CE - N° 472864

From GDPRhub
Revision as of 22:58, 25 July 2024 by Nikolaos.konstantis (talk | contribs) (Created page with "{{COURTdecisionBOX |Jurisdiction=France |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=CE |Court_Original_Name=Conseil d'Etat |Court_English_Name=Supreme Administrative Court |Court_With_Country=CE (France) |Case_Number_Name=N° 472864 |ECLI=FR:CECHR:2024:472864.20240430 |Original_Source_Name_1=Conseil d'Etat |Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000049501435 |Original_Source_Language_1=French |Original_Source_Languag...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CE - N° 472864
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 32 GDPR
article 8 de la loi du 6 janvier 1978
articles 87 and 90 de la loi du 6 janvier 1978
articles L. 233-1 et L. 233-1-1 du code de la sécurité intérieure
Decided: 30.04.2024
Published:
Parties: Municipality of Beaucaire
National Case Number/Name: N° 472864
European Case Law Identifier: FR:CECHR:2024:472864.20240430
Appeal from: France
n° MED-2023-006 du 6 février 2023
Appeal to: Unknown
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: Nikolaos. Konstantis

The Conseil d'Etat held an appeal for abuse of power submitted by a municipality against a sanction decision by the CNIL.

English Summary

Facts

According to the decision, on video surveillance systems and automatic license plate reading devices communal networks are not intended to support them under the current regulations, even with the sole objective of being able to respond to requisitions from judicial authorities.Regarding the respect for the security of personal data under Article 32 GDPR, the municipality is sanctioned for network infrastructure issues, using server operating systems that have not been updated for nearly 10 years, and for insufficient practices regarding the security of passwords used for applications within the community.The CNIL can validly use the ANSSI standards to assess the levels of security of personal data for which it is responsible under Article 32 GDPR (hence the need for a comprehensive approach to these issues within the GDPR/SSI organization implemented in our structures, even if it does not fall solely under the IT department, for example) In this case, the CNIL was initially seized by a report from a CRC; which raises questions about the omniscience though the term might be too strong – of CRC controls.

Holding

According to the Conseil d'etta the appeal of the municipality of Beaucaire is rejected and the present decision will be notified to the municipality of Beaucaire and to the CNIL

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Considering the following procedure:

By a summary request and a complementary brief, recorded on April 7 and July 7, 2023 at the litigation secretariat of the Council of State, the municipality of Beaucaire requests the Council of State:

1°) primarily, to cancel for abuse of power decision no. MED-2023-006 of February 6, 2023 by which the National Commission for Informatics and Liberties gave it formal notice to take, under a period of six months, various measures in order to comply with the provisions of the general data protection regulations and the law of January 6, 1978 relating to data processing, files and freedoms;

2°) in the alternative, to repeal this decision;

3°) to charge the National Commission for Information Technology and Liberties the sum of 4,000 euros under article L. 761-1 of the administrative justice code.

Considering the other documents in the file;

Seen :
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- Decree No. 2019-536 of May 29, 2019;
- the internal security code;
- the administrative justice code;

After hearing in public session:

- the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service,

- the conclusions of Mr. Laurent Domingo, public rapporteur;

The floor having been given, after the conclusions, to SCP Boré, Salve de Bruneton, Mégret, lawyer for the commune of Beaucaire;

Considering the following:

1. It appears from the documents in the file that following a report from the regional audit chamber, a control delegation from the National Commission for Informatics and Liberties (CNIL) carried out, on May 27, 1 July and November 30, 2021, on-site and documentary checks with the municipality of Beaucaire (Gard) in order to check the conformity of the IT and video protection devices of this municipality. By a decision of February 6, 2023, taken in application of II of article 20 of the law of January 6, 1978 relating to computing, files and freedoms, the president of the CNIL ordered the municipality to put an end, within a period of six months, to various breaches, noted by the supervisory delegation, of Article 32 of the regulation of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of data, known as RGPD, and articles 87 and 90 of the law of January 6, 1978. The municipality of Beaucaire requests the annulment for abuse of power of this decision.

On the breach of articles 87 and 90 of the law of January 6, 1978:

2. Firstly, under the terms of article 87 of the law of January 6, 1978, title III of this law "applies, without prejudice to title I, to the processing of personal data implemented, for the purposes of prevention, detection, investigation and prosecution of criminal offenses or execution of criminal sanctions, including protection against threats to public security and prevention of such threats, by any public authority competent authority or any other body or entity to which has been entrusted, for these same purposes, the exercise of public authority and the prerogatives of public power, hereinafter referred to as competent authority / These processing operations are only lawful if and in. to the extent that they are necessary for the execution of a mission carried out, for one of the purposes set out in the first paragraph, by a competent authority within the meaning of the same first paragraph and where the provisions of Articles 89 and 90 are respected. processing ensures in particular the proportionality of the duration of retention of personal data, taking into account the purpose of the file and the nature or seriousness of the offenses concerned. "Moreover, in its wording applicable on the date of the contested decision, article L. 251-2 of the internal security code provided that: "The transmission and recording of images taken on public roads by the means of video protection may be implemented by the competent public authorities for the purposes of ensuring: / 1° The protection of public buildings and installations and their surroundings; / 2° The safeguarding of installations useful for national defense; / 3° The regulation of transport flows; / 4° Reporting violations of traffic rules; / 5° Prevention of attacks on the security of people and property in places particularly exposed to risks of aggression, theft or drug trafficking as well as the prevention, in areas particularly exposed to these offenses, of fraud customs duties provided for by the last paragraph of article 414 of the customs code and offenses provided for in article 415 of the same code relating to funds originating from these same offenses; / 6° The prevention of acts of terrorism, under the conditions provided for in Chapter III of Title II of this book; / 7° Prevention of natural or technological risks; / 8° Rescue of people and defense against fire; / 9° The security of installations welcoming the public in amusement parks; / 10° Compliance with the obligation to be covered, to operate a land motor vehicle, by insurance guaranteeing civil liability; / 11° Prevention and reporting of offenses relating to the abandonment of garbage, waste, materials or other objects. (...) ". Finally, article L. 233-1 of the internal security code provides: "In order to prevent and repress terrorism, to facilitate the reporting of related offenses, to facilitate the reporting criminal offenses or offenses linked to organized crime within the meaning of articles 706-73 and 706-73-1 of the code of criminal procedure, offenses of theft and receiving stolen vehicles, offenses of smuggling, importation or export committed by an organized gang, provided for and punished by the last paragraph of article 414 of the customs code, as well as the recognition, when they relate to funds originating from these same offenses, of the realization or the attempt of realization financial operations defined in Article 415 of the same code and in order to allow the gathering of evidence of these offenses and the search for their perpetrators, the national police and gendarmerie and customs services may implement fixed or mobile devices automated control of the identification data of vehicles taking photographs of their occupants, at all appropriate points in the territory, in particular in border, port or airport areas as well as on major national or international transit routes. / The use of such devices is also possible by the national police and gendarmerie services, on a temporary basis, for the preservation of public order, on the occasion of special events or large gatherings of people, by decision of the administrative authority", while article L. 233-1-1 of the same code provides that: "In order to facilitate the detection of infractions of the highway code, allow the gathering of evidence of these infractions and the research of their authors as well as implement the provisions of article L. 121-4-1 of the highway code, the national police and gendarmerie services may implement fixed or mobile devices for automated control of identification data vehicles taking photographs of their occupants, at all appropriate points in the territory".

3. It appears from the documents in the file that the video protection system implemented by the municipality of Beaucaire since 1995 included, on the date of the contested decision, 73 cameras installed on public roads and outdoors, six of which were equipped with devices automated reading of vehicle registration plates, and was last authorized by an order from the prefect of Gard dated November 9, 2020. The contested decision states that the processing of personal data linked to the implementation of this device disregards article 87 of the law of January 6, 1978 since the municipality is not a competent authority capable of implementing devices for automated reading of vehicle registration plates in accordance with articles L. 233-1 and L 233-1-1 of the internal security code and, in addition, the collection of registration plate data having the sole purpose of responding to requests from the police for the exercise of their missions. judicial police, relating to offenses, would not correspond to one of the purposes listed in article L. 251-2 of the same code.

4. If articles L. 233-1 and L. 233-1-1 of the internal security code authorize only the customs, police and national gendarmerie services to implement automated control systems for the identification data of vehicles taking photographs of their occupants for the purposes they provide, they do not have the effect of prohibiting the competent authorities from implementing, on the basis of article L. 251-2 of this same code, devices for automated reading of vehicle registration plates. However, these authorities can only do so for one of the purposes listed in this article and in compliance with Title V of Book II of this same code.

5. It appears from the documents in the file that if the commune of Beaucaire is a competent authority within the meaning of articles L. 251-2 of the internal security code and 87 of the law of January 6, 1978, it has not implemented the disputed devices only for the sole purpose of responding to requests from law enforcement by making the data thus collected available to them for the exercise of their judicial police missions. It follows that the CNIL, which moreover did not commit a factual error as to the indetermination of the purposes pursued, rightly held that this purpose is not among those provided for by article L. 251-2 of the internal security code and that the implementation of the disputed measures therefore disregards article 87 of the law of January 6, 1978. Consequently, the commune of Beaucaire is not justified in maintaining that the contested decision would be illegal in that it requires it to cease implementing devices for automated reading of vehicle registration plates.

6. Secondly, under the terms of the first paragraph of article 90 of the law of January 6, 1978, in force since June 1, 2019: "If the processing is likely to generate a high risk for the rights and freedoms natural persons, in particular because it concerns data mentioned in I of Article 6, the data controller carries out an impact analysis relating to the protection of personal data. The provisions of the first paragraph of I of article 130 of the decree of May 29, 2019 taken for the application of this law specify that: "The fact that a type of processing is likely to generate a high risk for the rights and the freedoms of natural persons requiring the carrying out of an impact analysis pursuant to article 90 of the aforementioned law of January 6, 1978 is determined by the use of new technologies, and taking into account the nature, scope, of the context and purposes of the processing".

7. It appears from the documents in the file that the video protection system implemented by the municipality of Beaucaire included, on the date of the contested decision, 73 cameras installed in areas accessible to the public, in particular near major thoroughfares. and several public services and infrastructures. Consequently, the CNIL, which sufficiently justified its decision, accurately qualified the facts by holding that the implementation of the disputed video protection system was, given its nature and its scale, likely to present a high risk for the rights and freedoms of natural persons and therefore required the carrying out of an impact analysis relating to the protection of personal data in application of the provisions cited in point 6. The municipality of Beaucaire is therefore not justified in requesting the annulment of the contested decision in that it required it to carry out such an impact analysis.

On breaches of Article 32 of the GDPR:

8. On the one hand, in accordance with I of article 8 of the law of January 6, 1978, the CNIL is the national supervisory authority within the meaning and for the application of the GDPR. It is in particular responsible for informing all data subjects and all data controllers of their rights and obligations and ensuring that the processing of personal data is implemented in accordance with the provisions of the law of January 6, 1978 and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. It may, in this capacity, establish and publish guidelines, recommendations or standards intended to facilitate compliance of the processing of personal data with the applicable texts. Under Articles 19 to 23 of the same law, it can also carry out checks on all processing operations and take corrective measures and sanctions when a processing operation disregards the GDPR or the law of January 6, 1978.

9. On the other hand, under the terms of Article 32 of the GDPR: "1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk, including, among other things, as necessary: / a) pseudonymization and encryption of personal data / b) means to guarantee the constant confidentiality, integrity, availability and resilience of the systems; and processing services; / c) means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident / d) a procedure to test; , to regularly analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing (...)".

10. Firstly, the contested decision finds a failure to comply with the obligation to ensure the security of personal data subject to processing, provided for by Article 32 of the GDPR, due to the insufficient complexity passwords used for three applications implemented by the municipality of Beaucaire, which could thus lead to a compromise of the accounts and the data they contain. If the reasons for the contested decision include elements also mentioned in a deliberation no. 2022-100 of July 21, 2022 adopting a recommendation relating to passwords and other shared secrets, taken by the CNIL on the basis of the provisions of article 8 of the 1978 law in order to interpret article 32 of the GDPR, the Commission does not consider a breach of the latter article due to a lack of awareness, as such, of this recommendation but has limited, as it could rightly do, to taking into account the elements of this recommendation to assess compliance with the provisions whose sole purpose it is to contribute to the implementation.

11. Secondly, if the contested decision cites extracts from technical recommendations, devoid of normative value, relating to the secure administration of information systems and formulated by the National Information Systems Security Agency, these The elements are only intended to explain good technical practices, in particular updating, which, according to the CNIL, make it possible to guarantee a level of security adapted to the risk in accordance with article 32 of the GDPR for which it is responsible for ensure respect. The Commission was therefore able to legally characterize a breach of this article due to the use by the municipality of an operating system which is no longer updated by its publisher.

12. Thirdly, the municipality does not seriously dispute that, as the CNIL maintains, the additional security systems alone do not ensure an appropriate level of security in the event of obsolescence of an operating system. It is therefore not justified in maintaining that the contested decision would be tainted with illegality by finding, despite the alleged use of such ancillary security systems, a failure to comply with this obligation due to the municipality's accommodation of five servers using an operating system that was no longer maintained by its publisher since July 14, 2015.

13. Fourthly, the contested decision finds a breach of the security obligation imposed by Article 32 of the GDPR due to the lack of segmentation of the network of the municipality of Beaucaire. In doing so, the CNIL set out in the contested decision, as well as its ability to carry out its missions recalled in point 8, the technical measures whose implementation is, according to it, likely to guarantee compliance of the provisions of article 32 of the GDPR. The municipality of Beaucaire, which limits itself to contesting the existence of technical recommendations without establishing that the CNIL disregards the provisions of this article by requiring it to proceed with the segmentation of its network, is therefore not justified in maintaining that the contested decision would therefore be tainted with illegality.

On the requests for partial repeal of the contested decision:

14. If the commune of Beaucaire requests the repeal of the contested decision in that it puts it in a position to carry out certain compliance measures, on the grounds that it has complied or is in the process of complying with the updates in dispute, conclusions for the purpose of repealing a decision of formal notice taken in application of the provisions of II of article 20 of the law of January 6, 1978 are not admissible.

15. It follows from all of the above that the commune of Beaucaire is not justified in requesting the annulment of the decision it is contesting. His request must therefore be rejected, including his conclusions seeking the application of article L. 761-1 of the administrative justice code.

DECIDED :
--------------

Article 1: The request from the municipality of Beaucaire is rejected.
Article 2: This decision will be notified to the municipality of Beaucaire and to the National Commission for Information Technology and Liberties.
A copy will be sent to the Minister of the Interior and Overseas Territories.

Deliberated at the end of the session of April 5, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr. Olivier Yeznikian, Ms. Rozen Noguellou, Mr. Nicolas Polge, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors and Mr. Emmanuel Weicheldinger, master of requests in extraordinary rapporteur service.

Returned on April 30, 2024.
President :
Signed: Mr. Rémy Schwartz

The rapporteur :
Signed: Mr. Emmanuel Weiheldinger

The Secretary :
Signed: Ms. Claudine Ramalahanoharana

ECLI:FR:CECHR:2024:472864.20240430