12/11/2019France: Privacy Regulator Slams Speed Camera Practices
Lax security and overcollection of personal information by speed cameras threaten privacy, according to government watchdog.
The French government is violating privacy laws in its use of speed cameras according to a report released last week by an independent regulator. The National Commission on Informatics and Liberty (CNIL), whose members are drawn from the French parliament and other government agencies, concluded that serious reforms are needed to bring automated ticketing machines into compliance privacy laws requiring that personal data not be kept not longer than is necessary "for the purposes for which they are processed."
The commission's review found that the speed cameras operated by the Ministry of Interior maintained data on photo ticket recipients going all the way back to 2005, exceeding a specific regulation allowing such data to be kept for only ten years.
Data are also being kept on drivers who have done nothing wrong. Images of motorists are also being kept after the photos are taken by average speed cameras, which are usually installed on limited-access highways. These devices record the passing of all vehicles as they enter a particular stretch of highway. A second camera a certain distance, say two miles up the road, takes a second photograph. The device then derives a speed estimate based on the amount of time taken to traverse the known distance between the two cameras.
Average speed data on innocent drivers is supposed to be purged within 24 hours. Instead, officials have been storing that personal information for up to a year. The system has also been storing partial plate numbers from innocent vehicles for more than four years, contrary to the rules.
"The CNIL points out that partial registration plate numbers constitute personal data, provided that they are linked, as in this case, to a time stamp and the location of the section radar and are likely to be cross-checked with other data, in particular photographs concerning the vehicle and its passengers," Marie-Laure Denis wrote in his report. "Therefore, the 24-hour retention period applies both to complete registration plate numbers and to truncated registration plate numbers."
The commission also noted lax security measures that allowed the speed camera data systems to be easily compromised.
"The delegation noted three series of breaches, which could affect the security of personal data processing operations carried out in the context of section radar: a lack of robustness of passwords for connection to the [speed camera], unsatisfactory traceability of access, and inadequate management of access rights to the application by the Ministry of the Interior service provider," Denis wrote.
The commission ordered the Interior Ministry to revise its practices to come into compliance with privacy laws.
A copy of the report (in French) is available in a 300k PDF file at the source link below.