France’s National Commission for Data Protection (CNIL) has taken measures against the Ministry of the Interior after identifying what it considers failures in the adequate maintenance of its computerised fingerprint database (FAED).
The privacy watchdog has issued a series of injunctions to the ministry to bring data protection and privacy compliance to FAED. Issues identified by the authorities include apparent illegal storage of data, poor file management, and a lack of information provided to persons whose data is kept on the system.
The Automated Fingerprint File, or FAED, was created in 1987 and collected the fingerprints and palm prints of people implicated in investigations. It also amassed data relating to their civil status. More than 6.2 million people are included in the database, according to a parliamentary report from 2018.
In a decision published on Thursday (30 September), the CNIL criticised the Ministry of the Interior for keeping data not provided for by the legislation. This included the names of victims, license plate numbers of suspects, and the data of people who were no longer considered suspects.
The decree on FAED provides that the data entered may be kept for 10, 15 or 25 years, depending on the nature of the offence and its seriousness. The rules also state that authorities must delete fingerprints and data in the event of a final decision to acquit or dismiss the case.
CNIL noted that at the time of its investigation in 2019, “more than two million records were kept beyond the retention periods provided for by the applicable provisions.”
The supervisory authority also indicated that several million signalling sheets were still kept in paper format in a “manual file”, although the digitalisation of FAED was initiated in 1987.
In the absence of a legal basis for this paper format, CNIL asked the interior ministry to destroy these “seven million ‘signalling’ cards” – even though the information contained in them falls within the legal timeframe.
CNIL said that the State notified it in July 2021 “that more than three million cards had been deleted since the controls were carried out to comply with the old retention periods.”
As regards the “manual file”, the four-year period promised for its destruction by the State “cannot be accepted, given the age of the cards concerned, the duration of the breach and the nature of the data concerned,” the CNIL added.
“Such a disaster in the management of this file is not surprising when we see how other files, notably the TAJ [Traitement d’antécédents judiciaires, Processing of criminal records], are managed and the right to erasure flouted,” stressed Bastien Le Querrec from La Quadrature du Net, contacted by EURACTIV.
He called for “a rethink of police powers, including the use of such files” in the face of the multiplication of these “files without real control”.
Lack of security and information
CNIL also pointed the finger at the ministry for the lack of security of the file, having noted that police can access the database using a password consisting of just eight characters. It also noted a lack of transparent information given to the individuals whose data is stored on the system.
“The persons whose data is processed in the FAED may not even know that the processing exists when, as in the present case, they are not directly informed either at the time of collection of the data or at the time of the decision”, the CNIL emphasised in its deliberation.
It considers this a breach of French law, which provides that persons whose personal data is processed must be informed of those responsible for the processing and its purposes.
The ministry is urged to comply by 31 December 2021 at the latest – except for the deletion of the “physical file”, which must be done by 31 December 2022. The law also provides that the CNIL cannot impose a fine on the State.
[Edited by Luca Bertuzzi/Alice Taylor]