Each year, the French data protection authority, “CNIL”, conducts hundreds of investigations (345 in 2022) on the basis of complaints received, notification of data breaches, information conveyed by press or other media, but also annual priority topics set by the CNIL. These topics are the following for 2023.
- The use of “smart” cameras by public actors
The CNIL has made the use of “smart” cameras a priority in its 2022-2024 strategic plan, especially with the forthcoming of large-scale sporting events scheduled in 2023 (Rugby World Cup) and 2024 (Olympic Games).
The CNIL initiated a series of actions that include support for private and public players and has released its position on this topic on July 2022.
It now intends to verify compliance with the legal framework by public players.
- The use of the personal credit repayment incidents file
The Banque de France’s file on personal credit payment incidents (“FICP”) records information on payment incidents linked to overdrafts and loans granted for non-business purposes, as well as information on over-indebtedness. Banks are legally complied to check this file, especially before granting a credit.
Given that the information contained in this file may impair an individual’s ability to obtain a loan, the accuracy of the data and the limited retention period of such data are of vital importance.
Investigations will focus on the conditions under which banks access the file, extract information from it and keep it up to date after payment incidents have been cleared.
- Access to the patient’s electronic record in health care institutions
Security of health/medical data has been a hot topic for several years and has already been part of the CNIL’s priority topic for investigation in 2020 and 2021.
The CNIL already initiated checks on access to the computerised patient file (dossier patient informatisé, “DPI”) in 2022 and will continue to do so in 2023. This choice was made following complaints received by the CNIL about unauthorised third-party access to the patient file in health establishments.
- User tracking by mobile apps
This covers the tracking of user behavior for advertising, statistical or technical purposes based on some identifiers generated by mobile operating systems (such as Apple IDFA, IDFV, Google AAID, etc.) which is, most of the time, carried out without the information or consent of users.
As a reminder, the CNIL is also conducting work on good practices in the development of mobile applications.