CE - N° 429571
|CE - 429571|
|Relevant Law:||Article 6(1)(a) GDPR|
Article 6(1)(b) GDPR
Article 6(1)(f) GDPR
|National Case Number/Name:||429571|
|European Case Law Identifier:||ECLI:FR:CECHR:2020:429571.20201210|
|Appeal from:||CNIL (France)|
|Appeal to:||Not appealed|
|Original Source:||Legifrance (in French)|
The French Supreme Administrative Court (Conseil d’Etat) held that the French DPA (CNIL) lawfully issued a guideline ("recommendation") on consent to storage of customer's credit card data by e-commerce websites. The Court also found that said websites do not have a legitimate interest to store credit card data under Article 6(1)(f) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
On 6 September 2018, the CNIL issued a Recommendation on the processing of credit card data in the context of online purchase of goods and services. The recommendation provides that:
(1) Credit card data can only be processed in order to complete a transaction in connection with the performance of a contract;
(2) The storage of such data in order to facilitate subsequent payments is only possible if:
- (a) The data subject has expressed prior and explicit consent; or
- (b) Has taken a subscription offering access to additional services, thus intending to enter in a regular commercial relationship.
Cdiscount, a marketplace website, requested the CNIL to modify those rules. It argued that websites should also be able to store credit card data of customers who can reasonably foresee their data will be stored, on the basis of their purchasing frequency. The CNIL did not meet the demand. Cdiscount is thus seeking the annulment of the decision before the French Administrative Supreme Court.
Dispute[edit | edit source]
Did the CNIL exceed its remit when interpreting Article 6 GDPR in its Recommendation?
Did the CNIL, by requiring prior and explicit consent, wrongly considered credit card data as a special category of personal data (Article 9 GDPR)?
Does the data controller have a legitimate interest to process credit card data of recurring purchasers under Article 6(1)(f)?
Can the recommendation be annulled on the ground that it creates a distortion of competition with foreign economic operators that are not subject to similar legislation?
Holding[edit | edit source]
The Supreme Administrative Court dismisses the appeal, on the following grounds.
On the CNIL's competence to interpret Article 6 GDPR[edit | edit source]
The Court holds that the CNIL acted within its power when interpreting Article 6 GDPR. This power is derived from (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés). These provisions designate the CNIL as Supervisory authority for France under Article 51 GDPR. They also expressly grant the CNIL power to issue guidelines and recommendations in order to help achieving compliance with the GDPR.
On the alleged confusion of credit card data with special categories of data[edit | edit source]
The French Supreme Administrative Court finds that the CNIL only referred to Article 6 GDPR. Thus, the argument is dismissed.
On the legitimate interest to process credit card data of regular customers[edit | edit source]
The French Supreme Administrative Court balances the possible legitimate interest of websites to process such data against the fundamental rights and freedom of data subjects. Relevant elements in this test are the nature of collected data, the purpose and methods of the data processing and the data subject reasonable expectation that its data are not subsequently processed.
Firstly, the Court notes that the storage of credit card data does not stem from any legal obligation. It is not necessary to protect vital interests or the performance of a task carried out in the public interest. Likewise, it is not necessary for the performance of a contract.
Secondly, the Court holds that the storage of credit card data in order to ease future payments does not prevail on customers’ interest to the protection of their data. This conclusion takes in account the sensitivity of this category of data in regard with the damage that would cause any leak. Furthermore, the Court considers that customers cannot reasonably foresee that such data will be stored.
On the distortion of competition[edit | edit source]
The Court holds that the alleged distortion does not affect the recommendation’s lawfulness.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Council of State, 10th - 9th chambers combined, 10/12/2020, 429571 Board of state - 10th - 9th rooms combined N° 429571 ECLI:FR:CECHR:2020:429571.20201210 Mentioned in the tables of the Lebon collection Reading the Thursday December 10, 2020 Rapporteur Ms. Myriam Benlolo Carabot Public reporter M. Alexandre Lallet Lawyer (s) SCP BASEMENT, MOLINIE Full Text FRENCH REPUBLIC IN NAME OF THE FRENCH PEOPLE Considering the following procedure: By a request and two reply memoranda, registered on April 8, 2019, March 2 and November 17, 2020 at the Litigation Secretariat of the Council of State, Cdiscount asks the Council of State: 1 °) to annul for excess of power the implicit decision of the president of the National Commission for Informatics and Freedoms (CNIL) rejecting the request she presented on December 7, 2018 tending to modify deliberation no. ° 2018-303 of September 6, 2018; 2 °) to order the CNIL to re-examine, in the light of the decision to be made, the retention regime for bank card data for non-subscribed customers, within a period of one month from the date of the notification of the decision to be taken; 3) in the alternative, to refer a question to the Court of Justice of the European Union for a preliminary ruling concerning the interpretation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of individuals with regard to the processing of personal data and on the free movement of such data; 4 °) to charge the CNIL the sum of 3,000 euros under the provisions of article L. 761-1 of the code of administrative justice. Having regard to the other documents in the file; Seen: - the Constitution ; - the European Convention for the Protection of Human Rights and Fundamental Freedoms; - the Charter of Fundamental Rights of the European Union; - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016; - Law n ° 78-17 of January 6, 1978; - the code of administrative justice and decree n ° 2020-1406 of November 18, 2020; After hearing in public session: - the report by Ms Myriam Benlolo Carabot, master of requests for extraordinary service, - the conclusions of Mr. Alexandre Lallet, public rapporteur; The floor having been given, after the conclusions, to SCP Piwnica, Molinié, lawyer of the company Cdiscount; Considering the following: 1. It appears from the documents in the file that, by a deliberation of September 6, 2018, the National Commission for Informatics and Freedoms (CNIL) adopted a recommendation concerning the processing of data relating to the payment card in sales matters. of goods or the provision of services at a distance. With this recommendation, the CNIL has indicated that this data can only be collected and processed by a company selling goods or services at a distance to allow the completion of a transaction within the framework of the execution of a contract and that the conservation of this data in order to facilitate any subsequent payments is only possible if the persons to whom these data relate have given prior and explicit consent, unless they have taken out a subscription giving access to additional services, translating their registration into a regular commercial relationship. 2. The Cdiscount company sent the President of the CNIL a request to modify the deliberation of September 6, 2018, in order to authorize the storage of bank card numbers for customers who do not subscribe but whose recurrence of purchases suggests that they can reasonably expect that their bank details will be kept to simplify their subsequent purchases. She requests the cancellation for excess of power of the refusal by the President of the CNIL to this request. 3. On the one hand, under the terms of article 6 of the regulation of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: "1. Processing is only lawful if, and insofar as, at least one of the following conditions is met: a) the data subject has consented to the processing of their personal data for one or more specific purposes; / b) the processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the latter; / c) the processing is necessary for compliance with a legal obligation to which the controller is subject; / d) the processing is necessary to protect the vital interests of the data subject or of another natural person; / e) the processing is necessary for the performance of a task of interest public or under the exercise of e the public authority vested in the controller; / f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, especially when the person concerned is a child. (...) ". According to recital 47 of the grounds for this regulation:" The legitimate interests of a controller, including those of a controller to whom personal data may be communicated, or '' a third party may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller (.. .) ". 4. On the other hand, Article 58 of the Regulation provides that: "3. Each supervisory authority has all the following authorization and advisory powers: (...) b) issue, of its on its own initiative or on request, opinions for the attention of the national parliament, the government of the Member State or, in accordance with the law of the Member State, other institutions and bodies as well as the public, on any matter relating to the protection of personal data; (...) ". Under the terms of article 11 of the law of January 6, 1978 relating to data processing and freedoms in the version applicable to the dispute: "I. The National Commission for data processing and freedoms is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of the aforementioned Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It carries out the following missions: (...) 2 ° It ensures that that the processing of personal data is carried out in accordance with the provisions of this law and the other provisions relating to the protection of personal data provided for by laws and regulations, European Union law and international commitments of France. / As such: (...) a bis) It establishes and publishes guidelines, recommendations or standards intended to facilitate the compliance of personal data processing l with the texts relating to the protection of personal data and to carry out a prior risk assessment by data controllers and their subcontractors (...) ". 5. First, by the disputed deliberation, the CNIL confined itself, within the framework of the prerogatives conferred on it by the provisions mentioned in point 4, to giving its interpretation of the provisions of the regulation of 27 April 2016 mentioned in point 3 in as regards the modalities according to which a data controller can legally keep the bank card data of customers of its online shopping services. Consequently, the plea alleging that it incompetently amended that regulation can only be rejected. 6. Secondly, article 9 of the regulation of 27 April 2016 provides that "1. The processing of personal data which reveals racial or ethnic origin, political opinions, religious or philosophical convictions or affiliation union, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sexual life or sexual orientation of a natural person are prohibited. / 2. Paragraph 1 does not apply if one of the following conditions is fulfilled: / a) the data subject has given his explicit consent to the processing of such personal data for one or more specific purposes, except when the Union law or the law of the Member State provides that the prohibition referred to in paragraph 1 cannot be lifted by the data subject (...) ". Contrary to what the Cdiscount company maintains, the CNIL did not base the requirement of prior consent of the persons concerned by the processing operations considered on the provisions of article 9 of the regulation of April 27, 2016, which have just been cited, but on those of its article 6. Consequently, the plea according to which the CNIL would have wrongly assimilated the banking data to sensitive data within the meaning of article 9 of the regulation of April 27, 2016 can only be rejected. 7. Thirdly, it clearly follows from the provisions of Article 6 of the Regulation of 27 April 2016 cited in point 3 that processing of personal data does not meet the requirements of the Regulation, since it is not necessary neither for compliance with a legal obligation to which the controller is subject, nor for the performance of a task of public interest or relating to the exercise of public authority vested in the controller, nor for the protection of the vital interests of the data subject or of another natural person, only if the data subject has consented to the processing of their data, unless the processing is necessary for the performance of a contract to which the data subject is a party or to the execution of pre-contractual measures taken at the latter's request, or as necessary for the purposes of the legitimate interests pursued by the controller or by a third party, on condition, in the latter case, q such legitimate interests may be regarded as prevailing over the interests of the persons concerned or over their fundamental rights and freedoms. To make this assessment, it is necessary to weigh, on the one hand, the legitimate interest pursued by the controller and, on the other hand, the interest or the fundamental rights and freedoms of the data subjects, given with regard in particular to the nature of the data processed, the purpose and methods of the processing as well as the expectations that these persons may reasonably have regarding the absence of further processing of the data collected. 8. On the one hand, it is not disputed that the retention of bank card numbers for certain customers of non-subscriber online shopping sites to facilitate subsequent purchases is neither necessary for compliance with a legal obligation, neither for the performance of a task of public interest, nor for the protection of the vital interests of the data subject or of another person. As regards the performance of a contract to which the person concerned is a party, the retention of the bank card number cannot be justified once this contract has been executed. 9. On the other hand, if the company maintains that the conservation of the bank card number of the customer who made an online purchase is necessary for the purposes of the legitimate interest consisting in facilitating subsequent payments by exempting the customer from it. enter each of its purchases, in particular within the framework of a fast purchase functionality - known as "in one click" - this interest cannot prevail over the interest of the customers to protect this data, taking into account the sensitivity of these banking information and the damages that may result to them from its capture and misuse, and while many customers who use e-commerce sites to make one-off purchases cannot reasonably expect that the companies concerned keep such data without their consent. As a result, the CNIL was rightly able to consider that, in general, the storage of bank card numbers of customers of online shopping sites should be subject to the explicit consent of the person concerned to facilitate subsequent purchases. It follows from there that the plea alleging disregard by the disputed deliberation of the regulation of April 27, 2016 must be rejected. 10. Fourth, the alleged circumstance that the contested deliberation would have the effect of creating a distortion of competition for the benefit of foreign economic operators coming under the regulators of other countries, or not being subject to any regulation, is by it - even, without affecting its legality. 11. It follows from all of the foregoing that, without there being any need to refer a preliminary ruling to the Court of Justice of the European Union, Cdiscount is not justified in requesting annulment for excessive power. of the implicit decision of the president of the CNIL rejecting her request to modify the deliberation of September 6, 2018. Her conclusions for injunction purposes as well as those presented under Article L. 761-1 of the Code of administrative justice must, therefore, be rejected. DECIDES: -------------- Article 1: The request of the Cdiscount Company is rejected. Article 2: This decision will be notified to the Cdiscount Company and to the national commission for data processing and freedoms. ECLI:FR:CECHR:2020:429571.20201210