the Minister of the Interior, which provides that the Minister of the Interior prepares and implements the Government's policy in matters of internal security, public freedoms, territorial administration of the State, immigration, asylum and road safety.

30. It also underlines that the services concerned (grouping of departmental gendarmerie of Haute-Garonne, police station of Cergy-Pontoise and prefecture of police of Paris) all act under the supervision of the Ministry of the Interior.

31. The Ministry of the Interior considers itself to be the controller, its central services having, moreover, drawn up a command instruction providing for the use of drones, in particular within the framework of containment.

32. Consequently, the restricted committee holds that the latter must be considered the data controller concerned by this procedure.

C. On the applicable law

33. The first paragraph of Article 87 of the Data Protection Act, Article I of Title III of the Act, provides: this Title shall apply, without prejudice to Title I, to the processing of personal data implemented, for the purposes of preventing and detecting criminal offenses, investigating and prosecuting them or enforcing criminal sanctions, including protection against threats to public security and the prevention of such threats, by any competent public authority or any other body or entity to which has been entrusted, for these same purposes, the exercise of public authority and public power prerogatives, hereinafter referred to as the competent authority.

34. Title III therefore applies to processing operations which meet a dual characteristic relating to their purpose, on the one hand, and to the quality of the controller, on the other.

35. As regards the purposes pursued by the processing resulting from the flights of drones equipped with a camera, it appears from the declarations made by the departmental gendarmerie group of Haute-Garonne, by the Cergy-Pontoise police station and by the prefecture of police in Paris that the images were used by these three actors to ensure compliance with the containment measures adopted in the context of the state of health emergency and, for the last of them only, for other purposes, such as judicial police, law enforcement, crisis management and road control missions.

36. The restricted committee considers that the aforementioned missions fall within the scope of the purposes referred to in Article 87 of the Data Protection Act, either because they aim to prevent or detect criminal offenses (for example, when drones are used to ensure compliance with containment or road control measures), to investigate or prosecute in criminal matters (for example for judicial police missions), or to protect against threats to public security and prevent such threats (for example for law enforcement or crisis management missions).

37. The restricted committee also considers that, in the framework of these missions, the Ministry of the Interior must be regarded as the competent authority under Article 1 of Decree no. 2020-874 of July 15, 2020 on the powers of the Minister of the Interior (previously Decree no. 2017-1070 of 24 May 2017), cited above.

38. Consequently, the restricted committee considers that in this case, the processing implemented by the Ministry of the Interior for the various purposes mentioned above must comply with the provisions of Title III of the Data Protection Act.

D. On breaches

1. The breach relating to the lawfulness of the processing and the lack of an impact study

39. The second paragraph of article 87 of the Data Protection Act provides that the processing referred to in Title II of the law is only lawful if and to the extent that it is necessary for the performance of a task carried out, for one of the purposes set out in the first paragraph, by a competent authority within the meaning of the same first paragraph and where the provisions of Articles 89 and 90 are complied with.

40. Under I of article 89 of the law, if the processing is carried out on behalf of the State for at least one of the purposes set out in the first paragraph of article 87, it is provided for by a legislative or regulatory provision made under the conditions provided for in I of Article 31 and in Articles 33 to 36. Pursuant to II of the same article, if the processing relates to data referred to in article 6 of the law (known as sensitive data), it must be provided for by a legislative or regulatory provision taken under the conditions provided for in II of Article 31. Article 31 of the law to which reference is made requires that the data processing in question be authorized by order of the competent minister or ministers, taken after a reasoned and published opinion of the Commission and, in the event of processing of sensitive data, by a decree of the Council of State taken after a reasoned and published opinion from the CNIL.

41. Article 90 of the law provides: if the processing is likely to generate a high risk for the rights and freedoms of natural persons, in particular because it relates to data mentioned in I of article 6, the data controller carries out an impact assessment relating to the protection of personal data.

42. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this failure, having wrongly considered that the processing operations in question did not relate to personal data.

43. With regard to the provisions of article 89, the restricted committee notes that no legislative or regulatory framework authorizes and regulates the processing of personal data arising from the use by the Ministry of the Interior of drones equipped with a camera. By indicating that work is underway to develop a legal framework as soon as possible, the Ministry of the Interior confirms this point.

44. With regard to the provisions of Article 90, the restricted committee considers that the processing carried out in this case is likely to create a high risk for the rights and freedoms of the persons concerned. This high risk arises, on the one hand, from the characteristics of drones, which are flying objects carrying a camera capable of filming in high resolutions, anywhere and at any time. They are therefore capable of filming any person circulating in the public space, of following them and of processing intangible personal data such as their facial features. The risk arises, on the other hand, from the use made of drones by the Ministry of the Interior, in particular during demonstrations, occasions during which the political opinions, religious or philosophical convictions of people, or their trade union membership, are likely to be revealed. Finally, the risk is aggravated by the fact that the processing operations are potentially implemented without the knowledge of the people, who are often not aware of the presence of drones, the activation of the camera and the capture of their image. This risk is in this respect aggravated, in the present case, by the lack of information provided to the persons during the flights carried out.

45. The restricted committee noted that article 90 of the Data Protection Act specifies that this risk may also arise due to the use of new mechanisms, which is indeed the case in this case.

46. Consequently, the restricted committee considers that the use of drones equipped with a camera gives rise to a high risk for the rights and freedoms of natural persons and that, therefore, it was up to the Ministry of the Interior to carry out an impact assessment relating to the protection of personal data.

47. The restricted committee noted that no impact analysis was carried out.

48. All of these elements show that the conditions for lawfulness of the processing operations are not met. The restricted committee therefore considers that breaches of articles 89 and 90 of the Data Protection Act have occurred.

2. On the failure to inform individuals

Under the terms of article 104 of the Data Protection Act, the data controller makes the following information available to the person concerned:

1° The identity and contact details of the data controller and, where applicable, those of his representative;

2° Where applicable, the contact details of the data protection officer;

3° The purposes pursued by the processing for which the data are intended;

4° The right to lodge a complaint with the National Commission for Informatics and Freedoms and the contact details of the commission;

5° The existence of the right to request from the data controller access to personal data, their rectification or erasure, and the existence of the right to request a limitation of the processing of personal data relating to a data subject.

49. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this failure, recalling only the commitments made to ensure, in the future, the information of the persons concerned.

50. The restricted committee noted that the departmental gendarmerie group of Haute-Garonne and the Cergy-Pontoise police station indicated, in their response to the questionnaire sent, that people were informed of the presence of the drone by a voice message inviting them to disperse. The Paris police headquarters indicated that no specific information system had been put in place.

51. It emerges from the answers provided that no information meeting the requirements of Article 104 of the Data Protection Act was communicated to the persons concerned.

52. The restricted committee notes that, although article 107 of the Data Protection Act allows, under certain conditions, restrictions on the rights of individuals and in particular on the right to information, these restrictions must be provided for by the act establishing the processing. In the present case, in the absence of any act establishing the processing in question, no limitation to the right to information could be provided for.

53. All of these elements show that the information provided to individuals, when it existed, did not meet legal requirements. The restricted committee therefore considers that a breach of article 104 of the Data Protection Act has been established.

III. On corrective measures and their publicity

54. Under the terms of III of article 20 of the law of 6 January 1978:

When the data controller or his processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures:

1° A call to order;

2° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted committee; (…).

55. The rapporteur suggests to the restricted committee that a call to order be issued as well as an injunction to bring the processing into conformity with the provisions of the Data Protection Act. She also proposes that this decision be made public.

56. In defense, the Ministry of the Interior considers that the pronouncement of a corrective measure is not justified, a formal notice seeming sufficient in this case, and that the publicity of the possible measure to be taken does not appear necessary. Finally, it considers that the injunction to cease the use of drones is not possible, this use now constituting an undeniable operational necessity.

57. The restricted committee considers that, in the present case, the aforementioned failures justify a call to order against the Ministry of the Interior for the following reasons.

58. The restricted committee notes the seriousness of the breach relating to the lawfulness of the processing operations, this failure depriving all the processing operations carried out of a legal basis. It also emphasizes that the data subjects were deprived of all the guarantees from which they should have benefited, in particular information relating to processing and the exercise of their rights.

59. It also notes the significant risks for the rights and freedoms of individuals, previously mentioned, linked to the possibility offered by these new devices to identify any person circulating in the public space, including in circumstances that may reveal particularly sensitive information, for example linked to their political opinions, their religious or philosophical convictions or their trade union membership.

60. It also notes that technological developments are making drones more and more discreet, with increased capturing capacities of their cameras which give the Ministry of the Interior the possibility of flying its drones at increasingly high altitudes, while maintaining an image with great precision. People are therefore unlikely to become aware of the processing carried out and the capture of their image.

61. Finally, the restricted committee considers that the improvement of technologies such as facial recognition could entail, in the future, even greater risks for individual rights and freedoms if they were coupled with the use of drones. It therefore considers that their deployment outside any legal framework should be severely sanctioned.

62. The restricted panel considers that the aforementioned elements also make it necessary for an injunction to be issued. In addition, the ministry having indicated during the meeting that it did not intend to renounce, including temporarily, the use of drones equipped with a camera, the pronouncement of an injunction constitutes the appropriate measure to lead it to use drones for this purpose only when a legal framework authorizing it has been adopted.

63. Finally, and for the same reasons, the restricted panel considers it necessary for its decision to be made public. It notes, on this point, that the public has demonstrated, over the past few months, a legitimate interest in matters relating to the processing of their personal data by the State. The publication of a sanction decision by the authority specially responsible for the protection of personal data thus appears fully justified.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

· Issue a call to order against the Ministry of the Interior for breaches of Articles 89, 90 and 104 of the Data Protection Act;

· Issue an injunction against the Ministry of the Interior to bring the processing operations referred to into line with the obligations resulting from Article 87 of the Data Protection Act, and in particular:

o for the purposes covered by Title III of the Data Protection Act, only resort to the collection of personal data from drones after the adoption of a normative framework authorizing the implementation of such data processing;

· Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the ministry by name after the expiration of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be appealed against to the Council of State within two months of its notification.