Open access internet and free WiFi are ubiquitous. For many denizens of the mobilesphere, especially in urban environments, telephone networks are relics.
It’s therefore not surprising that the French Data Protection Authority (the “CNIL”) recently audited providers of open access Internet services and Wi-Fi hot spots.
Nor is it surprising that many providers are not compliant with French data protection law. In a statement issued on December 22, 2014, the CNIL released a checklist of data protection must-haves:
1. User traffic data can only be retained if useful for the investigation, identification or prosecution of criminal offenses.
In no case are providers authorized to collect the content of users communications, data related to that content, or information consulted by users. If such content or information has been retained it must be deleted.
2. Data retention periods must be limited and proportionate.
Traffic data can only be retained for one (1) year as from collection. Other data (e.g., subscription information) must be regularly deleted if no longer required, such as when a user cancels her subscription or following a long period of inactivity.
3. Users must be provided adequate information about processing of their personal data.
Providers must inform users, through registration forms, publicly displayed notices, IT policies etc., how and by whom their data will be processed. Providers must also implement procedures to manage user requests to access, correct and delete their data.
4. Any tools to monitor users must be compliant with French law.
These tools — such as to ensure workstation security — may provide providers with access to data that are not relevant considering the purpose for which they were collected (e.g., login, password, bank account number). Providers should thus avoid using these tools.
5. Providers must ensure data privacy and security.
In particular, providers’ agreements with network operators must include data security clauses (see Cnil’s sample confidentiality clause here).