NEWSLETTER No 37 // Thursday 27 April 2023
|
|
|
|
The 2024 Olympic and Paralympic Games: Impact of the new regulation on personal data and privacy
|
|
|
|
This month, La Lettre de la DPO interviewed Jean Martinot, vice-president of the Cercle de la Donnée (an independent and interdisciplinary think tank producing forward-looking reflections on data and digital technology) and Frédéric Le Corre, a specialist in the sports ecosystem and co-founder of Whimup, a social fan-experience platform. They have provided La Lettre du DPO with their views on the major challenges in terms of personal data protection resulting from the provisions of the law relating to the 2024 Olympic and Paralympic Games, and the future of sports content broadcasting in the digital world.
An event of colossal scale, the success of which requires flawless organisation and legal supervision. Just over a year before the start of the Olympic and Paralympic Games, which will be hosted in France from 26 July to 8 September 2024, and following the adoption of a first law relating to the organisation of the Olympic and Paralympic Games on 26 March 2018, a second law relating to the Games has just been passed in order to supplement the measures already adopted. This law aims to adapt certain provisions of French law, including the Civil Code, the Internal Security Code and the Sports Code. As a result, it presents major challenges in terms of personal data protection and privacy, in particular by enabling (i) the reinforcement of the anti-doping mechanism by authorising, under certain conditions, the examination of genetic characteristics or the comparison of the athlete’s genetic fingerprints in the context of anti-doping analyses, and (ii) the implementation of all the necessary means to ensure the security of the Games, such as body scanners at the entrance of certain events or automated video-protection devices in public places.
Are the new devices aimed at ensuring the security of major events or restricting liberties? The law creates an experimental framework allowing the use, under certain conditions, of algorithmic processing of images captured by video protection systems or drones that include artificial intelligence systems, known as “augmented” or “smart” cameras. Their purpose will be the automatic analysis, by means of algorithms, of images in real time in order to detect and report predetermined events likely to threaten the safety of persons. Even if guarantees are provided by the law to limit the risks of data breach (no processing of biometric data, no reconciliation with other files or automatic decision, etc.), some actors, such as the general assembly of the National Bar Council or a group of international organisations, are opposed to the introduction of automated video protection that this law will allow - and for good reason! The mere presence of these CCTV devices in areas accessible to the public could indeed have a negative effect on the willingness and ability of people to exercise their civil liberties, for fear of being identified, spotted or even wrongly prosecuted. It is therefore legitimate to wonder whether security provisions, under the pretext of “guaranteeing security”, might not have the undesirable effect of “restricting liberties”.
“Augmented” cameras: a priority topic for the CNIL in 2023. The topic of “augmented” cameras has been of interest to the CNIL for some time, as it had already included it as a priority in its strategic plan for the period 2022 to 2024. Having taken a position on this technology in July 2022, and given the fact that the use of such a device will not only be planned for the Olympic Games in 2024 but also for the Rugby World Cup that will take place from 8 September to 28 October 2023, the CNIL has decided, for 2023, to make this subject a priority for its controls in order to verify compliance with the legal framework by public actors.
This law has been referred to the Constitutional Council and will be supplemented by decrees. The text was adopted by Parliament on 12 April 2023, and more than sixty deputies referred it to the Constitutional Council. The procedure is ongoing, and some provisions may therefore be repealed or be subject to reservations of interpretation. Several Council of State decrees, most of which will be issued once the CNIL has given its opinion, are then expected to define the conditions and procedures for applying numerous articles of this law.
|
|
|
|
“The ‘traditional’ model of broadcasting sports content via television will be balanced out in favour of legal OTT (over-the-top) streaming platforms”
|
|
|
|
Frédéric Le Corre (a specialist in the sports ecosystem and co-founder of Whimup, a social fan-experience platform) goes back in detail, for La Lettre du DPO, on his career and provides his views on the future of sports content broadcasting in the digital world.
|
|
|
|
1/- What is your background and and what led you to take an interest in digital technology and data?
I have a postgraduate degree in Sports Economics (Grenoble University) and a business school diploma (Brest). I am an avid fan of sports and have built up my career in the sports ecosystem. Within para-public structures, I have led multi-business missions for the organisation of major events in France (World Cycling Championships in 2000, World Athletics Championships in 2003, Rugby World Cup 2007) and on an international level (European Figure Skating Championships 2003, Winter Olympic Games 2006 in Italy, Asian Games 2006 in Qatar, FIFA Club World Cup 2009 in Abu Dhabi, World Swimming Championships 2010 in Dubai, CAN (African Cup of Nations football championship) 2012 and 2017 in Gabon). I have also worked in consulting and marketing agencies (Marketing Manager at Havas Sports Italy and Project Director at Keneo).
During the organisation of the last CAN football championship, I was appointed General Coordinator of the event (4 venues and +350,000 spectators). It was then that I became aware of the gap existing in the fan experience between what we proposed and the potential that digital technology could generate in terms of commitment and monetisation. But between the maturation of the idea and the development of a solution to this problem, a few years have passed...
After taking over and consolidating two digital advertising companies, I co-founded Whimup with a team of partners having complementary profiles. It is a social fan-experience platform, with the aim of addressing the issues outlined above! Our promise is to put fans at the heart of the action by gamifying their experience and generating new revenues for clubs. It is this project that led me to take a closer interest in digital technology and data.
2/- What are your responsibilities and the missions you carry out, in particular at the moment?
Released, since the beginning of this year, from dealing with the operational side of the Wijoo group co-founded in 2019, of which I am president, I am seeking opportunities to grow and diversify. For Whimup, I took over the start-up after a period of maturation and development of the commercial concept. More specifically, I am currently approaching professional clubs to present them with the prototype that came out at the beginning of the year. The groundwork has been laid for a market launch of the application in July this year, at the start of the 2023/2024 season.
We are currently in the process of contracting our first club clients, recruiting our first team members to complete the team already in place, and have launched the fundraising process. We have three priority issues:
- to demonstrate the relevance of commitment mechanisms through gamification of the experience;
- to monetise the target audience of digital fans through soft levers and the distribution of innovative virtual items;
- to enhance the data generated within the application.
The digital world and the targeting of Generation Z constantly lead to new thinking and a certain number of daily challenges that we have to confront with our legal framework.
3/- How do you see the future of the digital economy, in particular as regards the distribution of content?
I think that the “traditional” model of broadcasting sports content via television will be balanced out in favour of legal OTT (over-the-top) streaming platforms, for various reasons:
- the overabundance of advertising in downtime, which could be filled by entertaining or higher value-added content (statistics, short video clips, etc.) ;
- the cost of accessing sports events televised on traditional channels;
- the need of younger generations to consume sport differently (“snacking”, “zapping”, “scrolling”, etc.);
- the emergence of new platforms that offer quality sports content (level of visual and sound production, level and reputation of journalists and consultants, etc.) and affordable subscriptions (e.g. Amazon, with the French Ligue 1);
- the possibility via the Internet of easily integrating content generated by other channels (online games, fan interaction, statistical tools, targeted advertising, etc.).
In a few years’ time, the proportion of people watching the Olympic Games or the Football World Cup on their smartphones is expected to exceed television audiences, thanks to enriched content and permanent quality access to content (5G coverage with no latency and reduced energy consumption).
We can even envisage a new revolution in the consumption of sporting events when fan-generated and already experimental player-generated content will be distributed via these platforms (the activity of which is increasingly regulated, notably by the Digital Markets Act (DMA) and the Digital Services Act (DSA) which limit the economic domination of the large platforms and the online distribution of illegal content and products) and will generate new forms of interaction. In any case, this is the bet we are making at Whimup!
|
|
|
|
“DIGITAL TECHNOLOGY FOR SECURING THE 2024 OLYMPIC GAMES: AN AMBIVALENT PATH!”
|
|
|
|
Jean Martinot is Vice-President of the Cercle de la Donnée, an independent think-tank bringing together professionals interested in the uses of data beyond its technological dimension, and producing in-depth reflections on its impact on people and the world around them. He currently chairs a working group dedicated to “the footprint of data on living things”.
An avid fan of technology and sport, with an engineering degree and 25 years of competitive gymnastics experience, Jean Martinot currently works for a sports federation where he is the Information Systems Manager (ISM) and Data Protection Officer. Involved with his federation in the preparation of the 2024 Olympic Games, he has agreed to share his views on this subject with La Lettre du DPO.
The difficult reconciliation between past legacy and legal imperatives in the European Union.
“The Olympic Games have gradually become highly computerised and, more importantly, since the London Olympics in 2012, such computing has migrated to cloud infrastructures. These technologies are now ubiquitous and some digital operators have established themselves as official providers, such as the Alibaba platform, which notably hosts the file containing data on people accredited to access sports events taking place during the Olympic Games (in particular police officers). Indeed, chosen in 2019, the Chinese group was entrusted with providing ticketing services for the Winter Olympics held in Beijing in 2022, which, according to some, imposed it as the supplier for the Paris 2024 Olympics and for a broad scope since Alibaba also hosts the applications of the OCOG (Organising Committee of the Olympic Games). This legacy has given rise to bitter discussions, since the GDPR, which applies to data collected in the context of the Paris 2024 Olympics, prohibits transfers outside the European Union, in particular to China, unless they are very strictly regulated contractually and technically or if the recipient country has legislation deemed sufficiently protective in this respect. On this point, for so long as China does not decide to change its regulations, the hosting of European data on Chinese territory will raise difficulties, which is why, for the time being, some people feel it is necessary to entrust the hosting of this data to a European operator.”
In the face of growing and unprecedented threats to a sporting event, digital technology is both the antidote and the poison.
“To secure vast areas that will host an unprecedented influx of people, more than 13 million tickets are on sale and 600,000 people are expected on the banks of the Seine for the opening ceremony, with police and security personnel who, themselves, are not limitless, the authorities are counting on the use of new technologies: smart cameras (i.e. equipped with facial recognition devices), drones, etc. While these technologies will often increase the control and investigation capacities to fight insecurity, they will also contribute to increasing the attack surface. Indeed, the large quantities of data collected in this context are accessible remotely, which facilitates the task of malicious third parties, or even simply increases the likelihood of human error, which could lead to a data leak or loss. This type of incident can ruin reputations or prevent a sporting event from running smoothly. In this way, in an increasingly connected world, cybercrime is becoming an extension of crime. This is why the deployment of these technologies, during a global event such as the 2024 Olympic Games, must be accompanied by extensive digital protection and investigation resources to prevent cyberattacks but also to provide a cure for the victims thereof.”
|
|
|
|
The CNIL's priority topics for 2023, issues with high stakes for data subjects
|
|
|
|
In 2023, the CNIL will focus on four new areas of control. The first subject is the use of "augmented" or "intelligent" cameras by local authorities, which will have to ensure strict compliance with the regulations, notwithstanding the security imperatives that motivate their installation. The deployment of these cameras is a major issue for the people concerned, especially in the run-up to the 2024 Olympic Games. The second issue is the use of the credit incident file (overdrafts, loans and over-indebtedness), which banks must consult before granting credit to an individual. The CNIL reminds us that, since registration in this file is likely to deprive people of a loan, the accuracy of the data contained therein is essential, and that it will focus its controls on access authorisations to the file and its regular updating after financial incidents have been resolved. The management of health records is once again one of the CNIL's priority issues as the computerisation of patient data continues. Lastly, the fourth and final topic focuses on the tracking of users by mobile applications for the purposes of advertising, statistics and the implementation of technical tools. Like cookies for websites, the CNIL wishes to control these identifiers set up by applications, often in violation of the regulations, as the users have neither consented nor even been informed.
|
|
|
|
Geolocation: CNIL sanction against CITYSCOOT
|
|
|
|
On 16 March 2023, the CNIL imposed a penalty of 125 000 euros on CITYSCOOT, a company specialising in the rental of self-service electric scooters for short periods. During the inspection, which was carried out as part of the CNIL's priority inspections for 2020, it was found that the company was collecting geolocation data from the scooter every 30 seconds during its rental period and was keeping a record of the journeys made. CITYSCOOT was thus sanctioned for having, on the one hand, failed to comply with its obligation to minimise the data collected, as an identical service without almost permanent geolocation of customers could be offered. On the other hand, it is accused of failing to comply with the obligation to contractually control the processing carried out by a processor in accordance with Article 28 of the GDPR. Lastly, the CNIL reproached CITYSCOOT for having failed in its obligation to inform the user, and to obtain his/her consent, for the use of the reCAPCHA mechanism provided by GOOGLE. On 7 July 2022, the CNIL sanctioned UBEEQUO, a short-term car rental company, because it also geolocated its vehicles almost permanently.
For more information, click here
|
|
|
|
Data security: update of the CNIL guide
|
|
|
|
On 3 April 2023, the CNIL announced the update of its “guide to security of personal data” which recalls, through 17 factsheets, the basic precautions that should be systematically implemented as well as the measures intended to further strengthen data protection. The main updates concern factsheets n°2 “Authenticating users” (to include the notion of password entropy and to abandon the obligation to renew passwords for “classic” user accounts), n°4 “Tracing operations and managing incidents” (to include details on logging), n°12 “Supervising IT developments”, and n°15 “Securing exchanges with other organisations”, to take into account the changes and recommendations published by the CNIL on these subjects throughout the year.
|
|
|
|
Tuesday 23 May 2023 from 1.30 pm |
|
|
|
The CNIL has organised a conference to mark its 45th anniversary on the theme of “Acting for a responsible digital future”.
|
|
|
|
This Speakers (researchers, lawyers, journalists and representatives of public and private organisations) will discuss the evolution of IT tools over the last 45 years, the history of the first French independent administrative authority created by the 1978 Data Protection Act, but also the prospects and innovations to come.
It is possible to follow this event online by registering here.
|
|
|
|
The Intellectual Property and Digital Law Team at klein • wenner
Fortified by in-depth experience, klein • wenner's attorneys in the Intellectual Property and Digital Law Team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law. We work with other experts (in cybersecurity, SI/data governance and other areas), and our team offers a global, cooperative approach to all issues relating to data (privacy, intellectual property, cybersecurity and open data - *with klein • wenner's Public Law team).
|
|
|
|
La Lettre du DPO is a publication of klein • wenner which processes your data in accordance with the regulation regarding personal data. To learn more, click here
|
|
|
|
|
|
|
|
