The French data protection authority (the CNIL) already has powers to investigate and issue administrative sanctions. However, the exercise of these powers has raised a number of questions, even leading to litigation before the Supreme Court (Conseil d’Etat).
As detailed in one of our previous articles , in February 2008 the Supreme Court held that the CNIL, “considering its nature, composition and powers, could be classified as a tribunal within the meaning of Article 6-1 of the European Convention on Human Rights” and that, accordingly, it must respect the requirement for fair trial.
Law No. 2011-334 of 29 March 2011 relating to the rights’ defender (“défenseur des droits”) amends the existing French data protection law of 6 January 1978 with a view to guaranteeing the equitable nature of the CNIL, whilst reinforcing some of its powers.
1. Control visits
The CNIL has powers to carry out on-site inspections between 6 am and 9 pm, after giving notice to the State prosecutor. The responsible for the premises may object, in which case the inspection cannot take place until a judicial authorisation has been granted (article 44 of the French data protection law).
• The new legislation expressly provides that from now on the CNIL must inform the responsible for the premises that he has the right to object to the inspection.
In the event of an objection, the matter will be brought before the judge of liberties and custody (juge des libertés et de la détention).
This reflects the persistent views of the Supreme Court on the basis of article 8 of the European Convention on Human Rights (the fundamental right to respect one’s place of residence, which also applies to premises used for professional purposes).
• However, when “the urgency or seriousness of the circumstances causing the inspection, or the risk of destruction or concealment of documents justifies it”, the inspection can take place without giving prior notice to the responsible for the premises, and without the ability for him to object, providing that the CNIL has obtained prior consent from the judge of liberties and custody.
Such an inspection would then take place under the authority and control of the judge of liberties and custody, in the presence of either the responsible for the premises (who may be assisted by his lawyer) or, failing that, in the presence of two witnesses who are not subject to the CNIL’s authority nor that of the judge. The new law does not specify how these witnesses should be identified as such, and this could lead to future debate, in particular if the responsible for the premises sees this as a way to delay or oppose the proceedings…
The court order is immediately binding and provides that at any time a request for the inspection to be suspended or terminated can be made to the judge. The order sets out the appeals procedure and the relevant statutes of limitation.
Appeals following the judge’s decision or the outcome of the inspection are brought before the first Président of the Court of Appeal.
This change in law is in response to a request from the CNIL, which wishes to be able to retain an element of surprise in order to preserve evidence.
2. Guaranteeing the right to a fair trial by separating the roles of investigation and sanction
Although the Supreme Court has not ruled in favour of the arguments put forward by claimants on the absence of separation of the “investigation” and “sanction” phases that would infringed article 6-1 of the EU Convention on Human Rights (right to a fair trial), the law of 29 March 2011 provides for the CNIL’s powers to be separated.
Previously, the role of the CNIL’s restricted committee (formation restreinte) was not only to issue formal notices (in particular at the end of an inspection), but also to issue administrative sanctions in the event of non-compliance with the notices.
• The formation restreinte still issues administrative sanctions, but it is now the President of the CNIL who issues formal notices (article 45 of the French data protection law).
• The six members of the formation restreinte elected by the CNIL are excluded from certain functions, including (i) becoming a CNIL officer (which excludes the President and vices Presidents of the CNIL in particular); (ii) receiving claims, petitions and complaints; (iii) informing the State prosecutor of infringements and commenting in criminal proceedings; and (iv) carrying out inspections (article 17 of the French data protection law).
• Finally, the position of President of the CNIL is incompatible with any other professional activities, any elected State position and any interest, whether direct or indirect, in a company in the electronic communications or computer sector, which has a more general effect of ensuring the independence of the CNIL itself.
3. Extension of publication of CNIL decisions
In order to strengthen their deterrent nature of the sanctions, the following can now be published (article 46 of the French data protection law):
• all administrative sanctions, including warnings; and
• formal notices;
regardless of whether the data processor was acting in good faith.
These provisions are especially important, since they will enable the CNIL to rely more on companies’ desire to protect their reputation than the deterrent nature of the administrative sanctions.