At the start of the week, during a press conference, the mayor of Nice and President of the Nice Cรดte d’Azur Metropolis, Christian Estrosi, claimed to have received authorization from the CNIL to begin facial recognition experimentation during the carnival period.
However, on Tuesday, February 19, the CNIL provided numerous details about this matter in a series of nine tweets. Contrary to the enthusiastic claims made during the press conference, the organization is much more skeptical and cautious about the experimentation of the Anyvision solution on a panel of volunteers.
Here are the main remarks from the CNIL:
- Regarding the implementation of this experiment, it confirmed having received a letter from the city of Nice dated February 1. In a spirit of assisting with compliance, only one meeting was organized within a very tight schedule.
3โฃThe @CNIL regrets the urgency with which its services were solicited, as these circumstances are not conducive to a thorough analysis of the projected system. #Nice06
โ CNIL (@CNIL) February 19, 2019
- From a more legal standpoint, biometric systems are no longer subject to prior authorization by the CNIL since the implementation of the General Data Protection Regulation (GDPR).
As a reminder, the GDPR is a European regulation in effect since May 2018. It aims to harmonize the governance of personal information within the member countries of the European Union, especially in terms of securing and protecting personal data held by companies. - The commission reminds that the experimentation mainly relies on the consent of the volunteers (it must be free and informed). It also specifies that Nice cannot go beyond a simple test.
6โฃThe @CNIL recalls that, under the current framework, the projected experimentation cannot go beyond a simple test. Indeed, if the system were actually used for security/prevention purposes, the “Police/Justice” directive of 04/27/16 would apply instead of the GDPR.
โ CNIL (@CNIL) February 19, 2019
The mentioned directive is part of the Law on Information Technology and Liberties since 2016 and establishes rules regarding “the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention and detection of criminal offenses, investigations and prosecutions, or the execution of criminal penalties, including protection against threats to public safety and prevention of such threats,” according to the CNIL. The experimentation in Nice would therefore follow this directive, which is a separate field from the GDPR.
- The consent of individuals cannot constitute legal grounds for data processing under this Police/Justice directive. For this, a decree from the Council of State or a law would be necessary.
As can be observed, the debate around personal information, its storage, and collection is far from over. One can imagine that if facial recognition is successfully implemented in Nice (despite a somewhat questionable method of implementation), significant legal changes could occur.
