CE - N° 429571

From GDPRhub

Latest revision as of 09:50, 10 September 2021

CE - 429571
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 6(1)(a) GDPR; Article 6(1)(b) GDPR; Article 6(1)(f) GDPR
Decided: 10.12.2020
Published:
Parties: Cdiscount; CNIL
National Case Number/Name: 429571
European Case Law Identifier: ECLI:FR:CECHR:2020:429571.20201210
Appeal from: CNIL (France)
Appeal to: Not appealed
Original Language(s): French
Original Source: Legifrance (in French)
Initial Contributor: Tsek

The French Supreme Administrative Court (Conseil d'Etat) held that the French DPA (CNIL) lawfully issued a guideline ("recommendation") on consent to the storage of customers' credit card data by e-commerce websites. The Court also found that such websites do not have a legitimate interest under Article 6(1)(f) GDPR to store credit card data.

English Summary

Facts

On 6 September 2018, the CNIL issued a Recommendation on the processing of credit card data in the context of online purchases of goods and services. The recommendation provides that:

(1) Credit card data can only be processed in order to complete a transaction in connection with the performance of a contract;

(2) The storage of such data in order to facilitate subsequent payments is only possible if the data subject:

  • (a) has given prior and explicit consent; or
  • (b) has taken out a subscription offering access to additional services, thus intending to enter into a regular commercial relationship.

Cdiscount, a marketplace website, asked the CNIL to modify those rules. It argued that websites should also be able to store the credit card data of customers who, given their purchasing frequency, can reasonably foresee that their data will be stored. The CNIL rejected the request. Cdiscount therefore sought the annulment of that decision before the French Supreme Administrative Court.

Dispute

Did the CNIL exceed its remit when interpreting Article 6 GDPR in its Recommendation?

Did the CNIL, by requiring prior and explicit consent, wrongly treat credit card data as a special category of personal data (Article 9 GDPR)?

Does the data controller have a legitimate interest to process the credit card data of recurring purchasers under Article 6(1)(f) GDPR?

Can the recommendation be annulled on the ground that it creates a distortion of competition with foreign economic operators that are not subject to similar legislation?

Holding

The Supreme Administrative Court dismisses the appeal on the following grounds.

On the CNIL's competence to interpret Article 6 GDPR

The Court holds that the CNIL acted within its powers when interpreting Article 6 GDPR. This power is derived from Article 11(I)(2°)(a bis) of the French data protection law (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés), as quoted in point 4 of the decision. These provisions designate the CNIL as the supervisory authority for France under Article 51 GDPR. They also expressly grant the CNIL the power to issue guidelines and recommendations in order to help achieve compliance with the GDPR.

On the alleged confusion of credit card data with special categories of data

The French Supreme Administrative Court finds that the CNIL only referred to Article 6 GDPR. Thus, the argument is dismissed.

On the legitimate interest to process credit card data of regular customers

The French Supreme Administrative Court balances the possible legitimate interest of websites in processing such data against the fundamental rights and freedoms of data subjects. Relevant elements in this test are the nature of the data collected, the purpose and methods of the processing, and the data subject's reasonable expectation that their data will not be further processed.

Firstly, the Court notes that the storage of credit card data does not stem from any legal obligation. It is not necessary to protect vital interests, nor for the performance of a task carried out in the public interest. Likewise, it is not necessary for the performance of a contract.

Secondly, the Court holds that storing credit card data in order to ease future payments does not prevail over customers' interest in the protection of their data. This conclusion takes into account the sensitivity of this category of data and the damage that any leak would cause. Furthermore, the Court considers that customers cannot reasonably foresee that such data will be stored.

On the distortion of competition

The Court holds that the alleged distortion does not affect the recommendation’s lawfulness.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Council of State, 10th - 9th chambers combined, 10/12/2020, 429571
Council of State - 10th - 9th chambers combined

    N° 429571
    ECLI:FR:CECHR:2020:429571.20201210
    Mentioned in the tables of the Lebon collection 

Read on Thursday, December 10, 2020
Rapporteur
    Ms. Myriam Benlolo Carabot 
Public rapporteur
    Mr. Alexandre Lallet 
Lawyer(s)
    SCP PIWNICA, MOLINIE 
Full Text
FRENCH REPUBLIC
IN NAME OF THE FRENCH PEOPLE

Considering the following procedure:

By a request and two reply memoranda, registered on April 8, 2019, March 2 and November 17, 2020 at the Litigation Secretariat of the Council of State, Cdiscount asks the Council of State:

1°) to annul for excess of power the implicit decision of the president of the National Commission for Informatics and Freedoms (CNIL) rejecting the request it presented on December 7, 2018 seeking to modify deliberation n° 2018-303 of September 6, 2018;

2°) to order the CNIL to re-examine, in the light of the decision to be made, the retention regime for bank card data of non-subscribed customers, within a period of one month from the date of notification of the decision to be taken;

3°) in the alternative, to refer a question to the Court of Justice of the European Union for a preliminary ruling concerning the interpretation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

4°) to order the CNIL to pay the sum of 3,000 euros under the provisions of article L. 761-1 of the code of administrative justice.


Having regard to the other documents in the file;

Having regard to:
- the Constitution;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- the Charter of Fundamental Rights of the European Union;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law n° 78-17 of January 6, 1978;
- the code of administrative justice and decree n° 2020-1406 of November 18, 2020;


After hearing in public session:

- the report by Ms Myriam Benlolo Carabot, master of requests for extraordinary service,

- the conclusions of Mr. Alexandre Lallet, public rapporteur;

The floor having been given, after the conclusions, to SCP Piwnica, Molinié, lawyer of the company Cdiscount;



Considering the following:

1. It appears from the documents in the file that, by a deliberation of September 6, 2018, the National Commission for Informatics and Freedoms (CNIL) adopted a recommendation concerning the processing of payment card data in matters of distance selling of goods or provision of services. With this recommendation, the CNIL indicated that this data can only be collected and processed by a company selling goods or services at a distance to allow the completion of a transaction within the framework of the execution of a contract, and that the retention of this data in order to facilitate any subsequent payments is only possible if the persons to whom the data relate have given prior and explicit consent, unless they have taken out a subscription giving access to additional services, reflecting their entry into a regular commercial relationship.

2. The Cdiscount company sent the President of the CNIL a request to modify the deliberation of September 6, 2018, in order to authorize the storage of bank card numbers of customers who do not subscribe but whose recurrence of purchases suggests that they can reasonably expect their bank details to be kept to simplify their subsequent purchases. It requests the annulment for excess of power of the President of the CNIL's refusal of this request.

3. On the one hand, under the terms of article 6 of the regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: "1. Processing is only lawful if, and insofar as, at least one of the following conditions is met: a) the data subject has consented to the processing of their personal data for one or more specific purposes; / b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the latter; / c) the processing is necessary for compliance with a legal obligation to which the controller is subject; / d) the processing is necessary to protect the vital interests of the data subject or of another natural person; / e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the controller; / f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, especially when the person concerned is a child. (...)". According to recital 47 of this regulation: "The legitimate interests of a controller, including those of a controller to whom personal data may be communicated, or of a third party, may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller (...)".

4. On the other hand, Article 58 of the Regulation provides that: "3. Each supervisory authority has all the following authorization and advisory powers: (...) b) issue, on its own initiative or on request, opinions for the attention of the national parliament, the government of the Member State or, in accordance with the law of the Member State, other institutions and bodies as well as the public, on any matter relating to the protection of personal data; (...)". Under the terms of article 11 of the law of January 6, 1978 relating to data processing and freedoms, in the version applicable to the dispute: "I. The National Commission for data processing and freedoms is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of the aforementioned Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It carries out the following missions: (...) 2° It ensures that the processing of personal data is carried out in accordance with the provisions of this law and the other provisions relating to the protection of personal data provided for by laws and regulations, European Union law and the international commitments of France. / As such: (...) a bis) It establishes and publishes guidelines, recommendations or standards intended to facilitate the compliance of personal data processing with the texts relating to the protection of personal data and the carrying out of a prior risk assessment by data controllers and their processors (...)".

5. First, by the disputed deliberation, the CNIL confined itself, within the framework of the prerogatives conferred on it by the provisions mentioned in point 4, to giving its interpretation of the provisions of the regulation of 27 April 2016 mentioned in point 3 as regards the conditions under which a data controller may lawfully keep the bank card data of customers of its online shopping services. Consequently, the plea alleging that it amended that regulation without having the competence to do so can only be rejected.

6. Secondly, article 9 of the regulation of 27 April 2016 provides that "1. The processing of personal data which reveals racial or ethnic origin, political opinions, religious or philosophical convictions or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sexual life or sexual orientation of a natural person, is prohibited. / 2. Paragraph 1 does not apply if one of the following conditions is fulfilled: / a) the data subject has given explicit consent to the processing of such personal data for one or more specific purposes, except where Union law or the law of the Member State provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject (...)". Contrary to what the Cdiscount company maintains, the CNIL did not base the requirement of prior consent of the persons concerned by the processing operations in question on the provisions of article 9 of the regulation of April 27, 2016, which have just been cited, but on those of its article 6. Consequently, the plea according to which the CNIL wrongly assimilated banking data to sensitive data within the meaning of article 9 of the regulation of April 27, 2016 can only be rejected.

7. Thirdly, it clearly follows from the provisions of Article 6 of the Regulation of 27 April 2016 cited in point 3 that processing of personal data which is necessary neither for compliance with a legal obligation to which the controller is subject, nor for the performance of a task of public interest or relating to the exercise of public authority vested in the controller, nor for the protection of the vital interests of the data subject or of another natural person, meets the requirements of the Regulation only if the data subject has consented to the processing of their data, unless the processing is necessary for the performance of a contract to which the data subject is a party or for the execution of pre-contractual measures taken at the latter's request, or is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, on condition, in the latter case, that such legitimate interests may be regarded as prevailing over the interests of the persons concerned or over their fundamental rights and freedoms. To make this assessment, it is necessary to weigh, on the one hand, the legitimate interest pursued by the controller and, on the other hand, the interests or the fundamental rights and freedoms of the data subjects, having regard in particular to the nature of the data processed, the purpose and methods of the processing, and the expectations that these persons may reasonably have regarding the absence of further processing of the data collected.

8. On the one hand, it is not disputed that the retention of bank card numbers of certain non-subscriber customers of online shopping sites to facilitate subsequent purchases is necessary neither for compliance with a legal obligation, nor for the performance of a task of public interest, nor for the protection of the vital interests of the data subject or of another person. As regards the performance of a contract to which the person concerned is a party, the retention of the bank card number cannot be justified once this contract has been executed.

9. On the other hand, while the company maintains that the retention of the bank card number of a customer who has made an online purchase is necessary for the purposes of the legitimate interest consisting in facilitating subsequent payments by exempting the customer from entering it for each purchase, in particular within the framework of a fast purchase functionality, known as "one click", this interest cannot prevail over the interest of customers in protecting this data, taking into account the sensitivity of this banking information and the damage that may result to them from its capture and misuse, whereas many customers who use e-commerce sites to make one-off purchases cannot reasonably expect the companies concerned to keep such data without their consent. As a result, the CNIL was rightly able to consider that, in general, the storage of bank card numbers of customers of online shopping sites in order to facilitate subsequent purchases should be subject to the explicit consent of the person concerned. It follows that the plea alleging that the disputed deliberation disregarded the regulation of April 27, 2016 must be rejected.

10. Fourth, the alleged circumstance that the contested deliberation would have the effect of creating a distortion of competition for the benefit of foreign economic operators coming under the regulators of other countries, or not being subject to any regulation, is, in itself, without effect on its legality.

11. It follows from all of the foregoing that, without there being any need to refer a question to the Court of Justice of the European Union for a preliminary ruling, Cdiscount is not justified in requesting the annulment for excess of power of the implicit decision of the president of the CNIL rejecting its request to modify the deliberation of September 6, 2018. Its conclusions for injunction purposes, as well as those presented under Article L. 761-1 of the Code of administrative justice, must therefore be rejected.



DECIDES:
--------------

Article 1: The request of the Cdiscount Company is rejected.
Article 2: This decision will be notified to the Cdiscount Company and to the national commission for data processing and freedoms.


ECLI:FR:CECHR:2020:429571.20201210