In its press release of 4 November 2010 on its strategy to strengthen data protection rules, the EU Commission has listed amongst five key goals a “more effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities”. The Commission considers that they need to be independent, stating that “their role should be considerably strengthened”, and that “they should be provided with the necessary powers and resources to properly exercise their tasks both at national level and when co-operating with each other”.”
The French CNIL is a good example of an independent and relatively strong and powerful data protection authority as it notably, may carry out on site investigations and issue administrative sanctions. These powers come with certain constraints and responsibilities. Indeed, recent case law emphasises that regulatory authorities with these powers must be mindful of human rights.
The enforcement and investigatory powers of the French data protection authority
Since 2004 the CNIL has been granted the power to take direct enforcement action as it can:
• fine organisations up to €150,000 for the first breach and up to €300,000 in the case of a repeated breach within five years (as an administrative fine);
• issue an injunction to cease processing or cancel an authorisation; and
• issue public warnings and, in the case of bad faith on the part of the data controller, publish its enforcement decision.
Moreover the CNIL has been granted extensive investigation powers: It may access business premises that are used for data processing from 6 am to 21 pm. It may have access to any IT and software system or any data and ask for a transcription by any appropriate means in a format that is “directly usable” for the purpose of the investigation.
Administrative sanctions can be imposed more easily and more quickly than criminal sanctions
Since 2004, the CNIL has progressively increased its investigations and subsequent enforcement actions. By way of example, in 2009, the CNIL received 4.265 complaints for breach of French data protection law (almost the same as in 2008 where there had been 4,244). There were 270 investigations (218 in 2008 and 164 in 2007), 91 compliance notices (126 in 2008), 4 warning (2 in 2008) and 5 financial sanctions for a total amount of € 75,000 (11 financial sanctions for a total amount of €137,100 in 2008). !n 2009 for the first time, the CNIL resorted to summary proceedings, in one instance to order a company to comply within 8 days and in another instance to order the temporary suspension of a processing until a security breach had been cured. Moreover the CNIL reported that it had referred five matters to the public prosecutor in 2008 but has not specified the number for 2009.
Reaction of sanctioned data controllers
There are, however, a number of protected procedural steps to be followed before an administrative sanction can be applied.
• Any investigation at the premises has to comply with rules set out in the law or by the courts.
• Before inflicting a sanction, the data controller must be given a formal notice by the CNIL and have a period of time in which to comply.
• The sanction must be approved by a “restricted committee” at the CNIL based a report from another CNIL member (i.e. one who is not part of the restricted committee) and must consider representations from the data controller and other interested persons.
Sanctioned data controllers have filed claims requesting the cancellation of the CNIL’s enforcement actions. The claims have been filed before the French Conseil d’Etat, which is the French Supreme Court, as regards administrative law and, amongst other things, are based on the European Convention on Human Rights.
Recent case law
The latest ruling of the Conseil d’Etat was rendered in July 2010. An investigation and debt collection agency had been investigated by the CNIL in December 2005 following which it had received a formal compliance notice in relation to its processing. In October 2006 the CNIL undertook a secondary investigation and discovered that part of the compliance notice had not been complied with, as the files still contained sensitive data such as heath data, past convictions and social security numbers and as no adequate archiving policy had been implemented. As a result the CNIL imposed a fine of € 50,000 and ordered that the processing be stopped until it became compliant.
The investigation and debt collection agency acted in summary proceeding to prevent the suspension of the processing. This was refused by the Conseil D’Etatt. It then appealed against the CNIL’s decision and won the case in July 2010.
Right to a fair trial
In urgency proceedings the plaintiff alleged that, given the procedure implemented by the CNIL, it had been deprived of its right to a “fair trial” and that the sanctions inflicted as a result of this procedure should therefore be deemed void.
In February 2008, the Conseil d’Etat ruled that, given its nature, its composition and its powers, the CNIL should be classified as a “tribunal” within the meaning of Article 6-1 of the European Convention on Human Rights.
Therefore, the CNIL must provide a fair trial when using its enforcement powers. However, the Conseil d’Etat indicated that it is not contrary to Article 6 for a regulatory authority, such as the CNIL, to initiate proceedings of its own volition. Moreover, no national or international rule requires separate phases for investigation and sanctions during a trial.
In the case at hand, the Court considered that the CNIL had provided a fair trial. It had carried out an on-site investigation and sent a formal notice requiring the investigation and debt collection agency to comply with the French data protection law. The notice contained both a description of the facts discovered during the investigation and a reminder of the relevant rules that are likely to have been breached. The Conseil d’Etat decided this did not constitute a final decision by the CNIL to sanction the alleged breach. Indeed, the actual decision to impose a fine was taken at a later stage after the data controller had, by its own admission, failed comply with the notice fully. The data controller had been provided with all the information collected by the CNIL during its investigation and upon which the CNIL had based its decision and had made representations as part of the sanction process.
Right to object to entry of premises
In the proceedings to appeal against the decision of the CNIL, the plaintiff alleged that the CNIL had not complied with all the steps required for an on site investigation, and that therefore, the resulting sanction should be cancelled.
In its decision of July 2010, the Conseil d’Etat confirmed previous case law of November 2009, by deciding that the CNIL must inform persons on business premises of their right to object to on-site entry and investigation.
The CNIL can carry out on-site investigations of business premises so long as the local public prosecutor has been informed beforehand. However, if the person responsible for the premises objects, the CNIL may only proceed with the investigation with a court order and under the supervision of the authorising judge (see Article 44 of the French Data Protection Act). The French Data Protection Act does however not provide expressively for the obligation to inform the responsible person of this right to object.
The Conseil d’Etat considered that businesses have the right to “privacy” of business premises under Article 8 of the European Convention on Human Rights. Any interference with these rights must be permitted by law and necessary in a democratic society. Given the extensive and loosely defined investigatory powers granted to the CNIL, the Conseil d’Etat decided that any on-site investigation should, as general rule, be previously authorised by a court. It, however, also considers that the right to object (and subsequent court authorisation) provides an equivalent guarantee but only so long as proper information about the right to object has been provided. A mere reference to Article 44 of the French Data Protection Act is not sufficient.
Due to insufficient information on the right to object being provided in the case at hand, the Conseil d’Etat cancelled the CNIL’s sanctions. It had done the same in November 2009 where it cancelled a fine of €30,000 against two companies for abusive telephone marketing.
The CNIL has indicated it would like a change in law so it can apply for court authorisation by way of ex parte proceedings before each investigation so as to preserve the “element of surprise”.
New increase in power?
The French Senate submitted a new "Draft Law to Reinforce the Right to Privacy in the Digital Age" ("proposition de loi visant à mieux garantir le droit à la vie privée à l’heure du numérique") to the French Parliament in March 2010 which contains several amendments to the French data protection laws.
The enactment of the law would, inter alia, increase the CNIL’s enforcement powers as follows:
• It is expressively provided that the person responsible of premises be informed of their right to object to the on site investigation. But in case of urgency or material breach or to prevent destruction of evidence, the CNIL may directly require an authorisation by the court.
• Fines imposed by the CNIL for violations of the law would be increased to a maximum of €300,000 and €600,000 (instead of the current €150,000 and €300,000).
• Hearings of the restricted committee of the CNIL would be public hearings (drawing on the decision of the Conseil d’Etat that the CNIL is a “tribunal”).
• The CNIL’s decisions to sanction data controllers would be published even where the data controller has not acted in bad faith.
• The CNIL would have the right to produce written observations or to be heard in any civil, criminal or administrative court hearing upon its own volition or at the request of the parties, whereas to date it can only do so at the request of the court itself (or refer an alleged breach to the public prosecutor).
Nota : this article partly reproduces an article dated 18 January by the author in Linklaters’ TMT News