Communication from the CNIL on its website
Each year, the CNIL decides to focus part of its controls on specific topics, in parallel with controls following complaints from individuals or current events. The authority has just unveiled the four themes that will occupy it in 2023: “augmented” cameras, mobile applications, bank files and patient files.
The term “augmented” cameras refers to devices that combine automated image processing software with cameras. The rapid development of processing software, often associated with an artificial intelligence system, has allowed augmented cameras to significantly increase their performance and multiply their use cases: tracking and detection of events or objects, automated recognition of biometric characteristics – leading to the identification of people, etc.
Conscious of this trend, the CNIL published a position paper in July 2022 on the conditions of deployment of these technologies.
A few months later, the CNIL decided to make it one of its priority control themes. It should be noted, however, that for this year the authority will limit itself to the use of augmented cameras by public entities. The lessons learned from the upcoming controls should however also be valuable for private companies wishing to develop this type of technology.
Tracking via mobile applications
Until recently, the CNIL had mainly focused on the tracking of Internet users through the use of classic web techniques, such as cookies. Since the beginning of 2023, however, the French protection authority has started to issue decisions concerning mobile identifiers (notably against Apple and the mobile game publisher Voodoo).
This topic will therefore be one of its priority control topics for 2023, so other decisions should be made public during the year. The mobile ecosystem has specific characteristics that require the implementation of significantly different solutions than in the classic web world, and therefore an adapted analysis by the CNIL.
The CNIL’s action in this context will focus on the “Fichier des Incidents de Crédit aux Particuliers” or “FIPC”. This file contains very sensitive information on payment incidents and must be consulted by banks in a certain number of cases – such as the granting of a credit. The proper use of this file, and in particular the accuracy of the data contained in it, is therefore particularly important in view of the consequences that registration in it has for individuals.
The CNIL announces that its controls will focus on the conditions under which banks access the file, extract information from it and keep it up to date.
Access to the computerized patient record (“CPR”)
In 2023, the CNIL will continue its action on this topic after several audits already carried out during the previous year. In particular, the authority has received several complaints about unauthorized third-party access to personal data in health care institutions.
The security measures implemented by healthcare institutions around the CPR should therefore be a crucial point of attention for the CNIL, which recalls that health data security is a very recurrent (and therefore important) theme.