Who: JCDecaux and CNIL (the French Data Protection Authority
When: 16 July 2015
Law stated as at: 12 October 2015
What happened: The CNIL refused to grant an authorisation for processing personal data to JCDecaux, a multinational corporation specialised in outdoor advertising.
JCDecaux’s project was to set up a Wi-Fi pedestrian-tracking system by fixing to its advertising panels electronic devices capable of capturing smartphones’ MAC address routers within a 25 meters radius.
This system would have allowed JCDecaux to measure frequency rate, repetition rate, and other metrics by identifying pedestrians’ smartphones in order to offer to its clients accurate statistics concerning the number of pedestrians passing by its advertising panels.
The CNIL found that the project respected the purpose limitation principle and the data quality principle. Its purpose was to enhance JCDecaux’s advertising panels and optimise communication by using new technologies. The purpose was therefore explicit, specified and legitimate. Moreover, since the project was experimental and limited in time and space, the CNIL considered that the personal data processing involved would be adequate, relevant and not excessive.
However, the CNIL refused to authorise the project on two grounds. First, the CNIL held that JCDecaux was not using a proper anonymisation technique capable of protecting personal data. Indeed, to estimate the number of times a pedestrian is passing by the advertising panels, the company would have needed to cross-reference data.
Second, the CNIL noted that the electronic device would have automatically collected personal data of pedestrians located in the 25 meters perimeter carrying a smartphone with a Wi-Fi interface activated. The CNIL also observed that the A4 size sign notifying the data subjects about their rights would have been fixed on the advertising panel. Individuals walking through at a 25 meters distance from the panel would not see the sign. Therefore, the CNIL held that the collection and processing of personal data would be made without the knowledge of data subjects.
Why this matters: As announced in its 2015 program, the CNIL is currently focusing its control on audience/frequentation measuring systems.
In fact, one month after this decision, the CNIL published on its website recommendations on how to use frequentation measuring and behaviour analysis systems in shops in a manner consistent with the French Data Protection Act.
Just as in the present decision, the CNIL recommendations emphasise the importance of ensuring data subjects’ anonymity.
In this case, JCDecaux would have memorised smartphones MAC address router to determine how many times a single individual was passing by the same advertising panel. CNIL considered that the technique used was a pseudonymisation technique and not an anonymisation technique.
This was not a satisfactory method of anonymisation in the view of the CNIL since an identifier was usually matching only one data subject at a time. The natural person is therefore still likely to be identified indirectly. This rule has been previously asserted by the article 29 Working Party in its recommendations on anonymisation adopted in April 2014.