| |
| META TOPICPARENT | name="FirstPaper" |
|---|
| |
<
< | Minor League Snoops
The spying of the federal government on American citizens is well documented. The revelations of Edward Snowden have filled news archives with articles detailing the snooping of the United States government. This accepted and understood. To what extent though does an individual have to anticipate surveillance at a more local level? Is there a difference in the ability of local governments versus the federal government to spy on citizens and should one be more acceptable than the other? | >
> | *Data protection in France following the terrorist attacks in Paris: Nothing new under the sun*
Center text
| | | | |
<
< | The Dragnet
Earlier this year, it was revealed that police in Oakland California were employing Automatic License Plate Readers (ALPRs) to track license plates. The Electronic Frontier Foundation (EFF), which analyzed the data, found that as few as two patrol cars equipped with ALPRs were responsible for collecting 63,272 data points. On average, the EFF found that individual plates were recorded on average 1.3 times. With the sheer amount of plates being collected, it seems safe to say that this is not a targeted approach. The movements of individuals are being tracked with little regard for reasonable suspicion and for the sole sake of data collection. | | | | |
<
< | The Technology
According to the American Civil Liberties Union (ACLU), ALPR technology consists of high-speed cameras that capture license plates and then add and compare them to a growing database of previously recorded plates. The cameras may also more than just license plates, and sometimes record vehicle occupants and location. Oakland is not the only city to employ the technology, but they are among the most willing to divulge their use of the collected data. Police in Los Angeles have been reticent to be completely open regarding their use of ALPRs. A district court in San Diego ruled last year that the collection of license plate data did not constitute public information and that the holders of the information were not required to turn it over. The judge cited concerns that criminals could use the information to locate the ALPR cameras or areas of police investigation. | >
> | Introduction | | | | |
<
< | How is it Different?
Americans are accustomed to submitting to various forms of surveillance without a second thought. Many Americans have accepted that a camera may photograph them if they run a red light and security cameras are now just a fact of life. What can be said though, is that for the most part, these forms of surveillance are used only after the fact. Traffic violators are snapped only after they have run a red light and security footage is often used to identify criminals after they have committed a crime. On the other hand, ALPRs are used to actively create a database of not only who is on the road, but also where they are going. | >
> | The terrorist attacks that occurred in Paris between the 7th and the 9th of January 2015 have been called the “France’s 9/11” by certain international and French newspaper. If, from an operational point of view, these attacks largely differ from what happened in the United States in 2001, from a legal standpoint, however, they may trigger the same consequences, especially with regard to data protection. Indeed, the French government, as it has already mentioned, intends to reform several aspects of its national legislation in relation to data protection and has called for the European Union to act similarly. Listening at the speech of the French Prime Minister, one could not miss the references made to the Patriot Act enacted by the United States after 9/11. Although no legislative step has been undertaken yet, I believe that this situation deserves an overview. Therefore, I will consecutively address (i) the current French law on data protection and (ii) the purported reforms announced by the French government. | | | | |
<
< | Facial Recognition
The use of facial recognition technology further complicates the matter. It is not far fetched to imagine government authorities coupling ALPR technology with face recognition software to more precisely identify their targets. While it has always been hinted that license plates were not always the target of ALPRs, a Freedom of Information Act request by the ACLU on the Drug Enforcement Administration (DEA) revealed that in some cases, “Occupant photos are not an occasional, accidental byproduct of the technology, but one that is intentionally being cultivated.” In fact this pairing makes so much sense that some APLR manufacturers are already looking to incorporate facial recognition technology into their new models. This allows law enforcement to attach a current visual profile to the already large amount of information they are able to gather about an individual just from their automobile data. While there is some "research" going towards thwarting facial recognition software, it seems likely that the average driver will generally be defenseless against the tracking of ALPR cameras. | >
> | i. The current French law on data protection | | | | |
<
< | Just Don't be a Criminal
The much touted mantra of those that would have us accept government surveillance is that if we're doing nothing wrong, we have nothing to worry about. But even if this is assumed to be true, the specter of human error looms large. With courts deciding that citizens no right to know specifically what sort of data is being kept in databases | >
> | On 6th January 1978, France enacted the Law on Information Technology, Data Files and Civil Liberty. France was thus one of the first countries that adopted a law dealing with computers and freedoms. This law established the Commission Nationale de l’Informatique et des Libertés (“CNIL”), an independent administrative authority whose main goal is to ensure the protection of personal data. Since then, the Law of 1978 has been modified by the Law of 6th August 2004, which transposed the 95/46/EC Directive into national legislation.
The CNIL is one of the leading European authorities fighting for the protection of data protection. For instance, in its highly publicized decision against Google Spain on 13th May 2014, the European Court of Justice took up the economic approach adopted by the CNIL in its decision against Google on 3rd January of 2014.
Moreover, the French legal regime of data protection is of a criminal nature. Indeed, violation of the Law of 1978, as modified, may trigger fines up to ¤1,5 million for legal persons and up to ¤300,000 for natural persons as well as up to 5 years of imprisonment.
In addition, regarding the transfer of personal data outside the European Union, the CNIL, pursuant to the 95/46/EC Directive, has set out different procedures depending on the country to which personal data are transferred. Transfers of personal data to countries whose level of data protection are deemed to be equivalent to the European Union are easily accomplished by filing a form with the CNIL. However, it is strictly forbidden to transfer such data to countries where the level of protection is considered insufficient, unless the company undertaking a data transfer within its own structure has adopted Binding Corporate Rules or if the two companies that are parties to a data transfer have signed standard contractual clauses adopted by the European Commission.
The terrorist attacks in Paris have not called into question the missions or the existence of the CNIL. However, one could believe that the potential enactment of a purported French “Passenger Name Record” (“PNR”) system, as announced by the Prime Minister, would broaden the possibilities to collect, process and transfer personal data. | | | | |
<
< | Data Privacy | >
> | ii. The purported reforms announced by the French government | | | | |
<
< | Sharing | >
> | In fact, the purported adoption of a PNR system by France would be nothing more than a scam since this system is already in place. Not surprisingly, the speech given by the Prime Minister following the terrorist attacks was merely political. Indeed, Article 7 of the Law on the fight against terrorism of 23rd January 2006 expressly authorized the collect and process of PNR data even though “sensitive” data, as defined by the Law of 6th January 1978, could not be used. Thus, for instance, the use of data revealing what meals passengers ordered was forbidden. Although this article has been abrogated, an equivalent provision remains in force in France. Moreover, for a long time, the French Code of Customs has enabled customs officers to “require the submission of papers and documents of any kind, relating to operations of interest for their services, regardless of the medium”. Consequently, customs officers are authorized to collect PNR data.
Furthermore, the Prime Minister also mentioned that France was contemplating the adoption of a “French Patriot Act”. Considering the domestic and European obstacles that the government would have to surmount, the transposition into French law of a US inspired Patriot Act is not really on the agenda.
Nevertheless, a controversial step towards the reinforcement of mass surveillance has already been made through the enactment of the Law on military programming of 18th December 2013. Accordingly, where authorized by the Prime Minister, police officers are allowed to collect any electronic data and to intercept any electronic communications for the purpose of identifying and preventing – in real time – potential threats to the national security. Despite the apparent violation of both the right to liberty and security and the right to privacy enshrined in the European Convention on Human Rights and whose constitutional value has been established by the Conseil Constitutionnel (French Supreme Court), the latter has upheld the preventive aspect of the Law, as described above. This Law entered into force on 1st January 2015. Yet, this legislative arsenal did not prevent terrorist attacks. Stiffening mass surveillance did not work in the first place but it makes no doubt that further legislative steps in this direction will be taken.
Conclusion
Surveillance has certainly been strengthened since the terrorist attacks but French law on data protection has not been formally impacted yet. However, it would be naïve to believe that the assault on privacy is over. Here is the paradox: rather than reinforcing our liberties whose scope has been temporarily reduced by the terrorist attacks, the legislative reforms will follow the same path. |
|