CNIL (France) - SAN-2021-003: Difference between revisions

From GDPRhub
mNo edit summary
Line 63: Line 63:
The French DPA questionned the Ministry of the Interior on the subject. In absence of reply, the DPA initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area before an arrest, surveillance of a drug traficking,  of demonstrations and road transport. An on-site control then established that the camera used were efficient enough to allow for facial identification of individuals.
The French DPA questionned the Ministry of the Interior on the subject. In absence of reply, the DPA initated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes : scouting an area before an arrest, surveillance of a drug traficking,  of demonstrations and road transport. An on-site control then established that the camera used were efficient enough to allow for facial identification of individuals.


In this context, the report concluded to several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, the data were anonimized, and data protection regulations not applicable.
In this context, the report concluded to several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, data were allegedly anonimized, and data protection regulation not applicable.


===Dispute===
===Dispute===
Is recording of images by drones equipped with cameras a personal personal data according Article 4 GDPR ?
Is the recording of images by drones equipped with cameras a personal personal data in the sense of Article 4 GDPR ?
Did the Ministry of Interior comply with European and French data protection regulation inmplementing DIrective (UE) 2016/680 ?
Did the Ministry of Interior comply with the [https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2021-01-19/ French Data Protection Act] implementing [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016L0680 Directive (EU) 2016/680] ?


===Holding===
===Holding===
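Review bot: the new Dispute question still reads "a personal personal data", so the duplicated word survives the rewrite; drop one "personal". The Facts paragraphs in this hunk are left with "questionned", "initated" and "traficking", and the revised sentence keeps "anonimized" where "anonymized" is meant, so the spelling pass could be folded into the same edit.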
Line 73: Line 73:


======On the processing of personal data======
======On the processing of personal data======
The DPA reminds the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes ECJ, 11 December 2014, ''Ryneš'', case C-212/13 (point 22), EDPB Guidelines 3/2019 on processing of personal data through video devices, a ruling and an opinion by the French Supreme Administrative Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.
The DPA reminds the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then quotes [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62013CJ0212 ECJ, 11 December 2014, ''Ryneš'', case C-212/13] (point 22), [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en EDPB Guidelines 3/2019 on processing of personal data through video devices], a [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000041897158/ ruling] and an [https://www.conseil-etat.fr/ressources/avis-aux-pouvoirs-publics/derniers-avis-publies/avis-relatif-a-l-usage-de-dispositifs-aeroportes-de-captation-d-images-par-les-autorites-publiques opinion] by the French Supreme Administrative Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.


The DPA notes that the equipped cameras have a high resolution and a zoom capability, which allow for identification of faces.  
The DPA notes that the equipped cameras have a high resolution and a zoom capability, which allow for identification of faces.  


Regarding the face-blurring program, it has only been implemented in some recent operation. It is of limited utility because it can only be used for prevention activities. For safety reasons, the pilot's screen is not subject to the blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. All services are placed under the same authority.
Regarding the face-blurring program, it has only been implemented in some recent operation. Its utility is confined to prevention activities, where identification is not necessary. Furthemore, for safety reasons, the pilot's monitor screen is not subject to blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. Indeed, despite the fact that only the technical service has control over the program, all services are placed under the same authority.


The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.
The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.


======On the violation of French data protection act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés (Loi Informatique et Libertés))======
======On the violation of French Data Protection Act, implementing Directive (EU) 2016/680======
Under French regulation, the processing of personal data can only occur where authorised by a specific legal provision (Article 89 Loi informatique et Libertés). In the present case, the Ministry has ignored this obligation.
Under French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), the processing of personal data can only occur where authorised by a specific legal provision (Article 89). In the present case, the Ministry has ignored this obligation.


Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to the fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of beliefs and opinions of data subject participating to demonstrations. Those risks are increased by the fact that data subjects may not be aware of the drone operating and thus of the processing of their personal data.  
Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to the fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of beliefs and opinions of data subject participating to demonstrations. Those risks are increased by the fact that data subjects may not be aware of the drone operating and thus of the processing of their personal data.  
The data protection impact assessment is also required where a new mechanism is implemented (Article 89 Loi Informatique et Libertés). Drones being new to police forces, the assessment is required.
The data protection impact assessment is also required where a new mechanism is implemented (Article 90). Drones being new to police forces, the assessment is required.


Lastly, the CNIL finds that the Ministry has failed to its obligation as data controller to provide data subjects with mandatory information.
Lastly, the CNIL finds that the Ministry has failed to its obligation as data controller to provide data subjects with mandatory information.


As a result of these violations, the DPA issues a public call to order. It is however decided that the name of the Ministry of the Interior will not appear publicly on the decision after a period of 2 years.
As a result of these violations, the DPA issues a public call to order. It is however decided that the name of the Ministry of Interior will not appear publicly on the decision after a period of 2 years.
==Comment==
==Comment==
The decision follows the decisions of the French Administrative Supreme Court : Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445 and Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques
The decision follows the decisions of the French Administrative Supreme Court : [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000041897158/ Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445] and [https://www.conseil-etat.fr/ressources/avis-aux-pouvoirs-publics/derniers-avis-publies/avis-relatif-a-l-usage-de-dispositifs-aeroportes-de-captation-d-images-par-les-autorites-publiques Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques].


==Further Resources==
==Further Resources==
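Review bot: the rewritten face-blurring paragraph introduces a typo, "Furthemore", and still says "in some recent operation" in the singular; suggest "Furthermore" and "operations". The last Holding line changes "Ministry of the Interior" to "Ministry of Interior" while the Facts paragraphs keep "Ministry of the Interior", so one form should be used throughout. The impact-assessment sentence now cites Article 90 where the previous revision cited Article 89; since the edit carries no summary, that change should be confirmed against the Act.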

Revision as of 15:38, 19 January 2021

CNIL - SAN-2021-003
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(1) GDPR
Article 4(2) GDPR
Directive 2016/680
Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.01.2021
Published: 14.01.2021
Fine: None
Parties: Ministry of Interior
National Case Number/Name: SAN-2021-003
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Kest

The French DPA (CNIL) ordered the Ministry of Interior to cease the use of drones equipped with cameras by police forces. The Ministry violated its obligations to process personal data only where authorised by a specific legal provision and to conduct a privacy impact assessment.

English Summary

Facts

In March 2020, the press reported the use of drones equipped with cameras by police forces in several places, in order to monitor compliance with COVID-19 lockdown measures.

The French DPA questioned the Ministry of the Interior on the subject. In the absence of a reply, the DPA initiated an inquiry. The Ministry was summoned to answer a questionnaire. It stated that the drones had also been used for other purposes: scouting an area before an arrest, and surveillance of drug trafficking, of demonstrations and of road transport. An on-site control then established that the cameras used were efficient enough to allow for facial identification of individuals.

In this context, the report found several violations of data protection law and proposed a sanction. The Ministry's main line of defence was that, since August 2020, a face-blurring program has been implemented. As a result, the data were allegedly anonymized, and data protection regulation was not applicable.

Dispute

Is the recording of images by drones equipped with cameras personal data in the sense of Article 4 GDPR? Did the Ministry of Interior comply with the French Data Protection Act implementing Directive (EU) 2016/680?

Holding

The DPA issues a public call to order against the Ministry of the Interior, on the following grounds.

On the processing of personal data

The DPA recalls the broad definitions of processing and personal data laid down by Article 4(1) and (2) GDPR. The DPA then cites ECJ, 11 December 2014, Ryneš, case C-212/13 (point 22), EDPB Guidelines 3/2019 on processing of personal data through video devices, a ruling and an opinion by the French Supreme Administrative Court. It reiterates that personal data are processed whenever people can be identified on the basis of recorded images.

The DPA notes that the equipped cameras have a high resolution and a zoom capability, which allow for identification of faces.

Regarding the face-blurring program, it has only been implemented in some recent operations. Its utility is confined to prevention activities, where identification is not necessary. Furthermore, for safety reasons, the pilot's monitor screen is not subject to blurring. Lastly, unblurred recordings can be accessed by operational services, although it takes time. Indeed, despite the fact that only the technical service has control over the program, all services are placed under the same authority.

The DPA then decides that the program is of no effect on the definition of the subject matter of the inquiry as a processing of personal data.

On the violation of French Data Protection Act, implementing Directive (EU) 2016/680

Under French Data Protection Act (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), the processing of personal data can only occur where authorised by a specific legal provision (Article 89). In the present case, the Ministry has ignored this obligation.

Furthermore, a data protection impact assessment is mandatory where the processing could create significant risks to fundamental rights and freedoms. According to the DPA, drones generate such risks, especially because of the possibility given to the Ministry to acquire knowledge of the beliefs and opinions of data subjects participating in demonstrations. Those risks are increased by the fact that data subjects may not be aware that a drone is operating and thus of the processing of their personal data. The data protection impact assessment is also required where a new mechanism is implemented (Article 90). Drones being new to police forces, the assessment is required.

Lastly, the CNIL finds that the Ministry has failed to meet its obligation as data controller to provide data subjects with mandatory information.

As a result of these violations, the DPA issues a public call to order. It is, however, decided that the name of the Ministry of Interior will no longer appear publicly on the decision after a period of 2 years.

Comment

The decision follows the decisions of the French Administrative Supreme Court: Conseil d'État, ordonnance du 18 mai 2020, nos 440442 et 440445 and Conseil d'État, avis du 20 septembre 2020 relatif à l’usage de dispositifs aéroportés de captation d’images par les autorités publiques.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

San-2021-003 deliberation of January 12, 2021
National Commission for Computing and Freedoms

    Nature of deliberation: Sanction
    Legal status: In force 

    Publication date on Légifrance: Thursday January 14, 2021 

Deliberation of the restricted committee No. SAN-2021-003 of January 12, 2021 concerning the Ministry of the Interior

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Anne DEBET and Christine MAUGÜE, members;

Considering Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention and detection of criminal offenses, investigations and prosecutions in the matter or the execution of criminal sanctions, and the free movement of such data;

Considering Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Considering Deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission of data processing and freedoms;

Considering Decision No. 2020-076C of May 7, 2020 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out, or to have carried out, a mission to verify the processing operations implemented by the Ministry of the Interior or on its behalf;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated October 2, 2020;

Having regard to the report by Mrs Sophie LAMBREMON, rapporteur commissioner, notified to the Ministry of the Interior on October 30, 2020;

Considering the written submissions made by the Ministry of the Interior on 1 December 2020;

Having regard to the oral observations made during the restricted committee session on December 10, 2020;

Having regard to the other documents in the file;

Were present during the restricted committee session:

- Mrs Sophie LAMBREMON, commissioner, heard in her report;

As representatives of the Ministry of the Interior:

- […] ;

- […] ;

The Ministry of the Interior having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. Following the confinement decided by the Government in March 2020, several press articles reported on the use, by the police (in particular the Cergy-Pontoise police station) and the gendarmerie (in particular the departmental gendarmerie group of Haute-Garonne), of drones equipped with a camera to ensure compliance with the measures taken in this context. Since the use of such drones appeared to her likely to involve the processing of personal data, the president of the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission), by letter of 23 April 2020, asked the Ministry of the Interior for details on the processing carried out in this context.

2. In the absence of a response, the President of the Commission, by Decision No. 2020-076C of 7 May 2020, initiated a control procedure against the Ministry. The purpose of this procedure was to verify that the Ministry of the Interior complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the Regulation or the GDPR), of Law No. 78-17 of 6 January 1978 relating to computers, files and liberties (hereinafter the Act of 6 January 1978 or the Data Protection Act), of Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 (hereafter the police-justice directive) and the provisions provided for in articles L251-1 et seq. of the Internal Security Code. As part of this procedure, the President of the Commission, on May 8, 2020, sent to the Ministry of the Interior, the Paris police headquarters, the Cergy-Pontoise police station and the departmental gendarmerie group of Haute-Garonne questionnaires on the use of drones to enforce the containment measures deployed in the context of the state of health emergency. The Ministry of the Interior replied to all of these questionnaires by letter of May 27, 2020.

3. On July 9, 2020, a delegation from the CNIL visited the premises of the Paris police headquarters in order to carry out an on-site check. This control notably enabled the control delegation to carry out a test flight of a drone used by the Paris police headquarters.

4. Various exchanges took place by email between the ministry and the control delegation between July and September 2020. These exchanges concerned the transmission of documents requested during the control as well as details requested subsequently.

5. For the purposes of examining these elements, the President of the Commission appointed, on October 2, 2020, Mrs Sophie LAMBREMON as rapporteur, on the basis of article 22 of the law of January 6, 1978.

6. At the end of her investigation, the rapporteur, on October 30, 2020, sent the Ministry of the Interior a report detailing the breaches of the Data Protection Act that she considered to be established in this case. The rapporteur proposed to the restricted formation of the Commission to issue an injunction to bring the processing into conformity with the provisions of Article 87 of the Data Protection Act, as well as a call to order. It also proposed that this decision be made public and no longer allow the ministry to be identified by name after a period of two years from its publication.

7. The same day, the Ministry of the Interior was informed that this file was on the agenda of the session of the restricted formation of December 10, 2020.

8. On 1 December 2020, the ministry submitted observations.

9. The Ministry and the rapporteur presented oral observations during the session of the restricted formation.

II. Reasons for the decision

A. On the existence of processing of personal data

10. The rapporteur observes that the Paris police headquarters, the Cergy-Pontoise police station and the Haute-Garonne departmental gendarmerie group have used drones to verify compliance with the containment measures. In addition, the Paris police headquarters also used these devices for other purposes, such as judicial police missions (reconnaissance of a place before an arrest, monitoring of drug trafficking), operations to maintain public order (surveillance of demonstrations) or crisis management and road checks (surveillance of urban rodeos).

11. The rapporteur notes that the drones used are equipped with a camera allowing the capture of high resolution images and having zoom capabilities capable of enlarging the image between six and twenty times.

12. In the light of these technical capacities, the rapporteur considers that the use of these drones by the Ministry of the Interior gives rise to the processing of personal data when people are filmed in conditions allowing their identification.

13. The Ministry of the Interior, for its part, first affirmed in response to questionnaires sent by the President of the CNIL that the flight of drones did not give rise to any processing of personal data, as people were not identifiable. In its observations in response to the sanction report, it then considered that the legal uncertainty relating to the nature of the data processed demonstrated the good faith of the administration, and that in any event, the blurring system implemented excluded any processing of personal data, while specifying that technical considerations prevented this blurring system from being performed at the level of the drone capturing the images and before any transmission thereof.

14. The restricted committee considers that the qualification of processing of personal data applies to a video capture system filming people for the following reasons.

15. First, on the existence of processing of personal data, article 2 of the Data Protection Act provides: unless otherwise provided, within the framework of this law the definitions of Article 4 of Regulation (EU) 2016/679 of April 27, 2016 apply.

16. Pursuant to article 4 of the GDPR, personal data processing constitutes any operation or set of operations carried out or not using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of provision, reconciliation or interconnection, limitation, erasure or destruction. This same article defines personal data as any information relating to an identified or identifiable natural person […]; is deemed to be an identifiable natural person a natural person who can be identified, directly or indirectly, in particular by reference […] to one or more specific elements specific to his physical, physiological, genetic, psychological, economic, cultural or social identity.

17. In view of these definitions, the restricted committee notes that any operation - in particular the capture, transmission, modification or consultation - relating to the image of persons who can be recognized constitutes processing of personal data.

18. The restricted committee observes that this analysis, adopted for a long time by the CNIL, has been enshrined in European case law since 2014: the image of a person recorded by a camera constitutes personal data within the meaning of the provision referred to in the previous point insofar as it allows the data subject to be identified (CJEU, 11 December 2014, Ryneš, case C-212/13, point 22). It was very recently recalled by the European Data Protection Board (hereinafter the EDPB) in its guidelines 3/2019 of 29 January 2020 on the processing of personal data by video devices: Systematic surveillance and automation of a specific space by optical or audiovisual means, mainly for the purpose of protecting property or protecting human life and health, has become an important phenomenon of our time. This activity entails the collection and retention of pictorial or audiovisual information about all persons entering the monitored space that are identifiable on the basis of their appearance or other specific elements. The identity of these persons can be established on the basis of this information.

19. With regard more specifically to drones equipped with a camera, the summary judge of the Conseil d'État considered that the disputed surveillance system […] which consists in collecting data, thanks to the capture of images by drone, to transmit them, in certain cases, to the command center of the police headquarters for real-time viewing and to use them for carrying out administrative police missions constitutes processing (Council of State, ordinance of 18 May 2020, nos. 440442 and 440445). Noting that no system was in place to prevent, in all cases, that the information collected could lead to making the persons identifiable, this court concludes that the data likely to be collected by the disputed processing must be regarded as of a personal nature.

20. Finally, in an opinion of September 20, 2020 on the use of airborne image capture devices by public authorities, the Council of State specified that, in particular in view of the technologies currently available and their development and material resources available to the public authorities, the Council of State considers that the images of people captured by airborne cameras by these authorities as part of public security or civil security missions should, in principle, be regarded as personal data and that, therefore, the collection and use of these images are subject to compliance with the texts recalled above. However, it could be different in the event of use under special conditions excluding the existence of reasonable possibilities of identifying people, or in the event that technical devices preventing identification are implemented (Conseil d'État section of the interior, meeting on Tuesday, September 20, 2020, No. 401 214).

21. The restricted committee recalls that in this case, the Paris police headquarters, the Haute-Garonne departmental gendarmerie group and the Cergy-Pontoise police station admitted to having used drones equipped with a camera for the purpose of verifying compliance with containment measures and, for the Paris police headquarters, for other purposes, in particular for justice and law enforcement. These drones flew at an altitude of between 30 and 120 meters, according to the actors, and were equipped with a 12 million pixel lens that could enlarge the image between six and twenty times.

22. The control delegation, having carried out a drone test flight on July 9, 2020, noted that the technical characteristics mentioned above allow the identification of people.

23. Secondly, with regard to a possible blurring device which could make it possible to make the persons concerned unidentifiable, the restricted formation notes, first of all, that the Paris police headquarters, the departmental gendarmerie group of Haute-Garonne and the Cergy-Pontoise police station indicated, in their response to the questionnaires sent, that no blurring device had been put in place.

24. It then observes that the Paris police headquarters subsequently indicated, during the check carried out on July 9, 2020, that a blurring device was under development. The Interior Ministry specified, during the session of December 10, 2020, that its deployment had been effective since the end of August 2020.

25. Consequently, the restricted committee notes, on the one hand, that such a device was not implemented during the flights mentioned in the questionnaires sent to the operational services, and that drones equipped with a camera therefore carried out numerous flights without blurring the images collected before the deployment of the mechanism. It considers, on the other hand, that the device described during the present procedure cannot, however, exempt the images collected from the applicable regulations on the protection of personal data.

26. Indeed, firstly, the blurring system referred to does not apply to the images captured by the camera present on the drone and transmitted to the pilot of the drone. While the visualization of unblurred images by the drone pilot is easily explained by security imperatives (control of the aircraft during flight time), which the restricted committee does not question, the fact remains that the capturing of non-blurred images by the camera and their transmission to the pilot constitute personal data processing operations.

27. Secondly, it follows from the responses provided by the police headquarters that it recorded unblurred images when using drones for the needs of judicial police missions, which also constitutes processing of personal data.

28. Finally, and contrary to the statements made by the Ministry of the Interior during the session, it emerges from the documents communicated in defense, and more particularly from the note relating to blurring entitled Processing of video streams from drones, dated 23 November 2020, that the blurred flows can be consulted in clear by the agents of the police headquarters: The blurring device being controlled by the DILT (direction of innovation, logistics and technologies), it is impossible for the DOPC (public order and traffic department) to access unblurred flows. Access to unblurred streams would require a modification of the configuration currently implemented; only an engineer with rights to the entire device can do this laborious work. Engineers with these rights are placed under a different command from that of the DOPC. The restricted committee deduces from this document that, although laborious, access to unblurred streams remains possible by persons placed under the responsibility of the data controller. Therefore, the processing must be qualified as processing of personal data.

B. On the identification of the data controller

29. The restricted committee emphasizes that all the processing operations covered by this procedure, the purpose of which is to ensure compliance with the containment measures adopted in the context of the state of health emergency, to intervene for the benefit of police missions, policing missions, or as part of crisis management or traffic control, fall within the jurisdiction of the Ministry of the Interior, in accordance with Decree No. 2017-1070 of May 24, 2017 relating to the powers of the Minister of the Interior, which provides that the Minister of the Interior prepares and implements the Government's policy in matters of internal security, public freedoms, territorial administration of the State, immigration, asylum and road safety.

30. It also underlines that the services concerned (grouping of departmental gendarmerie of Haute-Garonne, police station of Cergy-Pontoise and prefecture of police of Paris) all act under the supervision of the Ministry of the Interior.

31. The Ministry of the Interior considers itself to be the controller, its central services having, moreover, drawn up a command instruction providing for the use of drones, in particular within the framework of containment.

32. Consequently, the restricted committee holds that the latter must be considered the data controller concerned by this procedure.

C. On the applicable law

33. The first paragraph of Article 87 of the Data Protection Act, the first article of Title III of the Act, provides: "this Title shall apply, without prejudice to Title I, to the processing of personal data implemented, for the purposes of preventing and detecting criminal offenses, investigating and prosecuting them or enforcing criminal sanctions, including protection against threats to public security and the prevention of such threats, by any competent public authority or any other body or entity entrusted, for these same purposes, with the exercise of public authority and public power prerogatives, hereinafter referred to as the competent authority".

34. Title III therefore applies to processing operations which meet a dual characteristic relating to their purpose, on the one hand, and to the quality of the controller, on the other.

35. As regards the purposes pursued by the processing resulting from the flights of drones equipped with a camera, it appears from the declarations made by the departmental gendarmerie group of Haute-Garonne, by the Cergy-Pontoise police station and by the prefecture of police in Paris that the images were used by these three actors to ensure compliance with the containment measures adopted in the context of the state of health emergency and, for the last of them only, to other purposes, such as judicial police, law enforcement, crisis management and road control missions.

36. The restricted committee considers that the aforementioned missions fall within the scope of the purposes referred to in Article 87 of the Data Protection Act, either because they aim to prevent or detect criminal offenses - for example, when drones are used to ensure compliance with containment or road control measures -, to investigate or prosecute in criminal matters - for example for judicial police missions -, or to protect against threats to public security and prevent such threats - for example for law enforcement or crisis management missions.

37. The restricted committee also considers that, in the framework of these missions, the Ministry of the Interior must be regarded as the competent authority under Article 1 of Decree No. 2020-874 of July 15, 2020 on the powers of the Minister of the Interior (previously Decree No. 2017-1070 of 24 May 2017), cited above.

38. Consequently, the restricted committee considers that in this case, the processing implemented by the Ministry of the Interior for the various purposes mentioned above must comply with the provisions of Title III of the Data Protection Act.

D. On breaches

1. The breach relating to the lawfulness of the processing and the lack of an impact study

39. The second paragraph of article 87 of the Data Protection Act provides that the processing referred to in Title II of the law is only lawful if and to the extent that it is necessary for the performance of a task carried out, for one of the purposes set out in the first paragraph, by a competent authority within the meaning of the same first paragraph and where the provisions of Articles 89 and 90 are complied with.

40. Under I of article 89 of the law, if the processing is carried out on behalf of the State for at least one of the purposes set out in the first paragraph of article 87, it is provided for by a legislative or regulatory provision made under the conditions provided for in I of Article 31 and in Articles 33 to 36. Pursuant to II of the same article, if the processing relates to data referred to in article 6 of the law (known as sensitive data), it must be provided for by a legislative or regulatory provision taken under the conditions provided for in II of Article 31. Article 31 of the law to which reference is made requires that the data processing in question be authorized by order of the competent minister or ministers, taken after a reasoned and published opinion of the Commission and, in the event of processing of sensitive data, by a decree of the Council of State taken after a reasoned and published opinion from the CNIL.

41. Article 90 of the law provides: "if the processing is likely to generate a high risk for the rights and freedoms of natural persons, in particular because it relates to data mentioned in I of article 6, the data controller carries out an impact assessment relating to the protection of personal data".

42. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this failure, having wrongly considered that the processing operations in question did not relate to personal data.

43. With regard to the provisions of article 89, the restricted committee notes that no legislative or regulatory framework authorizes and regulates the processing of personal data arising from the use by the Ministry of the Interior of drones equipped with a camera. By indicating that work is underway to develop a legal framework as soon as possible, the Ministry of the Interior confirms this point.

44. With regard to the provisions of Article 90, the restricted committee considers that the processing carried out in this case is likely to create a high risk for the rights and freedoms of the persons concerned. This high risk arises, on the one hand, from the characteristics of drones, which are flying objects carrying a camera capable of filming in high resolution, anywhere and at any time. They are therefore capable of filming any person circulating in the public space, of following them and of processing intangible personal data such as their facial features. The risk arises, on the other hand, from the use made of drones by the Ministry of the Interior, in particular during demonstrations, occasions during which the political opinions, religious or philosophical convictions of people, or their trade union membership, are likely to be revealed. Finally, the risk is aggravated by the fact that the processing is potentially carried out without people's knowledge, since they are often not aware of the presence of drones, the activation of the camera and the capture of their image. This risk is further aggravated, in the present case, by the lack of information given to the persons concerned during the flights carried out.

45. The restricted committee noted that article 90 of the Data Protection Act specifies that this risk may also arise due to the use of "new mechanisms", which is indeed the case here.

46. Consequently, the restricted committee considers that the use of drones equipped with a camera gives rise to a high risk for the rights and freedoms of natural persons and that, therefore, it was up to the Ministry of the Interior to carry out an impact assessment relating to the protection of personal data.

47. The restricted committee noted that no impact analysis was carried out.

48. All of these elements show that the conditions for lawfulness of the processing operations are not met. The restricted committee therefore considers that breaches of articles 89 and 90 of the Data Protection Act have occurred.

2. On the failure to inform individuals

Under the terms of article 104 of the Data Protection Act, the data controller makes the following information available to the person concerned:

1° The identity and contact details of the data controller and, where applicable, those of his representative;

2° Where applicable, the contact details of the data protection officer;

3° The purposes pursued by the processing for which the data are intended;

4° The right to lodge a complaint with the National Commission for Informatics and Freedoms and the contact details of the commission;

5° The existence of the right to request from the data controller access to personal data, their rectification or erasure, and the existence of the right to request a limitation of the processing of personal data relating to a data subject.

49. As a preliminary point, the restricted committee notes that the Ministry of the Interior does not dispute the characterization of this failure, recalling only the commitments made to ensure, in the future, the information of the persons concerned.

50. The restricted committee noted that the departmental gendarmerie group of Haute-Garonne and the Cergy-Pontoise police station indicated, in their response to the questionnaire sent, that people were informed of the presence of the drone by a voice message inviting them to disperse. The Paris police headquarters indicated that no specific information system had been put in place.

51. It emerges from the answers provided that no information meeting the requirements of Article 104 of the Data Protection Act was communicated to the persons concerned.

52. The restricted committee notes that, although article 107 of the Data Protection Act allows, under certain conditions, restrictions on the rights of individuals and in particular on the right to information, these restrictions must be provided for by the act establishing the processing. In the present case, in the absence of any act establishing the processing in question, no limitation to the right to information could be provided for.

53. All of these elements show that the information provided to individuals, when it existed, did not meet legal requirements. The restricted committee therefore considers that a breach of article 104 of the Data Protection Act has been established.

III. On corrective measures and their publicity

54. Under the terms of III of article 20 of the law of 6 January 1978:

When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures:

1° A call to order;

2° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed € 100,000 per day of delay from the date set by the restricted committee; (…).

55. The rapporteur suggests to the restricted committee that a call to order be issued as well as an injunction to bring the processing into conformity with the provisions of the Data Protection Act. She also proposes that this decision be made public.

56. In defense, the Ministry of the Interior considers that the pronouncement of a corrective measure is not justified, a formal notice seeming sufficient in this case, and that publicizing any measure taken does not appear necessary. Finally, it considers that the injunction to cease the use of drones is not possible, this use now constituting an undeniable operational necessity.

57. The restricted committee considers that, in the present case, the aforementioned failures justify a call to order against the Ministry of the Interior for the following reasons.

58. The restricted committee notes the seriousness of the breach relating to the lawfulness of the processing operations, this failure depriving all the processing operations carried out of a legal basis. It also emphasizes that the data subjects were deprived of all the guarantees from which they should have benefited, in particular information relating to processing and the exercise of their rights.

59. It also notes the significant risks for the rights and freedoms of individuals, previously mentioned, linked to the possibility offered by these new devices to identify any person circulating in the public space, including in circumstances that may reveal particularly sensitive information, for example linked to their political opinions, their religious or philosophical convictions or their trade union membership.

60. It also notes that technological developments are making drones more and more discreet, with increased capturing capacities of their cameras, which give the Ministry of the Interior the possibility of flying its drones at increasingly high altitudes while maintaining an image with great precision. People are therefore unlikely to become aware of the processing carried out and the capture of their image.

61. Finally, the restricted committee considers that the improvement of technologies such as facial recognition could entail, in the future, even greater risks for individual rights and freedoms if they were coupled with the use of drones. It therefore considers that their deployment outside any legal framework should be severely sanctioned.

62. The restricted committee considers that the aforementioned elements also make it necessary for an injunction to be issued. In addition, the ministry having indicated during the meeting that it did not intend to renounce, including temporarily, the use of drones equipped with a camera, the pronouncement of an injunction constitutes the appropriate measure to ensure that it uses drones for this purpose only once a legal framework authorizing it has been adopted.

63. Finally, and for the same reasons, the restricted panel considers it necessary for its decision to be made public. It notes, on this point, that the public has demonstrated, over the past few months, a legitimate interest in matters relating to the processing of their personal data by the State. The publication of a sanction decision by the authority specially responsible for the protection of personal data thus appears fully justified.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

· Issue a call to order against the Ministry of the Interior for breaches of Articles 89, 90 and 104 of the Data Protection Act;

· Issue an injunction against the Ministry of the Interior to bring the processing operations referred to into line with the obligations resulting from Article 87 of the Data Protection Act, and in particular:

o for the purposes covered by Title III of the Data Protection Act, only resort to the collection of personal data by drones after the adoption of a normative framework authorizing the implementation of such data processing;

· Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the ministry by name after the expiration of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be appealed against to the Council of State within two months of its notification.