Blog: Chronicle of Data Protection | 20 May 2016

French DPA Announces 2016 Inspections Program Topics

The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet of Things (IoT) in the crosshairs.

In 2016, CNIL plans to conduct 400 to 450 on-site, online and records inspections.

A look into how the CNIL works: The inspections will break down as follows:

• Inspections related to the 2016 program topics will make up 25% of overall activity.
• Inspections initiated due to complaints addressed to the CNIL will make up 20% of overall activity.
• Verifications conducted following the CNIL’s written observations, notices or sanctions, or conducted on the CNIL’s initiative or related to subjects of current interest will make up about 35% of overall activity.
• Verifications of video surveillance and public video protection systems will make up 20% of overall activity.

• Health database: the CNIL plans to inspect the SNIIRAM, the National Information System Inter-scheme for Health Insurance (created in 1999). This French database contains several million pseudonymised records of requests for reimbursement of health costs (treatment forms, clinic bills, etc.). Collected data includes age and sex of patients, diagnosis of chronic illnesses, city and department of residence, date of death or reimbursed care details. This national database contributes to the improvement of management for health insurance and public health policies, quality of care and to information sharing with healthcare professionals. Inspections by the CNIL will ensure that data processing complies with French Data Protection Law, in particular regarding data security and pseudonymisation.
• Flight passengers’ data: the CNIL plans to inspect the API-PNR (Advance Passenger Information-Passenger Name Record) system. This system contains records of air travel information of flights to and from foreign countries in order to fight, amongst other things, terrorism and drug trafficking. It is managed by the Customs Ministry and may be accessed by police and customs services, as well as security and intelligence services. The CNIL was consulted when the system was set up and will review legal compliance in light of its previous opinions and requests for increased security measures.
• Data for marketing: the CNIL plans to exert greater control over data brokers. Businesses use personal data to maximize profitability and improve performance by analyzing their customers’ interests, behavior and habits. Marketing practices using such data are continuously evolving through the development of new methods of data collection. The CNIL declared that it will focus on those businesses that act as intermediaries or brokers between entities collecting personal data and entities using data for marketing purposes. As profiling becomes more and more accurate and relevant, the role data brokers play become even more critical in order to protect privacy rights. In this context, the CNIL will monitor compliance with obligations such as the relevance of data collected and the information provided to individuals, consents and the respect paid to rights set out in the French Data Protection Act.

This sweep will be performed during May 2016 and will cover health and well-being devices as well as devices people use in the privacy of their own homes e.g. connected fridges. The CNIL announced that the sweep will assess the quality of the information notices provided to users, the level of security for data flows, and the degree of user’s control over the use of his/her data (such as user’s consent, exercise of data protection rights, etc.). The results will be published in Fall  2016.