CE - N° 432656

From GDPRhub
CE - N° 432656
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Article 5 GDPR
Article 7(4) GDPR
Article 9(2)(a) GDPR
Article 9(2)(g) GDPR
Regulation 2015/1502
Regulation 910/2014
Code de justice administrative
Constitution du 4 octobre 1958
Law n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Decided: 04.11.2020
Published:
Parties: La Quadrature du Net
National Case Number/Name: N° 432656
European Case Law Identifier: ECLI:FR:CECHR:2020:432656.20201104
Appeal from:
Appeal to: Not appealed
Original Language(s): French
Original Source: Legifrance (in French)
Initial Contributor: Roka

The French highest administrative court (Conseil d'Etat) dismissed a request to rescind a decree allowing the creation of a biometric authentication system for public service application "Alicem"[1]. The court acknowledged consent was freely given and that the data collection was necessary and proportionate to the purpose.

English Summary

Facts

On May 13th, 2019 the French government adopted a decree 2019-452 allowing the creation of a common biometric authentication system for several government and public service websites applications[2]. This system is part of the FranceConnect project which allows to login public service websites using your login and password of another public service website[3].

The french organization La Quadrature du Net (LQDN) which promotes digital rights and defends freedom of citizens challenged the legality of the decree. The organization argued that the decree is not based on a lawful consent as described in article 4(11) and article 7(4) GDPR and required in article article 9(2)(a) when dealing with sensitive data. LQDN also argued that the data collection was disproportionate to the purpose of the processing.

On this topic, LQDN asked the Conseil d'Etat to refer two preliminary questions to the CJEU:

  • Should the assessment of the validity of the consent be made at the level of each service subject to personal data processing, independently of the existence of another "equivalent" service or at the level of all "equivalent services"?
  • Are the biometric data collected and processed by a mobile application using facial recognition technology for authentication purposes from certain public services and their partners adequate, relevant and not excessive in relation to the purposes for which they are collected and processed?

Lastly, LQDN claimed that the decree was adopted in violation of the procedure required in the then section 27 of the law n° 78-17 Informatique & Libertés (since replaced by article 31(II)) and section 22 of the French 1958 Constitution.

Dispute

Does the Alicem authentication system rely on a lawful and freely given consent of its users ?

Is the data collection of Alicem disproportionate to the purpose of the processing ?

Was the decree adopted in violation of the french procedure ?

Holding

The Conseil d'Etat rejected LQDN's request to rescind the decree 2019-452 allowing the creation of the Alicem application. It also refused to refer the two preliminary questions to the CJEU, considering that it was able to answer them directly.

On the lawfulness of the consent, the court pointed out that article 9(2)(a) allowed the processing of sensitive data based on consent and that recital 42 GDPR states that to be freely given, a consent must be based on a real choice where data subject can opt to refuse the processing without negative consequences. According to the court the fact that Alicem is part of a greater authentication system (FranceConnect) allowing authentication by other means ensures that consent is freely given.

On the proportionality of the data collection, the Conseil d'Etat stated that to this date, there is no existing authentication system offering the same level of guarantee without the use of biometric data. Furthermore, article 7 of the decree allowed the collection of a limited set of data, namely data relating to the user's identification, the biometric credential identification, the terminal equipment of the user and the transaction history associated with the user's account. Article 9 of the decree adds that the latter cannot be transferred to the service provider of which the user is attempting to login.

Therefore, according to the Conseil d'Etat the collection and processing of sensitive data is necessary and proportionate to the purpose of this processing.

Finally, the French court ruled that the government abided by the procedure to adopt the decree as the Conseil d'Etat was sollicited prior to its adoption and there is no countersigning required from any minister for this particular decree.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Conseil d'État, 10th - 9th joint chambers meeting, 04/11/2020, 432656, Unpublished in the Lebon collection
---

Given the following procedure:

By a petition, a reply and two new briefs, registered on July 15, 2019, August 2, 2020, October 7, 2020 and October 8, 2020 at the Secretariat of Litigation of the Council of State, the association "La Quadrature du net" asks the Council of State :

1°) to annul for excess of power Decree No. 2019-452 of May 13, 2019 authorizing the creation of a means of electronic identification called "Certified online authentication on cell phones";

2°) in the alternative, to refer the following questions to the Court of Justice of the European Union for a preliminary ruling and to stay the proceedings pending the Court's reply to those questions:
1 "The assessment of the validity of consent, within the meaning of point 4 of Article 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be made at the level of each service which is the subject of processing of personal data, regardless of the existence of another "equivalent" service or at the level of all "equivalent services"?
2 Are the biometric data collected and processed by a mobile application using facial recognition technology for authentication purposes from certain public services and their partners adequate, relevant and not excessive in relation to the purposes for which they are collected and processed, within the meaning of Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data?

3°) to charge the State a sum of 4,096 euros pursuant to Article L. 761-1 of the Code of Administrative Justice.

Having regard to the other documents in the file ;

Having regard to :
- Regulation (EU) n°910/2014 of the European Parliament and of the Council of 23 July 2014;
- Regulation (EU) n°2016/679 of the European Parliament and of the Council of 27 April 2016;
- the implementing regulation (EU) 2015/1502 of the Commission of 8 September 2015;
- the law n° 78-17 of January 6, 1978;
- Decree no. 2019-452 of May 13, 2019;
- the code of administrative justice ;

After hearing in public session:

- the report of Mr. Réda Wadjinny-Green, auditor,

- the conclusions of Mr. Alexandre Lallet, public rapporteur ;

Considering the following:

1. The decree of May 13, 2019, which the association "La Quadrature du net" is requesting to be annulled for excess of power, authorizes the implementation by the Minister of the Interior of an automated processing of personal data called "certified online authentication on mobile" (Alicem). Under Article 1 of this decree, the purpose of this processing is to offer French nationals holding a biometric passport and foreign nationals holding a biometric residence permit "the issuance of a means of electronic identification enabling them to identify themselves electronically and to authenticate themselves to public or private bodies, by means of electronic communications terminal equipment equipped with a device enabling the contactless reading of the electronic component of such securities, in compliance with the provisions of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 referred to above, in particular the requirements relating to the level of guarantee required by the teleservice concerned. / The enrolment in this processing by the holder of one of the securities mentioned in Article 2 of this decree gives rise to the opening of an account". Article 4 of this decree stipulates that "The processing mentioned in Article 1 uses a static facial recognition system and a dynamic facial recognition system". Article 10 of the decree provides that the data collected by the facial recognition system are collected for this sole purpose and are "erased as soon as these recognitions are completed". Under the terms of Article 13 of this decree: "The National Agency for Secure Credentials shall, at the time of the application to open the account mentioned in Article 1, inform the user about the use of a static and dynamic facial recognition device and obtain his consent to the processing of his biometric data".

2. The documents in the file and the provisions cited in the previous point show that opening an "Alicem" account enables holders of a biometric passport or residence permit to identify themselves online with public or private partner organizations and to access their teleservices. This service, which takes the form of an application available on the Android operating system, aims to provide users with a high level of guarantee within the meaning of the regulation of July 23, 2014, and thus offer enhanced protection against the misuse or usurpation of their identity in the context of their online procedures. Under the terms of 2.1.2. of the Commission Implementing Regulation of 8 September 2015, this level of guarantee can be achieved if it is verified that the natural person : "is in possession of a biometric or photographic identifier recognised by the Member State in which the application for electronic identity is lodged and that this identifier corresponds to the alleged identity, the element is verified to determine its validity by an authoritative source / and / the applicant is identified as having the alleged identity by comparison of one or more physical characteristics of the person with an authoritative source". To create an "Alicem" account, the user must, among other steps, consent to the processing of biometric data collected through a facial recognition system. If he or she consents, he or she is asked to record a short video from which a facial recognition algorithm verifies that he or she is the legitimate holder of the biometric title on which the digital identity is based, while a living recognition algorithm analyzes the actions performed on the video to detect any attempt at computer attack or deception. Once his identity has been authenticated, the user can finalize his registration. Electronic identifiers are then associated with his account. They enable them to connect to the application and to carry out procedures on partner teleservices. The biometric data collected when the account is created is destroyed. If a user does not consent to processing by facial recognition, he or she cannot create an Alicem account or, consequently, access the application.

On the external legality of the contested decree :

3. Firstly, article 27 of the law of 6 January 1978 relating to data processing, data files and liberties provides, in the wording applicable to the dispute, that: "The processing of personal data implemented on behalf of the State, acting in the exercise of its prerogatives as a public authority, which relates to genetic data or biometric data necessary for the authentication or control of the identity of persons, is authorized by decree of the Council of State, taken after a reasoned opinion has been issued and published by the National Commission for Data Processing and Liberties. When, as in this case, a decree must be issued by the Council of State, the text adopted by the government cannot be different from both the draft it had submitted to the Council of State and the text adopted by the latter.

4. It is apparent from the copy of the minute of the opinion issued by the section of the interior of the Council of State on the draft decree, placed on file by the Minister of the Interior, that the text adopted by the government is identical to the text adopted by the Council of State, subject to the simple rectification of a clerical error in the title of the decree in articles 15 and 16 of that text. Under these conditions, the plea that the contested decree was not adopted by the Council of State must be set aside.

5. Secondly, under the terms of article 22 of the Constitution: "The acts of the Prime Minister shall be countersigned, where appropriate, by the ministers responsible for their execution. The ministers responsible for the execution of a regulatory act are those who are competent to sign or countersign the regulatory or individual measures necessarily involved in the execution of that act. As the impugned decree does not call for enforcement measures on the part of the Keeper of the Seals, the Minister of Justice, the Minister for Territorial Cohesion and Relations with Territorial Communities or the Minister for Overseas Territories, the plea alleging failure to countersign on the part of these ministers must be dismissed.

On the internal legality of the contested decree :

6. In its wording applicable to the dispute, Article 8 of the Law of January 6, 1978 provides that: "I.- It is prohibited to process (...) biometric data for the purpose of uniquely identifying a natural person (...) II.- Insofar as the purpose of the processing requires it for certain categories of data, the following are not subject to the prohibition provided for in I: / 1° Processing operations for which the data subject has given his express consent (...) IV. - Likewise, processing operations, whether automated or not, justified by the public interest and authorized under the conditions provided for in II of Article 26, are not subject to the prohibition provided for in I". According to Article 9(2) of the Regulation of 27 April 2016, known as the General Data Protection Regulation, this prohibition "shall not apply if one of the following conditions is met: / a) the data subject has given his or her express consent to the processing of those personal data for one or more specific purposes (...) ) g) processing is necessary on grounds of substantial public interest on the basis of Union law or the law of a Member State which must be proportionate to the objective pursued, respect the essence of the right to data protection and provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject".

7. Moreover, Article 7 of the Law of January 6, 1978, as it applies to the dispute, provides that: "Processing of personal data must have the consent of the data subject, under the conditions mentioned in Article 4(11) and Article 7 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 mentioned above". Article 4 (11) of the General Data Protection Regulation defines consent as "any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by a declaration or a clear positive act, to personal data relating to him or her being processed". Furthermore, Article 7 of the same Regulation states that: "4. When determining whether consent is given freely, the utmost account shall be taken of the question whether, inter alia, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the performance of that contract". Recital 42 of the same Regulation states that "Consent should not be regarded as having been freely given if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without suffering prejudice", while Recital 43 states that : "Consent shall be presumed not to have been freely given if separate consent cannot be given to different personal data processing operations although this is appropriate in the particular case, or if the performance of a contract, including the provision of a service, is subject to consent even though consent is not necessary for such performance".

8. On the one hand, it does not appear from the documents in the file that, for the creation of electronic identifiers, other means of authenticating the identity of the user existed at the date of the contested decree in a completely dematerialised manner with the same level of guarantee as the facial recognition system. It follows that the use of the processing of biometric data authorized by the contested decree must be regarded as required by the purpose of that processing.

9. Furthermore, the documents in the case file show that the teleservices accessible via the "Alicem" application were also accessible, at the date of the contested decree, via the FranceConnect device, the use of which does not presuppose consent to facial recognition processing. Since users who do not consent to the processing provided for in the context of the creation of an Alicem account can access online, thanks to a unique identifier, all of the teleservices offered, they cannot be considered as suffering any prejudice within the meaning of the above-mentioned general regulation on data protection. It follows that the applicant association is not entitled to maintain that the consent of the users of the Alicem application would not be freely collected or, consequently, that the contested decree would, for that reason, infringe the provisions of the general regulations on data protection and the law of 6 January 1978.

10. Moreover, Article 6 of the Law of January 6, 1978, in its wording applicable at the date of the dispute, provides that personal data must be "3° (...) adequate, relevant and not excessive in relation to the purposes for which they are collected and their subsequent processing". For the application of these provisions, data relevant to the purpose of processing are those which are adequate for the purpose of processing and proportionate to that purpose. Article 7 of the contested decree provides for the collection of data relating, firstly, to the identification of the user, secondly, to the identification of his biometric title, thirdly, to the electronic communications terminal equipment he uses and, finally, to the history of the transactions associated with his account, the latter data not being communicated to teleservice providers pursuant to Article 9. In view of their purpose and the purposes of the processing recalled in point 1, the collection of these data must be considered adequate and proportionate to that purpose.

11. It follows from all of the foregoing, without the need to refer questions to the Court of Justice of the European Union for a preliminary ruling, that La Quadrature du net's application must be dismissed, including its conclusions presented under article L. 761-1 of the Code of Administrative Justice.

D E C I D E S :
--------------

Article 1: The request of La Quadrature du net is rejected.
Article 2: The present decision will be notified to La Quadrature du net and to the Minister of the Interior.
A copy will be sent to the National Commission of Data Processing and Liberties.

ECLI:FR:CECHR:2020:432656.20201104