In a summary addressed to the Minister of the Interior and published Thursday, February 10, the Court of Auditors points out a number of shortcomings in the Paris video protection plan. The body considers the device “expensive” and “unsuitable”, and recommends that the police headquarters of the capital review the legal framework of video protection, in order to draw the consequences of the evolution of European regulations relating to the protection personal data.
The public-private partnership contract signed in 2010 with the company IRIS PVPP, a subsidiary of Ineo and Citelum, and valid until 2026, was initially concluded for 225.1 million euros. But it reached 343 million euros at the end of 2020, and should double, in the long term, compared to the initial budget, to rise between 433 and 481 million euros, alerts the Court of Auditors. According to the report, these additional costs are linked to a set of additional needs that are looming, such as artificial intelligence (video intelligence) and the 2024 Olympics.
The Prefecture of Police has installed 1,000 cameras in public spaces in Paris since 2010. From 2015, the project changed in dimension, after the attacks in the capital, moving to nearly 4,000 cameras in its own right and more of 37,000 interconnected cameras in Ile-de-France.
A total of six recommendations make up the report. The Court of Auditors raises a certain number of criticisms concerning the uses. She describes that “the lack of evaluation of the effectiveness and efficiency of the Paris video protection project (PVPP) has persisted since 2010, while its geographical distribution and its uses could be improved”. The Prefecture of Police has, for example, “neither aggregate data on these uses nor indicators to assess their effectiveness”, beyond certain “emblematic” cases, indicates the report. Added to this is a distribution of cameras deemed unequal, since the Court of Auditors notes that the deployment of the surveillance device is concentrated “in the central districts of Paris” as well as the “main axes of circulation”, and less in “the most criminogenic areas of the capital”.
A legal framework to be reviewed with regard to the GDPR
In fact, the Court of Auditors observes that, at the end of 2020, the network consisted of 3,762 own cameras, 1,482 shooting sites, and 37,800 cameras accessible by interconnection. Overall, the images are used by nearly 4,600 active and authorized agents, spread over 85 operating sites, within a regional perimeter made up of its own interconnected fiber optic network.
For the Court of Auditors, the video protection plan in Paris, as it has been deployed for 12 years, must now be the subject of a more “explicit” strategy. In its report, the body recommends the establishment at the level of the Paris police headquarters of “strategic-level governance involving monitoring of the project by the prefect, general secretary of the administration, and bringing together the departments of support and the active directions of the prefecture”.
The report also returns to the legal framework of the project deemed “unsuitable”. According to the Court of Auditors, this would not take into account developments in technologies and practices, since the framework “has not yet drawn the consequences of the new legal framework relating to the protection of personal data which entered into force in May 2018”. Like the CNIL previously, the Court of Auditors recalls in this respect that “the partitioning between the video protection regime and that of the protection of personal data must be called into question”. In a deliberation of January 26, 2021 providing an opinion on a bill relating to global security, the CNIL explained that “many provisions of the internal security code (CSI), which constitutes the general legal framework in this area, are obsolete since the evolution of the regulations on the protection of personal data which took place in 2018”. The CNIL pointed out in particular in this respect that these provisions do not “allow data controllers to know the actual status of their obligations in this area, nor the data subjects to know how to exercise their rights”.
Better regulate internal controls
On the aspect of technologies for the automatic processing of video streams, the Court observes that the Prefecture of Police has launched “a few experiments”, without their results being “up to expectations”. Thus, “the potential of the PVPP, which makes it possible to increase the surveillance capacity tenfold, at a much lower cost than with human resources, has not been fully exploited”, she writes.
Finally, the Court of Auditors points the finger at a “lacunary” internal control. It indicates that “the departmental commission of video protection, in which the prefect of Police is both the petitioner and the person in charge of the authorization, does not exercise a posteriori control and this cannot be based exclusively on the CNIL” . In addition, risk analysis “is still lacking”, underlines the report, which recommends a better distribution of roles between the different actors and recommends that the police headquarters equip itself with automated tools in order to “better help in the detection of non-compliant uses”.
Questioned by AFP, the police prefecture declared that it had already committed to the implementation of certain recommendations of the Court, in particular to “strengthen the system of steering, governance and control of video protection”.