CNIL to investigate data privacy in contactless payments and digital health

Out-Law News | 01 Jun 2015 | 5:23 pm | 2 min. read

The data protection authority in France is to review whether the use of contactless payments technology in the country respects consumers' privacy.

Data protection law expert Annabelle Richard of Pinsent Masons, the law firm behind Out-Law.com, said the Commission Nationale de l'Informatique et des Libertés (CNIL) will probably scrutinise retailers and the providers of contactless payments technology most closely in its review.

"CNIL is likely to be interested in the type of data that is being collected through contactless payments systems and whether the collection of that data is proportionate," Richard said. "CNIL will also want to ensure that sensitive payment data is not retained or is securely protected from hackers and that consumers' right to object to the processing of their data via contactless payment systems is being observed."

"Data security in contactless payments is another issue CNIL will be concerned with and it will have a number of questions for companies about the steps they are taking to keep the sensitive account details of consumers private," Richard said. "In the UK, the information commissioner has said that companies that breach industry standards on payment card data security (PCI DSS) can be said to be in breach of UK data protection laws. An outcome of the CNIL review into contactless payments might be some equally clear warnings for the retail sector in France."

The review of contactless payments is one of a number of priority areas CNIL has said it will monitor in 2015. Other areas that will be scrutinised by the watchdog will include the way in which French employers process the personal data of staff when assessing their stress risk.

Data privacy in a digital health setting will also be monitored by CNIL. It said it would look at the way devices, health and wellbeing mobile apps, and other online services are being used to monitor people's behaviours, and at whether the sharing of information in the digital health "ecosystem" is occurring with people's consent.

"If CNIL's review into privacy in the health and wellness sector reveals widespread issues and failings then an option open to it would be to issue new guidance on what it expects from organisations operating in this market when they are processing personal data," Richard said.

Other priority areas of CNIL's "control program" for 2015 will include a review of the technologies being used to measure footfall in public places. CNIL said that organisations, such as shopping centre managers, are tracking shoppers through their mobile devices to establish their movements so as to "monetise advertising space", among other things.

CNIL said it also intends to carry out checks of some of the businesses that had adopted binding corporate rules (BCRs) to govern the transfer of personal data outside of the European Economic Area. The checks will "provide insight into the impact of [BCRs] in relation to the protection of personal data and respect for privacy within the groups concerned", it said.

"Data protection authorities have always kept a close watch on the way businesses facilitate international transfers of personal data, but CNIL's plans promise to shine more of a light on the way businesses keep themselves compliant with the BCRs they have adopted following the complicated process of setting up the privacy protections to win approval for BCRs in the first place," Richard said.

In total, CNIL said it plans to carry out 550 inspections of organisations' data protection practices in 2015, up from 421 last year. The majority of the inspections, 350, will be physical audits; in a quarter of those 350 cases, CNIL's focus will be on privacy practices relating to video surveillance and the use of CCTV devices. The other 200 cases will be remote privacy audits.