Understanding the Pass System
The proposed pass system is a comprehensive accreditation mechanism designed to control access to various venues and facilities during the Games, with access becoming less restrictive as visitors go further from the site. Thus:
- Access to the “grey zone” (or “Silt”) will be strictly regulated and only people and vehicles duly authorized and accredited by the organizer, Paris 2024, or in possession of tickets during the events, will be able to access the sites.
- Access to the “red zone” will primarily involve traffic restrictions, aiming to reduce the risk of a terrorist attack and ensure the security of public flows accessing or leaving a site as well as local residents.
The pass will be issued following registration on a digital platform that will involve collection and processing of personal data, including identification details and possibly biometric information, to authenticate the identities of pass holders. The pass will contain a QR code to streamline entry control in areas where high attendance is expected.
To implement the pass system as planned for the Olympic and Paralympic Games, a database was created on the basis of on an order dated May 2, 2011 on the “files of residents in security zones”.
This order defines the purposes of these files (namely, the management of permits allowing access by persons or vehicles to areas within which restrictions on movement are imposed, in order to prevent disturbances to public order and guarantee the safety of a major event). It also sets out the categories of data that can be recorded, their retention periods, the individuals and entities that can access and receive the data, and the procedures for exercising individuals' rights.
The order was further amended to include new categories of data to carry out the event’s new pass system. In a deliberation of April, 2025, 2024, the CNIL issued an opinion on this recent development and confirmed the legitimacy of data processing to secure exceptional events. However, it has requested certain changes and made a series of recommendations.
CNIL’s Observations and Recommendations
New Categories of Personal Data:
The order authorises the processing of the new categories of data, namely photographs, proof of access, copies of identity documents (national identity card, driving licence, passport or residence permits), as well as copies of registration certificates.
Following the CNIL's observations, the registration of national identity cards, driving licences, passports and residence permits will only be retained for as long as necessary for the issuance of the access pass. The other data will be kept for three months, as was already the case before.
In its opinion, the CNIL also considered that while the collection of the photograph could be justified in view of the extent of the controls to be carried out during the Olympic and Paralympic Games, it should be limited to events of this magnitude only. The published order therefore provides that its collection is not mandatory.
Data Transmission to the Event Organizer:
Under this system, organizers of the Olympic and Paralympic Games must also issue a pass to allow individuals who are not spectators to access the event's venues and facilities.
Regarding this, the CNIL specified that data should only be transmitted to the organizer if the organizer does not already collect the same data independently. Additionally, for individuals seeking access to the venues and facilities hosting a major event (such as coaches, referees, doctors, etc.), an administrative investigation will be conducted before granting access. Spectators and individuals merely seeking access to other locations or buildings in the zone, such as residences or businesses not related to the event, are not subject to these specific investigations.
Conclusion
Hosting such a monumental event entails France's responsibility to adhere to the highest standards of data protection and privacy. The CNIL’s insights and recommendations provide a crucial framework for ensuring that the pass system not only achieves security objectives but also upholds individuals' fundamental rights. Embracing these guidelines enables organizers to foster a secure and privacy-respecting environment for all participants and attendees. Additionally, the CNIL's stance also serves as a pertinent reminder to uphold GDPR principles like data minimization, proportionality, purpose limitation, data security, storage, transparency, and informed consent. It underscores the importance of restricting biometric data usage to essential contexts, with robust safeguards, and establishing a comprehensive governance framework to oversee data processing and ensure regulatory compliance.
Article provided by INPLP members: Charlotte Gerrish and Evane Alexandre (Gerrish Legal, France)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)