French Data Protection Authority Unveils 2010 Inspections Report

Posted on March 22, 2010 by Hunton & Williams LLP

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

  • ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
  • verifying that data controllers comply with the technical recommendations defined in their registration forms; and
  • assessing the effectiveness of data protection officers within organizations.

The CNIL also intends to focus on certain business sectors and concerns, such as:

  • the airline industry, including customer relations (customer databases, mileage programs, “no-fly” lists, passenger name record data), airport security (body scanners, cameras in airports) and biometric passports;
  • the real estate industry, including the collection of personal data by real estate agencies, test screenings, blacklisting and discriminatory practices;
  • the protection of minors, including verifying the collection of personal data about minors, particularly in the context of direct marketing to minors by online merchants; and
  • the use of closed-circuit television (“CCTV”) for video surveillance, including verifying that such surveillance systems comply with the Data Protection Act and respect the privacy rights of individuals.

In 2009 the CNIL conducted 270 on-site inspections, representing a 27% increase over 2008.  According to the CNIL, this increase in inspections and more effective enforcement is a result of a strengthening of the CNIL’s powers in 2004.  Of the 270 inspections, 22% led to warnings or sanctions and 85% of the inspections targeted private sector entities.  The CNIL also noted that 92% of the organizations it inspected had not appointed a data protection officer.

More information about the CNIL’s agenda for 2010 may be found (in French) on the CNIL’s website.
Tags: , , , , , , , , , , , , ,

UK Airports Implement Compulsory Use of Full Body Scanners

Posted on February 9, 2010 by Hunton & Williams LLP

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators. The privacy policy should include as a minimum:

  • rules regarding the location of the equipment;
  • a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
  • a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as, gender, age, race or ethnic origin);
  • a prohibition on copying or transferring the images in any way;
  • instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
  • a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago. The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children. Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study. This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission. A report, or any specific legislative proposals, have yet to be published.   
 
The use of scanners has been discussed previously in France and Germany. In France, the proposal was dropped due to privacy concerns. The German Data Protection Commission  has indicated it  believes the machines infringe on the privacy of both adults and children, but the German news outlet Spiegel Online recently suggested that the machines may yet be installed in German airports following tests by Germany’s federal police. 

Meanwhile, in a Canadian report published in March 2009, the Ontario Privacy Commissioner,  Dr. Ann Cavoukian, approved the usage of the screening technology, commenting that as long as the scanners “incorporate strong privacy filters … [they] can deliver privacy-protective security.”
 
The British Department of Transport will continue to develop the Interim Code of Practice. The Department has announced that it will launch a full public consultation on the requirements relating to the use of scanners as set out in the Interim Code of Practice, and it will publish a Final Code of Practice later in the year. In the meantime, it is likely that additional airports in the UK and elsewhere in Europe will subject travelers to full body scans. 
 
Tags: , , , , , , , , , , , , ,