French Ministry of Internal Affairs – Violation Found (France, 2019)

A speed camera calculates the average speed of a vehicle with checkpoints placed on the road equipped with an automatic vehicle licence plate recognition system ("LAPI"), which records car plates and the exact time cars passage. If the maximum speed limit is exceeded, the LAPI automatically sends the data to the relevant public authority which then sends a fine. Thus, these speed cameras process data on all the vehicles passing by the checkpoints, regardless of their speed. This information constitutes personal data on the drivers. Therefore, these devices must comply with the GDPR and the French law "Informatique et Libertés". The CNIL carried out investigations focusing on the data collection and on the implementation of the principle of data protection by design and default. The CNIL ordered the Ministry to comply with Article 24 and 25 GDPR regarding the collection and further processing of personal data linked to vehicles flashed by automatic speed cameras. First, It found that the mechanism used for the processing of the driver’s personal data did not guarantee a sufficient level of security. Secondly, it found that the personal data were stored beyond the time limits provided for by the Order for the creation of automated control system database on 13 October 2004.