May 25, 2021 marked the third anniversary of the entry into force of the General Data Protection Regulation. Driven by a desire to reform and standardize data protection rules while ensuring greater respect for the rights of data subjects, GDPR continues to pursue its goal of establishing itself as the benchmark text in the world of data protection.
The year 2020 was marked by a number of events: the Covid-19 pandemic, the invalidation of the Privacy Shield, etc. Many players have had to adapt to the various changes despite themselves. The year 2021 is also shaping up to be a landmark year in the field of Data Protection.
On this occasion, what were the key events of this year 2020? What are the challenges for 2021?
In its activity report dated June 2020, the CNIL presented a series of issues concerning the year 2020 with the objective of guaranteeing greater respect for the fundamental rights and freedoms of the persons concerned. In this sense, the CNIL wanted to increase its controls on the technical and organizational security measures implemented by data controllers when they are likely to carry out one or more processing operations involving health data. Similarly, certain technologies such as geolocation or facial recognition are becoming more and more common in the daily lives of citizens. The CNIL has therefore decided to supervise experiments with these technologies and to specify the points of vigilance that must be observed when using this type of tool.
It goes without saying that this retrospective of the year 2020 cannot be done without mentioning the impact that the Covid-19 pandemic has had, and in all sectors worldwide. The data protection field has not been spared and all players, the CNIL in particular, have had to adapt to the changes that were required.
Among the developments due to the pandemic, there was the question of the extent to which certain means of surveillance could be put in place in the context of the state of health emergency. In this sense, the development of the mobile application Tous AntiCovid (or Stop Covid) raised many questions as to how to combine public interest and massive surveillance of the population while preserving the rights and freedoms of everyone. On April 24, 2020, the CNIL ruled for the first time on the implementation of such a tool, specifying in particular that it should be “deployed as part of an overall health strategy” by providing “additional guarantees”, while stating that the application complies with the necessary conditions imposed by the General Data Protection Regulation. The CNIL ruled again on December 17, 2020 on the amendment of the decree of May 29, 2020 on the processing of personal data carried out by the Stop Covid application, in order to introduce, in particular, a device for recording visits to certain establishments receiving the public. On this occasion, the CNIL confirmed that this device allowed the fight against the Covid-19 epidemic while providing sufficient guarantees, necessary to ensure the proportionality of the device used with regard to the rights and freedoms of the persons concerned, while issuing a certain number of recommendations to avoid any misuse.
2020 was also an opportunity for many companies to review the way they work. Thus, the massive use of remote working was noticeable during 2020, due to the first quarantine measures having been implemented in March. This new practice has therefore allowed a number of risks to emerge, particularly related to security measures that can sometimes be difficult for employees likely to handle personal data to comply with, or in some cases, to the data subjects themselves, who may fall victim to certain abuses regarding the way their data is processed. To learn more, see our article on this topic.
Among the events that marked 2020, the invalidation of the Privacy Shield by the Court of Justice of the European Union on July 16, 2020 marks a turning point regarding the transfer of personal data outside the European Union.
Put in place following the invalidation of Safe Harbor in 2016, the Privacy Shield is an agreement between the European Union and the United States intended to ensure a sufficient level of protection, with respect to the requirements of the European Regulation, for the data transfers that may be made between them.
The invalidation of this text has had many consequences and raises several questions about the way in which personal data processing can be carried out in the absence of this protection shield. The European Data Protection Committee has provided the first elements of an answer as to how these transfers may be carried out.
Companies are therefore asked to be vigilant when transfers are made, and to ensure as required by Article 46 of the General Data Protection Regulation that “appropriate safeguards” are put in place. These may take the form of Standard Contractual Clauses to be signed by both parties, a Code of Conduct, or a certification mechanism approved by Article 42 “with a binding and enforceable commitment by the controller or processor in the third country to apply appropriate safeguards, including with respect to the rights of data subjects.”
As it does every year, the CNIL publishes a report outlining the previous year’s results and its objectives for the current year. Even though this year’s report has not yet been published, it is reasonable to expect that the CNIL will take a position on certain subjects that are likely to raise questions.
Returning to the application of the new rules on cookies and other trackers: April 1st, 2021 marked the day when the guidelines issued by the CNIL on October 1st, 2020 came into force. Data controllers have therefore had 6 months to implement all the measures necessary to ensure the compliance of their website. Some may have encountered difficulties, and certain maneuvers denounced by a good number of users may have been noted. Among them is the use of Cookie walls, the legality of which is subject to controversy. This practice aims to force the user to choose between accepting the deposit of cookies or … leaving the website in question. It was initially condemned by the CNIL in its decision dated July 4, 2019. But the Conseil d’Etat, in its decision rendered on June 19, 2019 following an annulment appeal made by a number of professional organizations, condemned the position of the CNIL, which was engaging in an “excess of power”. Other similar practices have been found to date, such as requiring users either to accept the deposit of cookies or to refuse them in return for payment of a sum of money intended to compensate for the losses associated with the absence of cookies, in particular advertising revenue.
Despite the fact that the CNIL’s position on this matter is very strongly linked to the provisions of the ePrivacy Regulation authorizing the use of such practices, it may nevertheless decide to clarify certain points.
Massive leakage of health data: As specified above, the CNIL’s plan for 2021 was to focus on the technical and organizational security measures framing the processing of health data likely to be carried out by Data Controllers. Coincidentally, in March 2021, nearly 500,000 people were victims of a massive leak of their health data. Following this, the CNIL published a number of recommendations for potentially affected individuals, for the purpose of guarding against the risks associated with this type of event.
Health pass and personal data processing: In December 2020, a vast vaccination campaign began in France in order to fight the Covid-19 pandemic. This led to the creation of a Health Pass allowing vaccinated individuals to benefit from more freedom, particularly when traveling. The pass is intended to be available through the Tous Anti Covid application and will also allow recipients to travel within Europe. Presented as non-mandatory, it will centralize certain documents such as negative test results, the Covid-19 recovery certificate or a vaccination certificate.
The CNIL validated the use of the Health Pass in an opinion dated April 23, 2021 through a new update of the Tous Anti Covid application. However, it specifies that the use of this Pass should only be done on a voluntary basis, while prohibiting the authorities from creating a database listing all the information that will be stored there. More generally, the authorities will not be able to access it, and the information transmitted by the persons concerned will always have to remain accessible to them, while respecting their rights. Some clarifications have also been made concerning the storage of this data, the use of which will have to be reduced to the strict minimum, without being kept after the control.
The question arises as to whether the use of this Pass will remain optional and whether, for reasons related to the state of health emergency, its use is likely to become mandatory, or a condition of access to certain places. Also, will the personal data accessible via the application remain as strictly limited as it is today? Is it conceivable that data such as the data subject’s social security number could be mentioned in the documents transmitted and accessible to the supervisory authorities?
Such measures would be likely to present an obstacle to the rights and freedoms of the persons concerned in the absence of very strict supervision by the authorities. The CNIL will have to take a new position if the operation of the Health Pass changes.