In this case, a company sold a customer database containing contact details of approximately 6,000 wine customers. The purchaser of the database subsequently requested that the sale be declared null and void on various grounds, including the fact that the database had not been registered with the CNIL.
The Legal Position
Article 22 of the French Data Protection Law (Loi Informatique et Libertés) requires that, except where there is an exemption or a legal requirement for an authorization, any automated processing of personal data should be registered with the CNIL by the data controller prior to the start of the relevant data processing activities. Failure to file such processing with the CNIL is a criminal offence punishable by up to five years in prison and a €300,000 fine. (Art. 226-16 of the French criminal code.)
The offence may also be subject to administrative sanctions by the CNIL. In this respect, the CNIL has the option to send a warning to the relevant data controller, impose a fine (of up to €150,000 or €300,000 in case of repeated breaches) or issue an injunction to stop any further processing taking place.
Notwithstanding the above, neither the French Data Protection Law nor any guidance issued by the CNIL refers to such database being unlawful if it is not registered or to the impact of the failure to register on the validity of its sale to a third party.
The Court of Appeal, at the first level of review, did not cancel the sale indicating that “the statute does not anticipate that the lack of registration of the data processing should lead to the database being unlawful.”
French Supreme Court Voids the Sale of the Database Not Registered With CNIL
The Supreme Court overturned the Court of Appeal’s decision based both on Article 22 of the French data protection law and on Article 1128 of the French Civil Code. The latter provides that: “Only things which may be the subject matter of legal transactions between private individuals may be the object of agreements.” The Supreme Court asserted that “a database containing personal data which has not been registered with the CNIL may not be sold.
Therefore, the sale of such a database has to be void by virtue of its subject matter being unlawful.”
The French Supreme Court stated that databases which have not been registered with the CNIL are outside of the realm of commerce.
Registrations with the CNIL allow it to verify that data processing activities comply with the law, and the filing requirements are meant to raise awareness around the data protection rules (i.e., before filing the company would normally make sure it is complying with the law). In practice, however, only a relatively small number of companies actually comply with their obligation to register their processing activities with the CNIL.
This Supreme Court’s decision emphasizes the fact that noncompliance with French data protection laws may now potentially affect the normal course of business transactions (in addition to the risk of incurring criminal and administrative sanctions).
Stéphanie Faber is a member of voxFemina – Paroles d’Experts au Féminin