Image: CNIL.
This is a common practice in the CNIL. Each year, the data protection authority determines a list of priority topics for its controls, also driven by current events. Thus, in 2022 and in step with the times, the Commission has taken a close look at monitoring remote work.
This year, France will host two sporting events: the Olympic Games and the Rugby World Cup. These activities will give public authorities the opportunity to experiment with a new type of camera. The government has specifically passed a security law to allow the use of AI-enhanced video protection.
AI Cameras: Compliance with Expected Regulatory Framework
CNIL has never made a secret of its stance on these technologies and facial recognition in particular. The latter are also a priority in its strategic plan. Therefore, the authorities intend in 2023 to become the arbiter of the proper use of the so-called augmented cameras by statesmen.
This needs support, but also control, and this area has been identified as a priority. “This will allow verification of compliance with the regulatory framework by state actors,” CNIL reports.
The executive branch and legislators have not only new security ambitions. Health data is another policy area. In 2022, the government introduced the My Health space, nothing less than a “new revolution” for the ministry.
Medical records are also highly sensitive data. Thus, the growing digitization and aggregation of data in the healthcare ecosystem justifies increased vigilance. Therefore, as in 2020 and 2021, CNIL is giving this issue a high priority.
Complaints about unauthorized access to IPR
The audits will focus on methods of accessing the computerized patient record (DPI) in healthcare facilities. CNIL recalls that it initiated inspections in 2022. They will continue, including because of the complaints received.
With its services, citizens “report unauthorized third-party access to IPRs in healthcare facilities.” The CNIL will also review the “measures taken to ensure data security” – just as it will review banks’ use of the Personal Credit Incident File (FICP).
Mobile app publishers will also need to show their credentials. Recall that in 2018, CNIL had targeted publishers specializing in mobile and geolocation advertising. The sanctions and consequences for these participants were harsh.
However, this has not led to a consolidation of more general privacy practices in the mobile app sector. CNIL notes the “systematic use” of mobile OS advertising identifiers and the “massive use” of cookies that are not slowed down by cookie walls.
An excellent manager of third party cookies and their use on the web, Google is slow to act. Last year, the web giant again delayed their disappearance. Mozilla, tired of waiting, has just made the decision to ban them from Firefox on Android.
Mobile applications: stick and carrot
However, self-regulation is not enough. As such, CNIL deplores actions taken “often without the knowledge or consent of users”. The latest advice from the CNIL regarding cookies and other tracers was to change the trajectory.
Their publication was followed by checks. “CNIL will continue its inspections in 2023,” she warns. He also looks forward to working on best practices in mobile app development.
And if pedagogy and control are not enough, there are still sanctions. This strength of the CNIL has been reinforced by the GDPR. A few weeks earlier, the authorities had reminded that they did not hesitate to use this leverage when necessary.
In 2022, the Commission issued 21 fines and 147 legal notices. The total amount of fines for the year exceeded 100 million euros. At the European level, since the entry into force of the GDPR, fines amount to 2.5 billion euros.