On September 16, 2021, the French data protection authority – CNIL (Commission Nationale de l’Informatique et des Libertés) – issued a formal notice to School 42 for excessive video surveillance. This article will provide you with all the information you need to know about this incident.
What is CNIL?
CNIL is an independent administrative authority in France that is responsible for ensuring that data privacy law is applied to the collection, storage, and use of personal data. It was created in 1978 and has the power to investigate and sanction organizations that violate data protection laws.
What is School 42?
School 42 is a private computer programming school in France. It was founded in 2013 by Xavier Niel, a French billionaire businessman and entrepreneur. The school provides free education in computer programming to students aged 18-30.
What Happened?
CNIL received a complaint in March 2021 that School 42 was using excessive video surveillance on its premises. After conducting an investigation, CNIL found that the school was using 1,000 cameras to monitor its students and staff, including in areas such as classrooms, corridors, and restrooms. The cameras were equipped with microphones and facial recognition technology, which allowed the school to identify individuals.
CNIL found that this was a violation of the General Data Protection Regulation (GDPR), which requires organizations to limit the collection and use of personal data.
What is the GDPR?
The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It came into effect on May 25, 2018, and replaced the 1995 Data Protection Directive. The GDPR aims to give individuals greater control over their data and to harmonize data protection laws across the EU.
What Was CNIL’s Response?
As a result of its findings, CNIL issued a formal notice to School 42, ordering it to stop using the cameras and to delete all personal data collected through them. The school has three months to comply with the notice. If it fails to do so, CNIL may impose a penalty of up to 20 million euros or 4% of the school’s global annual revenue, whichever is higher.
What Does This Mean for Other Organizations?
This incident serves as a reminder to all organizations that use video surveillance to ensure that they are complying with data protection laws. They should only use cameras where necessary and proportionate, and should not collect more data than they need. They should also inform individuals that they are being monitored and provide them with information about the purpose of the surveillance and how the data will be used. Failure to comply with these requirements can result in significant penalties.
Conclusion
The CNIL’s formal notice to School 42 is a clear indication that data protection authorities are taking the GDPR seriously and are willing to enforce it. Organizations that violate data protection laws can face significant penalties, which can have a serious impact on their reputation and financial stability. It is therefore essential that all organizations take data protection seriously and take steps to ensure that they are complying with the law.
FAQs
What is CNIL?
CNIL is the French data protection authority that is responsible for ensuring that data privacy law is applied to the collection, storage, and use of personal data.
What is the GDPR?
The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area. It aims to give individuals greater control over their data and to harmonize data protection laws across the EU.
What was School 42’s violation of the GDPR?
School 42 violated the GDPR by using excessive video surveillance on its premises, which included 1,000 cameras equipped with microphones and facial recognition technology. This violated the GDPR’s requirement to limit the collection and use of personal data.
What was CNIL’s response to School 42’s violation?
CNIL issued a formal notice to School 42, ordering it to stop using the cameras and to delete all personal data collected through them. The school has three months to comply with the notice.
What are the penalties for violating the GDPR?
Organizations that violate the GDPR can face penalties of up to 20 million euros or 4% of their global annual revenue, whichever is higher.
How can organizations ensure GDPR compliance?
Organizations can ensure GDPR compliance by only using cameras where necessary and proportionate, informing individuals that they are being monitored, providing them with information about the purpose of the surveillance and how the data will be used, and not collecting more data than they need.
