CNIL authorizes experimental concert in Paris after a request for authorization, due to the processing of sensitive data.
As governments worldwide endeavour to reopen and boost economies affected by the COVID-19 pandemic, attempts are being made at hosting mass crowd events, something which has been disallowed in many countries since the start of the pandemic. Last month, we wrote about the CNIL of France’s opinion on the use of “vaccine passports” for admission into mass crowd events. The Authority addressed the aspects of privacy and protection of personal data, much of which would need to be processed in order to make this operation functional or successful. Due to the volume of personal data to be processed, authorization was sought from the CNIL, by the AP-HP for the hosting of an experimental concert, studying the risk of spread of COVID-19. The CNIL has given its support to the execution of this exercise for research purposes, reiterating the importance of ensuring compliance with the GDPR and Data Protection Act.
This experimental concert is part of a clinical trial studying the risk of contamination of COVID-19 in crowd settings.
This clinical trial consists of two groups of people, an experimental group of 5000 people who would be in attendance at the concert and a control group of 2500 people who would not be at the concert. The aim of this study is to analyze the transmission of COVID-19 in a large-scale gathering or mass crowd event in an enclosed room, with the application of specific health protocols. The concert, which was scheduled for May 29, is seen as the first attempt at the return of standing concerts in France. Similar concerts have taken place in other European countries like Spain, and these events are expected to give researchers and officials an idea of how safe it truly is to reintroduce mass crowd events to everyday life in a post pandemic society.
Due to the volume of personal data to be processed in the execution of this clinical trial, CNIL was asked for authorization.
The research conducted by the hosting of this experimental concert involved the processing of sensitive data from a large number of participants. During the study, the participants had to take several COVID-19 screening tests, the results of which were centrally stored. Participants had the option of uploading proof of a recent and negative screening test result online, or of presenting a hard copy. In addition participants from the experimental group attending the concert were filmed throughout the process, using smart cameras, in an effort to assess the circumstances under which concert attendees were less likely to respect mask mandates. Each participant was individually informed on the manner in which the study would be carried out, and their consent was obtained in writing, in advance of the study, ensuring that their consent was free, specific and informed. Participants were specifically expected to consent to participating in the research in general, and also to being recorded. This consent could have been withdrawn at any time without justification.
CNIL was in full support of this initiative, giving authorization the very day the request was received.
CNIL, considering the challenges that have been faced by entertainment professionals in France for the duration of the pandemic, has given its support to this experimental concert. The authority reiterated the importance of compliance with the GDPR, and data protection regulations, as well as guarantees for the protection of individual rights and freedoms. This concert is one of many research projects which have benefited from legal and technical support from the CNIL during this health crisis. Many of these projects have been authorized in less than two days in order to meet specific deadlines, with a total of 117 medical research authorizations issued by the CNIL on COVID-19 during the pandemic.
AEPD fines EDP Comercializadora, S.A.U 1.5 million euros for two violations of the GDPR.
EDP Comercializadora, S.A.U, an electricity service provider in Spain has been fined for two violations of the GDPR. The company was found to lack sufficient technical and organizational measures to verify whether someone signing up for its services on behalf of another natural person is indeed authorised to do so, or authorised to process personal data on behalf of the other person. The AEPD also found that in some cases, the company was not providing data subjects with sufficient information related to the processing of their personal data, just by the nature of the informational document provided to data subjects, and the method of providing information. A total of 1.5 million euros in fines was imposed on the company for these violations, in accordance with GDPR Article 83.
AEPD fines EDP Comercializadora, S.A.U €500,000 for a violation of article 25 of the GDPR.
Article 25 (2) of the GDPR addresses the requirement for the implementation of appropriate technical and organisational measures for ensuring the protection of personal data, from the point of collection and throughout the use and storage of this personal data.In addition, the regulation states “In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” EDP Comercializadora S.A.U was found to lack sufficient measures to avoid and mitigate the risks associated with the processing of personal data in instances where the service is being registered for by a third party. The company was found to lack the technical and organizational measures required to verify firstly, whether a third-party who hires its service on behalf of another natural person has authorization to perform this contracting, as well as whether they are authorized by that person to process personal data on their behalf. In accordance with article 83 (4) (a), the supervisory authority imposed a fine of €500,000 for this infringement.
An additional 1 million euro fine was imposed by the AEPD.
Article 13 of the GDPR outlines comprehensive and specific information to be provided to all data subjects at the point when personal data is collected from them. This information is all required to be provided by the data controller to every data subject from whom data is collected and processed. Upon review of the document provided to data subjects by the controller, EDP Comercializadora S.A.U, information was found to be lacking regarding the controller, the legal basis for processing not based on consent, the purposes of processing relating to profiling on the basis of legitimate interest, and the possibility to object to processing activities that the controller bases on its legitimate interest. In addition, in some of the company’s procedures, for example contracting the company’s services by telephone, the method of access to the information required by the data subject was not simple and immediate. For this, a fine of €1,000,000 was imposed by the AEPD.
The CNIL issues it’s opinion on the implementation and use of vaccine passes for admittance to mass crowd events in France.
As the world aims to resume somewhat normal activity during the global COVID-19 pandemic, France is considering the use of the vaccine passes or green passes for admission to mass gatherings of at least 1000 persons. This suggestion comes in an effort to re-open certain establishments and resume certain activities, while minimizing the risk of contamination from the virus. These green passes, as with the ones for travel, will include information related to the COVID-19 vaccine, a negative COVID-19 test, or proof of recovery from the virus. While they were originally developed to facilitate travel with more ease during the pandemic, the Government of France seeks to take the opportunity to use them for access to mass crowd events, in an effort to resume those activities much sooner.
The CNIL makes it clear that these passes are not to be used beyond the health crisis.
The CNIL wishes that it be made clear that these passes are intended only for use during the pandemic and it will definitely be of a temporary nature. In acknowledging the unprecedented nature of an initiative like this and the implications that it may have for the lives of individuals, the Authority wants it to be made clear that this measure is meant for the specific purpose of dealing with the current health crisis and should only be used for as long as its purpose is applicable to the COVID-19 pandemic. In addition, the CNIL requests that the impact of this system on the health situation be monitored, studied and documented at regular intervals and on the basis of objective data, in order to determine whether public authorities should continue its use.
The CNIL would like guarantees that the use of these passes is limited to mass crowd events.
While the authority acknowledges the functionality of these passes for admittance into mass crowd events, CNIL would like to make it clear that in the interest of respect for the fundamental rights and freedoms of persons, these passes should be limited to those mass crowd events for which they are intended. The Authority wants to ensure that the use of these passes excludes places that relate to the daily activities of the population like restaurants, workplaces, shops, etc. In addition these passes should not be used for admission to any venue linked to certain usual manifestations of fundamental freedoms (in particular the freedom to demonstrate, to organize political or trade unionists and to freedom of religion). The CNIL notes that the particular exclusion of these passes and the prohibition of their use in these spheres is likely to minimize any implications of the use of this system on the rights and freedoms of individuals. CNIL also believes that there should be further clarification and transparency on the qualification of the events where the use of these passes would be considered appropriate, and measures ensuring that the passes are not used in places and events which do not meet those qualifications.
The CNIL would like to ensure that the use of these passes does not result in discrimination, and protects the personal data of individuals.
In order to avoid discrimination, the CNIL is stressing the need that these passes be accessible to all. This includes ensuring that passes are available on paper as well as in digital format. It is also important to ensure that there is no discrimination based on the type of evidence presented in these passes, whether it be evidence of vaccination, a negative COVID-19 test, or recovery from the virus. Due to the sensitive nature of the information used for these passes, it is very important to make special considerations for limiting the disclosure of health information of individuals. The CNIL therefore suggests the implementation of a solution which would make it possible to limit access to persons authorized to verify the certificates. In addition, the Authority believes that these verifications should result in a color code (green or red color), along with the identity of their holder, so as not to reveal whether the individual has been vaccinated, tested, or recovered from a previous infection with COVID-19.
The children’s code transitionary period, which saw its inception on 2nd September 2020, ends in less than 6 months. All online services are expected to be in compliance with this code by September 2021.
Last year, we reported that the Children’s Code, then known as the Age Appropriate Design Code was about to come into effect on September 2, 2020. Since then, we have been in a transitionary period during which all online services are expected to come into compliance with this code. The ICO has just released a statement urging businesses to ensure that they are in full compliance by the end of this transitionary period, in less than 6 months.
This code is a statutory code of practice laying out 15 standards which are aimed at ensuring children’s best interest online.
The Children’sCode lays out 15 standards to ensure that children’s best interest is at the forefront. These standards include principles governing the best interest of the child, data protection impact assessments, age appropriate application, transparency, detrimental use of data, policies and community standards, default settings, data minimization, data sharing, geolocation, parental controls, profiling, knowledge techniques, connected toys and devices, and online tools. During this transitionary period, online services are expected to take steps to bring their services into full compliance with this code, ensuring that all principles are considered and that their services support the rights of the child.
This code applies to any online product or service likely to be accessed by children and is not limited to only those aimed at children.
This code will apply to every online service that is likely to be accessed by children. This means that not only are services made for children expected to come into compliance but every service that may be accessed by children will need to as well. Online services may take a risk based approach to recognizing the age of their individual uses to ensure that the standards in this code will be applied to child users. Unless the age of the individual users can be established with a level of certainty, this code should be applied to all users on the platform.
The ICO has launched initiatives to detect businesses’ readiness for compliance with this code, as well as educating and sensitizing on the topic of the children’s code.
The ICO recently conducted a survey to gauge general understanding of the age-appropriate design code. Some 500 services were part of this survey from which findings show, so far, that about 75% of businesses are aware of this code. The ICO has set up what is called the Children’s Code hub with a range of resources for organizations to understand the code and to know whether they are in the scope of it. The regulator has also been holding webinars and will also be hosting a workshop at the Festival of UX and Design 2021 to help raise awareness within the design community and explain how this code can be applied to innovative projects. The ICO has also launched a call for transparency champions which will consist of organizations, designing projects using privacy information in a way that is tailored to children’s understanding.