The French Data Protection Authority (the CNIL) published its assessment of the first four months of GDPR and several guidelines, including one on how to make a GDPR-compliant blockchain.
The CNIL just published its latest newsletter (n°14, dated 25 September 2018) with:
- initial results of its factual assessment of the implementation of the EU General Data Protection Regulation (GDPR) in France and in Europe; and
- interesting developments about its latest series of guidelines on social network posts, blockchain, personal data access requests, and consent:
  - Guidelines on responsibility using blockchain and personal data: in these guidelines, the CNIL proposes concrete solutions to use blockchain with appropriate data protection safeguards;
  - Helping tool on how to delete embarrassing posts on social networks: the CNIL provides links to help individuals report embarrassing publications on social networks and delete them;
  - Guidelines for controllers on answering personal data access requests from data subjects: the CNIL provides advice to companies on how to respond to a data subject access request and underlines that data subjects need not always provide a copy of their identification card;
  - Guidelines for controllers on obtaining consent from individuals: the CNIL recaps the key principles for valid consent and the strengthening of the data subject rights under the GDPR.
The CNIL’s assessment on four months of GDPR
The CNIL posted a review of its activity since the General Data Protection Regulation came into force, four months ago. The French authority is broadly positive about the implementation of the GDPR in Europe and in France. The CNIL’s positive response surrounding the new EU regulation is attributed both to an enthusiastic reception by citizens and to the impact of the Cambridge Analytica scandal raising awareness about the necessity of protecting personal data.
Over a period of four months, the CNIL reports that it has received more than 600 data breach notifications (an average of seven per day since 25 May 2018), and that the number of complaints has gone up 64% compared to last year. The CNIL also takes note of the strong European cooperation between data protection authorities, as evidenced by the eighteen guidelines adopted by the European Data Protection Board (“EDPB”, formerly known as Article 29 Working Party) and the seven that are under preparation (regarding territorial scope, data transfers, and video surveillance).
During those four months, there have also been major developments in French law regarding Data Protection. On 4 July 2018, the new Data Protection Act and, one month later, its implementing decree, came into force. The Data Protection Act and its implementing decree have been amended to bring French law fully in line with the European legal framework, namely the GDPR and the “police-justice” Directive. The new Data Protection Act mainly exercises some of the “national leeway” authorised by the GDPR and gives the CNIL more power to carry out its missions.
Since the Data Protection Act’s implementation, the CNIL has been very active in guiding French citizens on how to comply with the new legal framework and warning them about threats from new technologies:
- For instance, in a letter dated 19 September 2018 the CNIL urged the legislature to initiate a parliamentary and democratic debate in order to regulate new uses of CCTVs and video software, particularly with regards to public order and law enforcement, including by using Big Data analytics. The CNIL is of the opinion that these new uses must be balanced out with interests of national security and the protection of individual rights and freedoms.
- The CNIL also launched a public consultation on the future regulation on the use of biometric data in the workplace, open until 1 October 2018. The use of biometric data is generally prohibited, but the new French Data Protection law allows for biometric access control devices to be set up by employers provided they comply with a model regulation. This model regulation must be drawn up by the CNIL “in consultation with the public and private bodies representing the stakeholders concerned.” The amended draft, taking into account all the comments received, will then be submitted to the CNIL’s Commission for approval.
The CNIL is not set to slow down as many more projects are underway. These projects include publishing a list of processing operations that require a data protection impact assessment (DPIA), producing a number of codes of conduct specifically regarding cloud-based systems and medical research, creating a “MOOC” to help individuals familiarise themselves with GDPR and writing a number of guidelines and briefing notes in various areas. Some of these projects have already been published at this time, as set out below.
Highlights of the most recent CNIL guidelines and helping tools
1) Guidelines on responsibility using blockchain and personal data
After receiving queries from actors (public and private) from the healthcare and financial sectors, the CNIL is tackling the issue of responsible use of blockchain and sets forth in its guidelines concrete solutions to those who wish to use blockchain in conjunction with personal data:
- The CNIL advises that personal data, whether it is participants’ and miners’ credentials or additional data (“the payload”), should be recorded in the blockchain preferably in the form of a cryptographic commitment scheme. The CNIL is of the opinion that the essential players in a blockchain must be assigned responsibilities under the GDPR. In that respect, natural persons whose processing is related to a professional or commercial activity, and legal persons who register personal data, can be regarded as controllers. In contrast, “smart contract” developers, who process personal data on behalf of the participant, and miners, who validate the recording of personal data, are to be regarded as processors within the meaning of the GDPR.
- Since the GDPR applies when blockchain involves personal data, a specific analysis of the situation is required. The CNIL highly recommends conducting a DPIA in order to assess the necessity and proportionality of such technology and the potentially dangerous ways it may involve processing of personal data. The choice of whether to use blockchain or what kind of blockchain to use can have a great impact on threats to fundamental rights caused by processing personal data (and the risk of infringing GDPR). Therefore, the CNIL asks controllers to choose carefully, and to favour a blockchain based on permission (“Permissioned Blockchain”), as it enables a better control on personal data, especially with regards to transfers outside the EU.
These guidelines are meant to be reassuring, with the CNIL insisting that blockchain technology and the protection of fundamental human rights are not antagonistic or mutually exclusive. Blockchain can be used positively and can help consolidate data protection and data subject rights. In fact, some characteristics of blockchain can be used to fulfil requirements under the GDPR: for example, it can provide evidence of consent or of the processing operations undertaken on data. Blockchain can also allow certain rights to be exercised effectively, such as the right to be informed, the right of access and the right to data portability. However, there are some obvious obstacles regarding the exercise of other rights, such as the right to rectification, the right to erasure, or the right to object to processing. In these specific cases, if the data entered in the chain is a commitment, a digest from a keyed hash function, or ciphertext produced with state-of-the-art algorithms and keys, the controller may make the data almost unreachable (by destroying the off-chain key or secret it depends on) and come close to the GDPR requirements regarding full erasure of data. The same technique can be used for the right to rectification, where the rectified data must be recorded in a new block of the chain and the old data must be made unreachable. The CNIL also insists that implementing adequate security measures is key to protecting personal data embedded in the blockchain.
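The erasure and rectification technique described above, as an added illustration that is not the CNIL's own code or any specific blockchain implementation: the chain holds only a keyed-hash commitment, the personal data and a per-record random key stay off-chain, and "erasure" means destroying that key so the on-chain digest can no longer be linked to anyone. All names (`CHAIN`, `OFF_CHAIN`, `record`, `erase`, `rectify`) and the sample record are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed model, not real blockchain code: an append-only list stands in for
# the chain, and a dict stands in for the controller's off-chain store.
CHAIN = []        # append-only: each "block" holds only a commitment, never the payload
OFF_CHAIN = {}    # record_id -> (key, data); this is the only place data can be deleted


def commitment(key: bytes, data: bytes) -> str:
    """Keyed-hash commitment: without `key`, the digest reveals nothing usable about `data`."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def record(record_id: str, data: bytes) -> int:
    """Keep key and data off-chain, append only the commitment; returns the block index."""
    key = secrets.token_bytes(32)            # fresh 256-bit key per record
    OFF_CHAIN[record_id] = (key, data)
    CHAIN.append({"id": record_id, "commit": commitment(key, data)})
    return len(CHAIN) - 1


def verify(block_index: int) -> bool:
    """Show that a block commits to the off-chain data; impossible once the key is gone."""
    block = CHAIN[block_index]
    entry = OFF_CHAIN.get(block["id"])
    if entry is None:                        # key destroyed: the digest is unreachable data
        return False
    key, data = entry
    return hmac.compare_digest(block["commit"], commitment(key, data))


def erase(record_id: str) -> None:
    """'Erasure' on an immutable chain: destroy key and data, leaving an orphaned digest."""
    OFF_CHAIN.pop(record_id, None)


def rectify(record_id: str, new_data: bytes) -> int:
    """Rectification: make the old data unreachable, then commit the corrected data in a new block."""
    erase(record_id)
    return record(record_id, new_data)


if __name__ == "__main__":
    i = record("patient-42", b"name=Alice;dob=1990-01-01")   # constructed sample payload
    j = rectify("patient-42", b"name=Alice;dob=1990-02-01")
    print(verify(i), verify(j))              # old block no longer verifiable, new one does
```

Note that the old block's digest remains on the chain forever; the technique only removes the controller's ability to link it back to the person, which is why the text says "almost unreachable" rather than erased.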
2) Helping tool on how to delete embarrassing posts on social networks posted by others
On 17 September 2018, the CNIL published useful links for requesting, in a timely manner, the deletion of personal information published by other Internet users. The French data protection authority made available on its web page all the hyperlinks that can be used to report a publication, or ask for it to be deleted, on social media platforms such as Twitter, Instagram, Facebook, Snapchat, LinkedIn, YouTube, and Dailymotion. Under the French Data Protection law and its right to erasure, social networks must delete the post as soon as possible and at the latest within one month. This may be extended to three months, subject to the company explaining the reasons why it needs the extension. Failure to do so may result in proceedings before the CNIL. The CNIL also recommends that data subjects exercise the right to be forgotten and ask for the dereferencing of the publication in search engine results.
3) Guidelines for controllers on answering personal data access requests from data subjects
Because of high-profile privacy scandals, people have become more aware of the necessity to protect their personal data and they are now more than ever exercising their rights regarding their personal data. The CNIL thought it would be useful for controllers to refer to specific guidelines to meet data subjects’ expectations.
The French Data Protection Act and the GDPR allow anyone to access data concerning them. The person who wants to access his or her personal data must ask for it or have someone ask on his/her behalf (mandate). The person must be able to prove his/her identity (or both identities in case of a mandate) but the CNIL’s guidelines specify that the controller may request further evidence if there are “reasonable doubts” about the identity without necessarily requesting a copy of the data subject’s identification card.
The CNIL notes that while the right of access is free, the controller may request payment of a “reasonable fee based on administrative costs” for any additional copy requested by the data subject, or if the request is clearly unfounded or excessive. Furthermore, access requests may be made on site or in writing (by post or electronically). The CNIL insists that requests must be dated and recorded and the person must be handed a receipt. The information should be communicated in the same medium as the request unless the person wishes otherwise, and, above all, in a secure manner (using encryption or passwords).
The CNIL also emphasizes the importance of deadlines. Controllers must answer within a maximum period of one month, either granting the request for access or deciding to extend the deadline by two months. The CNIL warns of the specific deadline applicable to health data, set at a maximum of eight days following the request and a minimum of 48 hours. If the information is more than five years old, the period is extended to two months (Article L. 1111-7 of the French Public Health Code).
The controller may refuse to honor access requests if the requests are unfounded or excessive (in particular because of their repetitive nature), or if the data no longer exists or access to it has been made impossible. The controller must give reasons for its decision and inform the data subject of the remedies and time limits provided to him/her to appeal against that decision.
4) Guidelines for controllers on obtaining consent from individuals
Consent is one of the legal bases provided for by the GDPR authorising the processing of personal data. Although not systematically required, consent is imposed for certain processing operations (to conduct sales prospecting by e-mail for example). Following the entry into force of the GDPR and the French Data Protection Law, consent obtained and collected before 25 May 2018 must be “refreshed” in order to fully satisfy the legal requirements set out below.
Because consent is so often required to subscribe to and use services, the CNIL warns in its guidelines that consent must be collected under specific conditions, particularly online, in order to ensure its validity. The CNIL identifies four cumulative criteria for consent to be validly obtained: consent must be free, specific, informed, and unambiguous.
The CNIL insists on being more mindful when confronted with consent of minors (in France, children aged fifteen or over can consent on their own) and fully automated data processing (which requires explicit consent).