Following a claim instigated in 2016, the CNIL (the French Data Protection Authority) has sent a formal notice to the Ministry of Higher Education, Research and Innovation, stipulating that the French public post-baccalaureate application and selection procedure is in breach of the French Data Protection Act (FDPA) and they must comply with the act within three months. The breaches are as follows:
- For non-selective training programmes, an algorithm automatically determines the assignment proposals given to the candidates. Article 10 FDPA stipulates that no “decision producing legal effects with regard to a person can be taken solely on the basis of an automated processing of data intended to define the profile of the data subject or to assess certain aspects of his/her personality”.
- Secondly, the candidates’ information stored on the portal is insufficient in the light of the requirements of Article 32 FDPA, with regards to the identity of the data controller, the purpose of the processing and the data subjects’ rights.
- Finally, the access procedure does not allow data subjects to obtain precise information about the algorithm and its functioning. Article 39 FDPA provides that data subjects exercising their access rights must be able to obtain such information. The General Data Protection Regulation (GDPR), which comes into effect in May 2018, contains a set of rules for automated decisions based on profiling.