On January 12, 2021, the French Data Protection Authority (Commission Nationale Informatique et Libertes – the “CNIL”) held that the French Ministry of the Interior (the “Ministry”) was unlawfully processing personal information through the use of drones equipped with cameras. These drones were being used to monitor the public’s compliance with containment measures and public demonstrations. The Ministry was ordered to cease all drone flights until authorized by a legal framework.
In this decision, the CNIL makes a clear statement that regulating mass surveillance initiatives is a major challenge for the preservation of our rights and freedom as citizens.
1/ The facts
In March 2020, the press revealed the use by the police of drones equipped with cameras to ensure compliance with Covid-19 containment measures. In response, the CNIL sent a letter to the Ministry in April 2020 requesting clarity on the features of these drones and their usage. In May 2020, the CNIL further decided to carry out investigations on how the drones functioned. It found that these drones were also used for the surveillance of demonstrations, for crime investigation such as the surveillance of drug trafficking, or for the surveillance of street racing. In July 2020, the CNIL carried out a test flight on one of the drones used. The drones were able to capture high-resolution images with zoom capabilities that can magnify the image up to twenty times: this test clearly demonstrated that the people filmed by this type of device were likely to be identified.
The CNIL was of the view that the Ministry did not have any legal basis to process personal data collected by the drones. Based on this view, the CNIL initiated a sanction procedure against the Ministry.
On 21 July 2021, the sanction committee of the CNIL considered the matter. It held that the processing qualified as a processing of personal data subject to the French Data Protection Act. It found that the Ministry had indeed breached several obligations of the French Data Protection Act, which embeds the terms of the General Data Protection Regulation, 2016. The CNIL’s findings are discussed below.
2/ Qualification as a processing of personal data
Any processing such as the capture, transmission, modification or consultation relating to the image of persons who can be identified constitutes processing of personal data.
The European Data Protection Board (“EDPB”) recently recalled, in its Guidelines 3/2019 of 29 January 2020 on processing of personal data through video devices, that “Systematic automated monitoring of a specific space by optical or audio-visual means, mostly for property protection purposes, or to protect individual's life and health, has become a significant phenomenon of our days. This activity brings about collection and retention of pictorial or audio-visual information on all persons entering the monitored space that are identifiable on basis of their looks or other specific elements. Identity of these persons may be established on grounds of these details.”
If the identity of persons could not be established based on the information collected, the processing would not qualify as a processing of personal data. However, the flight test performed in July 2020 clearly showed that persons can easily be identified by the technical means used.
The Ministry further argued that it had developed a blurring mechanism so that people cannot be identified in the footage. However, this mechanism cannot be performed directly by the drone. Images containing personal data are therefore collected, transmitted and processed by the Ministry before the blurring is performed. In addition, this mechanism does not necessarily prevent the identification of people since the services of the Ministry can deactivate the blurring.
3/ Lack of legal basis for processing
The French Data Protection Act provides that the processing of personal data implemented by the State, to prevent or detect criminal offenses, to conduct investigations or to guard against attacks on public security, must be provided for by an Act or a Regulation.
To date, there is no text which authorizes the Ministry to use drones equipped with cameras capturing images on which people are identifiable.
4/ Non-performance of a Data Protection Impact Assessment
A Data Protection Impact Assessment (“DPIA”) must be carried out when such processing presents a high risk for the rights and freedoms of individuals.
The CNIL explains clearly why the use of drones to capture footage in public spaces presents such a risk:
- Features of drones, which are flying objects carrying a camera capable of filming in high resolution, anywhere and at any time. They are therefore able to film any person moving in public space, to follow them and to process intangible personal data such as their facial features.
- Use of drones, in particular to monitor public demonstrations, during which the political opinions, religious or philosophical beliefs of persons, or their trade union membership, are likely to be revealed.
The CNIL further explains that the risk is aggravated by the fact that the processing is potentially implemented without the knowledge of the people: most of the time, they are not aware of the presence of drones, the activation of the camera and the capture of their image.
The CNIL emphasizes that further development of technologies such as facial recognition could pose great risks to individual rights and freedoms in the future if coupled with the use of drones. Their deployment outside of any legal framework should therefore be severely sanctioned.
The Ministry neither performed a DPIA nor informed the public about the use of drones as required by law.
5/ Failure to inform the data subjects
The CNIL recalls that the controller should inform the data subject of the processing. While restrictions can be justified in certain instances, for example for police investigation operations, these restrictions should be clearly stated in the legislative act or decree authorising the processing.
The Ministry did not inform the data subjects of the processing and failed to comply with relevant obligations of the French Data Protection Act.
6/ The sanction
The CNIL cannot impose fines on the State, but it pronounced a Notification of the Law and demanded that the Ministry cease all drone flights until a regulatory framework authorizes such processing of personal data. This decision is applicable to the use of drones by all law enforcement departments acting under the authority of the Ministry, throughout the territory, and whatever the aims pursued.