I
wanted to write about data protection, in France, & look at a
case which had reached the highest courts there. However, the recent
cases which reached the Conseil d'État, the highest administrative
court in France, concerned the powers of the French data protection
agency, the CNIL, rather than the substance of data protection or
privacy law. More detail about that can be found in records of CNIL's
deliberations when taking enforcement action. So I thought I'd write
a bit about the CNIL, & look at a recent case where they've taken
action against someone for breach of data protection rules. Of
course, the Google story is the most prominent at the moment, but
that's been well covered elsewhere so I tend to think it's therefore
outwith the remit of this blog.
CNIL
is the Commission
nationale de l’informatique et des libertés,
& was founded in 1978 by statute, to protect personal privacy in
the age of electronic storage of information, that “information
technology may be at the service of the citizen.” The
commission consists of 17 members, comprising 6 senior judges, 2 MPs,
2 Senators, 2 members of the Economic & Social Council, 3
appointed by the government & 1 each by the chairmen of the
Senate & National Assembly. It elects its own chairmen & is
independent of government. The Commission has various functions, such
as giving advice & authorising sensitive data processing, but
also include enforcement action against those infringing data
protection rules, which can include fines levied by the CNIL itself,
up to in extreme cases reporting data protection infringers to the
public prosecutor. Fines can be up to €300,000.
One
instance of enforcement action was taken by CNIL against DSE France,
a property surveying company, in January 2012. DSE France had been
sending unsolicited text messages to people who had placed property
for sale online.
The
company had breached the law on postal & electronic communication
which prohibited automatic communication of any kind with someone who
hadn't consented. They had bought these contact details from online
property advertising companies, the problem being not that they had
done so, but that they had done so without those sellers having
consented to being contacted. The onus was on the company to only buy
contact details from people who had agreed to be contacted. CNIL had
in 2009 & 2011 taken enforcement action against property selling
companies & this had been widely publicised, so DSE couldn't
claim ignorance in dealing with the data sellers. Moreover, at least
one of the contracts with the sellers had stipulated that the data
was to be used for contact by phone only, which wasn't forbidden by
the postal & electronic communication law.
DSE
had also failed to comply with the data protection law requiring
communications to give details of the recipients' rights including
rights to see, correct & delete the information held on them. The
texts only gave details of how to be taken off the mailing list by
replying to the text with “stop”. This wasn't considered
sufficient. Other companies had managed to put the required
information in text messages, even if it meant sending 2 messages to
each person.
It
was also unacceptable that the only way to be removed from the lists
was by replying to the texts or calling a number given, since these
both cost money, & people shouldn't have to pay to exercise their
data protection rights. A phone number to call for this purpose
should be free.
The
CNIL had been alerted to all these problems by 4 complainants who had
received these text messages without having consented to receiving
them, & had unsuccessfully attempted to have their contact
details deleted by DSE, without success. Indeed one person was found
by CNIL's investigators to be still on DSE's files, despite 7
requests to be deleted. CNIL began their process by writing to DSE
asking for their response to the concerns, in July 2010, & asking
them to take action to rectify them. In May 2011, having not received
a response, CNIL contacted them again & received the response
that DSE had taken action to rectify the problems. However, these
measures, such as having a free phone number to call, were
insufficient to meet their obligations.
Consequently,
the CNIL issued a fine of €20,000, & decided to openly publish
its decision.
References
