CE - 466115

From GDPRhub
Revision as of 10:29, 21 February 2024 by Nzm (talk | contribs)
CE - 466115
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 5 GDPR
Article 46 GDPR
Decided: 30.01.2024
Published:
Parties: Association of Accidental Americans
National Case Number/Name: 466115
European Case Law Identifier: ECLI:FR:CECHR:2024:466115.20240130
Appeal from: CNIL
Appeal to:
Original Language(s): French
Original Source: Légifrance (in French)
Initial Contributor: nzm

The French Supreme Administrative Court considered that the automatic transfers of tax data between France and the United States under the FATCA Agreement did not infringe Articles 5 and 46 GDPR.

English Summary

Facts

The Association of Accidental Americans (“Association”) sought the annulment of the decision of 23 May 2022 by which the French DPA (“CNIL”) ordered the closure of its complaint seeking the suspension of automatic transfers of tax data operated between France and the United States pursuant to the international agreement concluded on 14 November 2013 (“FATCA Agreement”).

The Association appealed the decision in front of the French Supreme Administrative Court (“Conseil d’Etat”).

Holding

Firstly, Article 5 GDPR states that processing must respect data minimization and storage limitation. The Association had considered that by analyzing the US Treasury and statements by the US tax authority, the transfer of personal data to the US authorities under the FACTA Agreement did not meet the data minimization requirement since (i) little or no use would be made of this data by these authorities due to the lack of resources available and (ii) there would be a lack of reciprocity between the American and European authorities as regards to the transmission of this data.

The Conseil d’Etat considered that since it was not disputed that the processing at issue served a legitimate purpose of improving compliance with tax obligations and provides for procedures for selecting, collecting and processing data that was appropriate and proportionate to that purpose, the circumstances alleged could not lead to this processing as being regarded as failing to comply with the data minimization requirement. Furthermore, the Conseil d’Etat noted that the mere fact that the 'FATCA' agreement does not contain any stipulations on the length of time for which transferred data may be retained did not in itself, in view of the safeguards provided by US law, and in particular the Privacy Act of 1974, imply a failure to comply with Article 5(1)(e) GDPR.

Secondly, the Association had held that although the Conseil d’Etat had ruled that the FATCA Agreement did not infringe Article 46 GDPR in previous decisions, this analysis should necessarily be called into question because of legal developments subsequent to said decisions. The Conseil d’Etat noted that the invalidation of the Privacy Shield following the Schrems II decision did not prohibit transfers to from the European Union to the United States all together. Transfers could still be made on the basis of Article 46 or 49 GDPR. The Conseil d’Etat considered that this judgment, which in itself had no bearing on the lawfulness of transfers between the United States and France of personal data carried out between public authorities on the basis of Article 46 GDPR, did not make it possible to characterise the contested CNIL decision as unlawful in the light of that Article.

The Conseil d’Etat also considered that failure to comply with EDPS guidelines, recommendations and good practices could not, in itself be relied upon in support of an action brought against a CNIL decision to close a complaint.

The Association also had argued that the requirements relating to the existence of an independent internal control mechanism that guaranteed the security of the data was not in place. The Conseil d’Etat considered that this plea was not accompanied by details enabling its merits to be assessed.

Fourthly, the fact that the FATCA agreement did not provide for any mechanism for suspending the transfer of data in the event of a dispute between the parties or litigation before the courts of the other State party to the agreement could not prevent the French administrative authorities from suspending such transfers in the event of failure to comply with the GDPR.

Lastly, the fact that the FATCA agreement does not contain any clause relating to automated individual decision-making on the basis of the data transferred was not such as to vitiate the data transfers carried out under that agreement as being in breach of the GDPR.

Consequently, the Conseil d’Etat considered that the CNIL gave sufficient reasons for its decision and that there was no need to refer to the Court of Justice of the European Union since the dispute did not raise any new question of interpretation. Therefore, the Conseil d’Etat rejected the claim.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Considering the following procedure:

By a summary request, a supplementary brief, two reply briefs and a new brief, recorded on July 26 and October 26, 2022 and March 8, April 14 and May 25, 2023 at the litigation secretariat of the Council of State, the association Accidental Americans asks the Council of State:

1°) to annul the decision of May 23, 2022 by which the president of the National Commission for Information Technology and Liberties (CNIL) closed her complaint seeking the suspension of automatic transfers of tax data carried out between France and the United States in application of the so-called “FATCA” agreement;

2°) to order the CNIL to order the suspension of these automatic transfers of tax data between France and the United States;

3°) in the alternative, to stay the proceedings and refer the following questions to the Court of Justice of the European Union for a preliminary ruling:
- "Articles 5, 44 and 46 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and to free movement of these data, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, must they be interpreted as meaning that they oppose the automatic transfer to a third State of the tax data of taxpayers residing in the territory of the Member State concerned but having the nationality of that third State, based on an instrument referred to in paragraph 2(a) of Article 46 of this regulation, without this instrument or any other relevant element of the legal system of this third State does not provide guarantees linked in particular, on the one hand, to the temporal limitation of conservation, on the other hand, to internal control mechanisms and finally, to the conditions of termination of this instrument. ;
- "The provisions of Article 96 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of natural persons with regard to the processing of personal data and to free movement of these data, and repealing Directive 95/46/EC (general data protection regulation), in that they would potentially be interpreted as allowing the maintenance in force of an international agreement ratified by a Member State before the entry into force of Regulation No. 2016/679, even when the stipulations of this agreement are contrary to the requirements of data protection law as interpreted, subsequent to this entry into force, by the Court of Justice of the Union European Union, disregard the Charter of Fundamental Rights of the European Union, in particular its Articles 8 and 52§3, as well as Article 6§1 of the Treaty on European Union and Articles 16 and 267 of the Treaty on the functioning of the European Union' ";

4°) to charge the State the sum of 4,000 euros under article L. 761-1 of the administrative justice code.

Considering the other documents in the file;

Seen :
- the Constitution ;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- the Charter of Fundamental Rights of the European Union;
- Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016;
- the modified Franco-American tax convention of August 31, 1994;
- the agreement between the Government of the French Republic and the Government of the United States of America of November 14, 2013;
- Law No. 2014-1098 of September 29, 2014;
- the administrative justice code;

After hearing in public session:

- the report of Mrs Alexandra Bratos, auditor,

- the conclusions of Mr. Laurent Domingo, public rapporteur;

The floor having been given, after the conclusions, to SCP Spinosi, lawyer for the Association of Accidental Americans;

Considering the note under deliberation, recorded on January 22, 2024, presented by the Association of Accidental Americans;

Considering the following:

1. The Association of Accidental Americans requests the annulment for abuse of power of the decision of May 23, 2022 by which the president of the National Commission for Information Technology and Liberties (CNIL) declared the closure of her complaint seeking to the suspension of automatic transfers of tax data operated between France and the United States pursuant to the international agreement concluded on November 14, 2013 between the Government of the French Republic and the Government of the United States of America, known as the agreement " FATCA.

2. Under the terms of article 8 of the law of January 6, 1978 relating to data processing, files and freedoms: "I.- The National Commission for Data Processing and Freedoms is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It carries out the following missions:/ (...) 2° It ensures that the processing of data to personal character are implemented in accordance with the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. :/ (...) d) It handles complaints, petitions and complaints lodged by a data subject or by a body, organization or association, examines or investigates the subject matter of the complaint, to the extent necessary, and informs the author of the complaint of the progress and outcome of the investigation within a reasonable time, in particular if further investigation or coordination with another supervisory authority is necessary (... ) ".

3. It follows from the provisions mentioned in point 2 that it is up to the CNIL to proceed, when it receives a complaint or a claim relating to the implementation of its powers, to examine the facts who are at the origin and to decide on the follow-up to be given to them. To this end, it has a broad power of appreciation and may take into account the seriousness of the alleged breaches with regard to the legislation or regulations that it is responsible for enforcing, the seriousness of the evidence relating to these facts, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. The author of a complaint may refer the CNIL's refusal to respond to it to the judge for abuse of power. It is up to the judge to censure it, if necessary, for reasons of external illegality and, on the grounds of the merits of the decision, in the event of an error of fact or of law, of a manifest error of appreciation or misuse of power.

On the pleas alleging failure to comply with Article 5 of Regulation (EU) 2016/79 of the European Parliament and of the Council of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and to the free movement of this data (GDPR):

4. Article 5 of the regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (GDPR) provides that: " 1. Personal data must be:/ (...) c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization); (...) / e) kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed (...) (limitation of retention) (...) ".

5. The applicant association maintains, firstly, based in particular on an analysis by the US Treasury and declarations by the head of the US tax administration, that the transfer of personal data to the US authorities implemented within the framework of the “FATCA” agreement would not meet the data minimization requirement resulting from c) of paragraph 1 of Article 5 of the GDPR, since, on the one hand, these data would be little or not used by these authorities due to the lack of resources available to do so and, on the other hand, that there is a lack of reciprocity between the American and European authorities regarding the transmission of this data. However, since it is not seriously contested that the processing in dispute meets the legitimate aim of improving compliance with tax obligations and provides for methods of choice, collection and processing of data that are adequate and proportionate to this purpose, the circumstances alleged by the request, and which moreover correspond to a situation likely to evolve, cannot lead to considering the transfer of the data in question from France to the United States as disregarding the requirement of minimization Datas.

6. Secondly, if the applicant association relies on the judgment of the Court of Justice of the European Union of February 24, 2022 "SS" SIA c/ Valsts ienemumu dienests (C-175/20) to argue that the absence of a time limit set for the retention of data would also disregard the requirement that infringements of the right to the protection of personal data must be limited and proportionate, this judgment, which moreover concerned a collection of data carried out in the framework of a tax audit, does not object to the absence of temporal limitation on the collection of data but simply specifies that it is the responsibility of the data controller to establish that he has sought to minimize the quantity of personal data to be collected with regard to the objective pursued by the processing. Furthermore, the sole circumstance that the "FATCA" agreement does not include stipulations on the retention period of the transferred data does not imply, in itself, taking into account the guarantees provided by American law, and in particular by the American federal law of 1974 on the protection of personal data, not contested by the requesting association, a disregard of article 5 of the GDPR.

7. It follows that the arguments based on disregard for this article of the GDPR can only be dismissed.

On the grounds of failure to comply with Article 46 of the GDPR:

8. On the one hand, article 44 of the regulation of April 27, 2016 provides that: "A transfer, to a third country or to an international organization, of personal data which is or is intended to be the subject of 'processing after this transfer may only take place if, subject to the other provisions of this Regulation, the conditions defined in this chapter are respected by the controller and the processor, including for subsequent transfers of data of a personal nature departing from the third country or from the international organization to another third country or to another international organization. All the provisions of this chapter are applied in such a way that the level of protection of natural persons guaranteed by this regulation is not compromised". Under the terms of Article 45 of the same regulation: "1. A transfer of personal data to a third country or to an international organization may take place when the Commission has established by decision that the third country, a territory or one or more specific sectors in this third country, or the international organization in question ensures an adequate level of protection. Such a transfer does not require specific authorization (...)". Article 46 thereof provides that: "1. In the absence of a decision pursuant to Article 45(3), the controller or processor may not transfer personal data to a third country or to a third party. international organization only if it has provided appropriate guarantees and on the condition that the persons concerned have enforceable rights and effective legal remedies. / 2. The appropriate guarantees referred to in paragraph 1 may be provided, without this requiring an specific authorization from a supervisory authority, by: / a) a legally binding and enforceable instrument between public authorities or bodies; [...] ". Under its Article 49: "In the absence of an adequacy decision under Article 45(3) or appropriate safeguards under Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or to an international organization can only take place under one of the following conditions: (...) / d) the transfer is necessary for important reasons of public interest; (...) ".

9. Furthermore, Article 70 of the regulation of April 27, 2016 relating to the European Data Protection Board (EDPS), provides that: "The committee shall ensure the consistent application of this regulation. To this end, the committee, on its own initiative or, where applicable, at the request of the Commission, has the following missions: (...) / f) to publish guidelines, recommendations and good practices in accordance with point e) of this paragraph, with a view to further specifying the criteria and conditions applicable to decisions based on profiling under Article 22(2).

10. It follows from the provisions cited in point 8 that a transfer to a country third to the European Union of personal data being or intended to be the subject of processing after this transfer can in principle only take place 'for the benefit of a so-called adequacy decision of the European Commission, finding that the third country or part of it ensures an adequate level of protection of personal data, or, in the absence of such decision, if the data controller or its subcontractor has provided appropriate guarantees and the data subjects have enforceable rights and effective legal remedies, in accordance with Article 46 of the GDPR. Failing this, a transfer or a set of transfers of personal data to a third country may take place, by way of derogation, in one of the "special situations" provided for in Article 49 of the GDPR, in particular if the transfer is " necessary for important reasons of public interest". Finally, when no exemption for special situations is applicable, the last paragraph of paragraph 1 of Article 49 of the GDPR authorizes a non-repetitive transfer, affecting only a limited number of data subjects, necessary for the purposes of legitimate interests compelling pursuits by the controller which are not overridden by the interests or rights and freedoms of the data subject, and provided that the controller has evaluated all circumstances surrounding the data transfer and has offered, on the basis of this assessment, appropriate guarantees with regard to the protection of personal data.

11. The applicant association maintains, primarily, that if the Council of State, ruling on the dispute, has, by its decision nos. 424216, 424217 of July 19, 2019, judged that the "FATCA" agreement did not disregard not Article 46 of the GDPR, this analysis should necessarily be called into question due to legal developments which follow it.

12. Firstly, by its judgment of July 16, 2020 Data Protection Commissioner against Facebook Ireland Ltd and Maximillian Schrems (C-311/18), the Court of Justice of the European Union, on the one hand, ruled that Article 46 of the GDPR must be interpreted as meaning that the appropriate guarantees, enforceable rights and effective legal remedies required by these provisions must ensure that the rights of persons whose personal data are transferred to a third country on the basis of standard data protection clauses benefit from a level of protection substantially equivalent to that guaranteed within the European Union by this regulation, read in the light of the Charter of Fundamental Rights of the European Union and, on the other hand, ruled that there was no need, following the invalidation of the adequacy decision of the European Commission for the transfer of personal data between the European Union and the States- United, to maintain the effects of this decision in order to avoid the creation of a legal vacuum, taking into account the exemptions for special situations provided for in Article 49 of the GDPR. It thus follows that, in the absence, on the one hand, of an adequacy decision from the European Commission taken on the basis of Article 45 of the GDPR and, on the other hand, of appropriate guarantees, enforceable rights and effective legal remedies satisfying the requirements of Article 46 of the same regulation, a transfer of personal data remains possible in the special situations mentioned in Article 49, in particular for important reasons of public interest. This judgment, which has no impact, in itself, on the legality of transfers between the United States and France of personal data carried out between public authorities on the basis of article 46 of the GDPR, does not allow characterize the illegality of the CNIL's contested decision with regard to this article.

13. Secondly, disregard of the stipulations of the EDPS guidelines, recommendations and good practices, which are not binding, cannot, in itself, be usefully invoked in support of an action directed against a decision to close a complaint from the CNIL. Subsequently, the publication of Guidelines 2/2020 relating to Article 46(2)(a) and (3)(b) of Regulation (EU) 2016/679 for transfers of personal data between public authorities and bodies established in the EEA and those established outside the EEA of the European Data Protection Board on December 15, 2020, which recommend, in particular, the presence, in international agreements serving as a basis for international data transfers of a personal nature, stipulations relating to the limitation of data retention and automated individual decision-making as well as termination clauses, does not make it possible to characterize a lack of knowledge, by the CNIL, of the provisions of article 46 of the GDPR, the requesting association not alleging, moreover and in any event, that American law does not include appropriate guarantees within the meaning of the aforementioned provisions, whereas it follows from the provisions cited in point 10 that such Guarantees need not necessarily result from the agreement and may be provided for by national law.

14. Thirdly, the argument based on failure to understand the requirements relating to the existence of an independent internal control mechanism and minimum guarantees of security of the data in question is not accompanied by the details enabling it to be assessed. the merits.

15. Fourthly, the fact that the “FATCA” agreement does not provide for any mechanism for suspending the transfer of data in the event of a dispute between the parties or a dispute before the authorities of the other State party to the agreement cannot prevent the suspension of such transfers by French administrative authorities in the event of ignorance of the GDPR.

16. Fifth and last, the fact that the “FATCA” agreement does not include any clause relating to automated individual decision-making on the basis of the data transferred is not likely to affect the transfers of data carried out in the framework of this agreement of disregard of the GDPR. The applicant association, which does not maintain that American law would not provide appropriate guarantees, nor does it maintain that the data transferred would be used for such purposes.

17. Consequently, the argument based on failure to comply with Article 46 of the GDPR, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights and Article 8 of the European Convention for the Protection of Human Rights man and fundamental freedoms can only be dismissed, as well as, consequently, the argument based on failure to comply with Article 49 of this same regulation.

On the other grounds of the request:

18. For the reasons mentioned in points 5 to 17, the CNIL, which provided sufficient reasons for its decision, neither disregarded its powers nor committed a manifest error of assessment in closing the applicant association's complaint.

19. It follows from all of the above, without there being any need to refer the preliminary questions raised in the alternative to the Court of Justice of the European Union, since the dispute does not raise any new question of interpretation of the European Union law, that the applicant association is not justified in requesting the annulment of the decision it is contesting. Its conclusions for the purposes of an injunction must, consequently, be rejected, as well as its conclusions presented under article L. 761-1 of the administrative justice code.

DECIDED :
--------------
Article 1: The request of the Association of Accidental Americans is rejected.
Article 2: This decision will be notified to the Association of Accidental Americans, to the Minister for Europe and Foreign Affairs and to the National Commission for Information Technology and Liberties.
A copy will be sent to the Minister of the Economy, Finance and Industrial and Digital Sovereignty.

Deliberated at the end of the meeting of January 17, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr Olivier Yeznikian, Ms Rozen Noguellou, Mr Nicolas Polge, Mr Vincent Daumas, Mr Didier Ribes, State Councilors and Ms Alexandra Bratos, auditor-rapporteur.

Returned on January 30, 2024.

President :
Signed: Mr. Rémy Schwartz
The rapporteur:
Signed: Ms. Alexandra Bratos
The Secretary :
Signed: Ms. Chloé-Claudia Sediang

The Republic requests and orders the Prime Minister as far as he is concerned or any commissioners of justice as required with regard to common law remedies against private parties, to ensure the execution of this decision.
For compliant shipping,
For the litigation secretary, by delegation:

ECLI:FR:CECHR:2024:466115.20240130