Cybersecurity and Data Protection Issues at the 2024 Paris Olympic Games
The 2024 Paris Olympic and Paralympic Games are expected to represent a prime target for cybercriminals due to the international visibility of the event and the diversity of sensitive data at stake. According to the International Olympic Committee (IOC) and cybersecurity experts, the 2024 Paris Olympic Games could be the target of 4 billion attempted cyberattacks in July 2024. This estimate is based on the relentless increase in cyber threats during major sporting events, such as the 450 million cyberattack attempts recorded during the 2021 Tokyo Olympics.
Potential cyber threats include DDoS attacks, ransomware, phishing attempts and disinformation campaigns. These attacks could target athletes, delegations, accredited media and spectators. Sensitive data, such as athletes' health information and biometric data, are particularly at risk. Furthermore, these threats will not be limited to Olympic Games participants alone but will also target all organizations processing data or owning information systems in France, particularly in Paris.
The ANSSI (the French Cybersecurity Agency) has set up a security framework for the Olympics, focusing on five main areas:
- Improving knowledge of cyberthreats to organizations during the Games.
- Securing critical information systems.
- Protecting sensitive data.
- Raising awareness of the Olympic Games ecosystem.
- Preparing a response in the event of a cyber-attack.
Specific cybersecurity measures, such as physical and logical access management policies, incident and password management, as well as business continuity planning (BCP) and disaster recovery planning (DRP), need to be implemented or reinforced.
The 2024 Paris Olympic and Paralympic Games promise to be a massive event, welcoming over 15 million visitors from all over the world. However, this massive influx will bring considerable challenges in terms of physical security and personal data protection. The French authorities have, therefore, sought to put in place stringent measures to guarantee the security of individuals and infrastructures, while respecting people’s rights.
This article aims to explore the legislation that governs security around this global event, the way in which data is collected, and the cybersecurity measures that have been put in place.
Physical Safety of Major Sporting Events
Regulations on safety measures during the Olympics
There are 3 reference texts governing these measures:
- Law no. 2023-380 of 19 May 2023 relating to the 2024 Olympic and Paralympic Games, authorizing intelligent video surveillance systems until 31 May 2025 on an experimental basis, which will be added to the video surveillance systems already deployed;
- The order of 29 April 2019 amending the order of 2 May 2011 relating to the automated processing of personal data (called "files of residents in security zones") initiated for major events such as the Olympic Games. This decree introduces traffic restrictions in certain areas, and access management procedures involving personal data processing;
- CNIL notice no. 2024-034 dated 25 April 2024 advising on the modification of this order, allowing the processing of new categories of data, the addition of new acceding entities and recipients, as well as the update of provisions relating to the exercise of rights. In particular, the CNIL noted that the Ministry of the Interior had taken into account its requests regarding data retention and recommendations on IT security for processing.
Physical Access Management
Physical access management is crucial to guarantee the security of Olympic venues. The "Olympic Pass" system will be used to identify and authenticate visitors using IDs, badges and other electronic devices. Personal data will be stored in secure databases and managed by the UTL (Unité de Traitement des Demandes d'Accès), the processing unit for access requests, which will verify and grant access.
Several security perimeters will be established, including zones forbidden for non-organizers and restricted areas around Olympic venues. Since May 13, 2024, an online platform has simplified the management of exemptions and facilitated access to restricted areas for authorized individuals. Technological devices, such as electronic locks, barriers and security gates will reinforce access control.
Data protection requirements regarding enhanced video surveillance
Data Collection and Processing
The JOP 2024 law specifies the requirements for processing personal data in the context of intelligent video surveillance systems. The data collected must be relevant, adequate and representative, and its processing must be fair and ethical, based on objective criteria to prevent bias and error. Processing must also allow for human control and include appropriate security measures. This technology aims to detect predetermined events, in real time, such as the presence of abandoned objects, weapons, crowd movements or gunfire, without resorting to facial recognition or biometric data processing.
The data collected may not be used for facial recognition or biometric data processing, and must be limited to specific security situations. Data controllers must ensure these intelligent video surveillance systems are compliant with legal requirements, in particular by providing data protection impact assessments.
Intelligent video surveillance systems include cameras using machine vision and drones capable of monitoring event sites and public transport. The law requires that the collected data cannot be interconnected with other personal data processing, nor can it be used as the basis for any individual administrative or judicial decision. The implementation of these systems is subject to strict compliance, security and traceability requirements, supervised by the CNIL (the French data protection authority).
Personal information and rights
Informing the public in advance is essential to ensure transparency and fairness of data processing. The procedures for informing data subjects are set out in the decree "CNIL notice no. 2024-034 dated 25 April 2024". However, exceptions are provided where circumstances prevent the information from being given or where informing the public would conflict with security objectives. For example, public information may be omitted if it would compromise national security.
Data subjects may exercise their rights of access, rectification, erasure and restriction of processing directly with the data controller. The CNIL has pointed out that derogations from the right to information must be limited and justified to guarantee the protection of individual rights enshrined in the GDPR.
Reviews and feedback
Several associations have lodged complaints with the CNIL, arguing that the use of algorithmic video surveillance constitutes a serious infringement of privacy rights. They fear that this technology will be extended after the Olympics, beyond the security objectives initially intended.
The French Data Protection Authority acknowledges the legitimacy of security objectives for the Olympic Games but stresses the risks to privacy and human rights. It insists on the importance of a strict legal framework, limiting the use of these devices to specific situations without resorting to facial recognition or biometric analysis. The CNIL also calls for ethical reflection on the use of these technologies, to prevent them from becoming commonplace and to guarantee the protection of personal data.