France: CNIL requests comments on recommendation of remote monitoring of exams
The French data protection authority ('CNIL') requested, on 1 December 2022, public comments on the Recommendation on Modalities for the Implementation of Remote Monitoring Devices for Online Exams. In particular, CNIL highlighted that increased usage of remote monitoring of exams has become more commonplace, noting in a factsheet that higher education institutions must not use monitoring systems that disproportionately infringe on the privacy of their students.
More specifically, the Recommendation outlines that the implementation of a remote surveillance system, as effective as that carried out on the premises of an exam, would imply the use of particularly intrusive monitoring systems. Accordingly, the Recommendation notes that an establishment deciding to use a remote monitoring solution is responsible for the processing that will be implemented, and for testing the devices envisaged for remote monitoring circumstances that may affect monitoring systems effectiveness.
Notably, the Recommendation provides that exams should be held in a dedicated room under human supervision, and that taking tests remotely, should be an option to students, rather than an obligation. On this, the Recommendation details that the use of remote exams, if compulsory, should be reserved for specific cases taking into account the nature of the test, the interest of students, and context. Moreover, the Recommendation considers that the use of remote exam monitoring systems should not be more effective than in person monitoring, and should not guarantee an equivalent level of monitoring.
In addition, the Recommendation considers the appropriate legal basis to be determined on a case-by-case basis, and that consent cannot be considered as a valid legal bases when the test can only be taken remotely, as students cannot refuse the processing of data related to their examination without suffering negative consequences. On the other hand, the Recommendation concedes that higher education institutions pursuing a mission of public interest may process on this basis, and private higher education institutions may process on the basis of a contract.
Further, the Recommendation provides that higher education establishments must carry out a preliminary analysis of the proportionality of the monitoring measures envisaged, taking into account the nature, duration, and importance of the exams. On preliminary consultation, the Recommendations adds that where remote monitoring devices are used, a data controller must first carry out a Data Protection Impact Assessment ('DPIA'), unless the device used does not create a high risks to the rights and freedoms of data subjects.
Public comments may be submitted here until 1 January 2023.