CE - N° 472864
From GDPRhub
| CE - N° 472864 | |
|---|---|
 | |
| Court: | CE (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 32 GDPR article 8 de la loi du 6 janvier 1978 articles 87 and 90 de la loi du 6 janvier 1978 articles L. 233-1 et L. 233-1-1 du code de la sécurité intérieure |
| Decided: | 30.04.2024 |
| Published: | |
| Parties: | Municipality of Beaucaire |
| National Case Number/Name: | N° 472864 |
| European Case Law Identifier: | FR:CECHR:2024:472864.20240430 |
| Appeal from: | France n° MED-2023-006 du 6 février 2023 |
| Appeal to: | Unknown |
| Original Language(s): | French |
| Original Source: | Conseil d'Etat (in French) |
| Initial Contributor: | Nikolaos. Konstantis |
The Supreme Administrative Court upheld the DPA’s decision finding various GDPR violations by a municipality, including the failure to perform a DPIA under Article 35 GDPR for a video surveillance system involving 73 cameras covering public areas.
English Summary
Facts
The French DPA (CNIL) issued a decision against the municipality for multiple violations of the GDPR stemming from a video surveillance system and automatic license plate reading devices.
According to the CNIL, the municipality was not a competent authority entitled under the Internal Security Code (Code de la sécurité intérieure) to implement automated reading devices for the registration plates of vehicles. Additionally, the collection of registration plate data for the sole purpose of responding to the requests of law enforcement officials, exercising their judicial police duties would not correspond to one of the purposes listed in article L. 251-2 of Internal Security Code.
Also, the municipality was obliged to perform the DPIA, because 73 cameras covered the areas accessible to the public, inter alia areas close to major routes of passage and several public services and infrastructure. Hence, data processing at hand posed a high risk to rights and freedoms of natural persons and the duty to perform DPIA under Article 35 GDPR was due.
The CNIL also found the municipality violated Article 32 GDPR for several reasons, including network infrastructure issues, usage of a server operating systems with no update-support for nearly 10 years and no maintained service by the developer, and for insufficient practices regarding the security of passwords used for applications within the community.
The municipality filed an appeal to overrule the decision.
Holding
The French Supreme Administrative Court (Conseil d'Etat) rejected the appeal.
First, the court emphasised that the municipality implemented the devices in question for the sole purpose of responding to the requests of the security forces, i.e., making the data available to the security forces for the exercise of their judicial police duties. However, such a purpose was not provided for in article L. 251-2 of the Internal Security Code, making the activity of the municipality unlawful.
Secondly, the court sustained the argument of CNIL that some data processing posed a high risk to rights and freedoms of natural persons. Consequently, the DPIA had to be performed.
Thirdly, the court found no justification to overrule the violation of Article 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
Full Text FRENCH REPUBLIC IN THE NAME OF THE FRENCH PEOPLE Considering the following procedure: By a summary request and a complementary brief, recorded on April 7 and July 7, 2023 at the litigation secretariat of the Council of State, the municipality of Beaucaire requests the Council of State: 1°) primarily, to cancel for abuse of power decision no. MED-2023-006 of February 6, 2023 by which the National Commission for Informatics and Liberties gave it formal notice to take, under a period of six months, various measures in order to comply with the provisions of the general data protection regulations and the law of January 6, 1978 relating to data processing, files and freedoms; 2°) in the alternative, to repeal this decision; 3°) to charge the National Commission for Information Technology and Liberties the sum of 4,000 euros under article L. 761-1 of the administrative justice code. Considering the other documents in the file; Seen : - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016; - Law No. 78-17 of January 6, 1978; - Decree No. 2019-536 of May 29, 2019; - the internal security code; - the administrative justice code; After hearing in public session: - the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service, - the conclusions of Mr. Laurent Domingo, public rapporteur; The floor having been given, after the conclusions, to SCP Boré, Salve de Bruneton, Mégret, lawyer for the commune of Beaucaire; Considering the following: 1. It appears from the documents in the file that following a report from the regional audit chamber, a control delegation from the National Commission for Informatics and Liberties (CNIL) carried out, on May 27, 1 July and November 30, 2021, on-site and documentary checks with the municipality of Beaucaire (Gard) in order to check the conformity of the IT and video protection devices of this municipality. By a decision of February 6, 2023, taken in application of II of article 20 of the law of January 6, 1978 relating to computing, files and freedoms, the president of the CNIL ordered the municipality to put an end, within a period of six months, to various breaches, noted by the supervisory delegation, of Article 32 of the regulation of the European Parliament and of the Council of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of data, known as RGPD, and articles 87 and 90 of the law of January 6, 1978. The municipality of Beaucaire requests the annulment for abuse of power of this decision. On the breach of articles 87 and 90 of the law of January 6, 1978: 2. Firstly, under the terms of article 87 of the law of January 6, 1978, title III of this law "applies, without prejudice to title I, to the processing of personal data implemented, for the purposes of prevention, detection, investigation and prosecution of criminal offenses or execution of criminal sanctions, including protection against threats to public security and prevention of such threats, by any public authority competent authority or any other body or entity to which has been entrusted, for these same purposes, the exercise of public authority and the prerogatives of public power, hereinafter referred to as competent authority / These processing operations are only lawful if and in. to the extent that they are necessary for the execution of a mission carried out, for one of the purposes set out in the first paragraph, by a competent authority within the meaning of the same first paragraph and where the provisions of Articles 89 and 90 are respected. processing ensures in particular the proportionality of the duration of retention of personal data, taking into account the purpose of the file and the nature or seriousness of the offenses concerned. "Moreover, in its wording applicable on the date of the contested decision, article L. 251-2 of the internal security code provided that: "The transmission and recording of images taken on public roads by the means of video protection may be implemented by the competent public authorities for the purposes of ensuring: / 1° The protection of public buildings and installations and their surroundings; / 2° The safeguarding of installations useful for national defense; / 3° The regulation of transport flows; / 4° Reporting violations of traffic rules; / 5° Prevention of attacks on the security of people and property in places particularly exposed to risks of aggression, theft or drug trafficking as well as the prevention, in areas particularly exposed to these offenses, of fraud customs duties provided for by the last paragraph of article 414 of the customs code and offenses provided for in article 415 of the same code relating to funds originating from these same offenses; / 6° The prevention of acts of terrorism, under the conditions provided for in Chapter III of Title II of this book; / 7° Prevention of natural or technological risks; / 8° Rescue of people and defense against fire; / 9° The security of installations welcoming the public in amusement parks; / 10° Compliance with the obligation to be covered, to operate a land motor vehicle, by insurance guaranteeing civil liability; / 11° Prevention and reporting of offenses relating to the abandonment of garbage, waste, materials or other objects. (...) ". Finally, article L. 233-1 of the internal security code provides: "In order to prevent and repress terrorism, to facilitate the reporting of related offenses, to facilitate the reporting criminal offenses or offenses linked to organized crime within the meaning of articles 706-73 and 706-73-1 of the code of criminal procedure, offenses of theft and receiving stolen vehicles, offenses of smuggling, importation or export committed by an organized gang, provided for and punished by the last paragraph of article 414 of the customs code, as well as the recognition, when they relate to funds originating from these same offenses, of the realization or the attempt of realization financial operations defined in Article 415 of the same code and in order to allow the gathering of evidence of these offenses and the search for their perpetrators, the national police and gendarmerie and customs services may implement fixed or mobile devices automated control of the identification data of vehicles taking photographs of their occupants, at all appropriate points in the territory, in particular in border, port or airport areas as well as on major national or international transit routes. / The use of such devices is also possible by the national police and gendarmerie services, on a temporary basis, for the preservation of public order, on the occasion of special events or large gatherings of people, by decision of the administrative authority", while article L. 233-1-1 of the same code provides that: "In order to facilitate the detection of infractions of the highway code, allow the gathering of evidence of these infractions and the research of their authors as well as implement the provisions of article L. 121-4-1 of the highway code, the national police and gendarmerie services may implement fixed or mobile devices for automated control of identification data vehicles taking photographs of their occupants, at all appropriate points in the territory". 3. It appears from the documents in the file that the video protection system implemented by the municipality of Beaucaire since 1995 included, on the date of the contested decision, 73 cameras installed on public roads and outdoors, six of which were equipped with devices automated reading of vehicle registration plates, and was last authorized by an order from the prefect of Gard dated November 9, 2020. The contested decision states that the processing of personal data linked to the implementation of this device disregards article 87 of the law of January 6, 1978 since the municipality is not a competent authority capable of implementing devices for automated reading of vehicle registration plates in accordance with articles L. 233-1 and L 233-1-1 of the internal security code and, in addition, the collection of registration plate data having the sole purpose of responding to requests from the police for the exercise of their missions. judicial police, relating to offenses, would not correspond to one of the purposes listed in article L. 251-2 of the same code. 4. If articles L. 233-1 and L. 233-1-1 of the internal security code authorize only the customs, police and national gendarmerie services to implement automated control systems for the identification data of vehicles taking photographs of their occupants for the purposes they provide, they do not have the effect of prohibiting the competent authorities from implementing, on the basis of article L. 251-2 of this same code, devices for automated reading of vehicle registration plates. However, these authorities can only do so for one of the purposes listed in this article and in compliance with Title V of Book II of this same code. 5. It appears from the documents in the file that if the commune of Beaucaire is a competent authority within the meaning of articles L. 251-2 of the internal security code and 87 of the law of January 6, 1978, it has not implemented the disputed devices only for the sole purpose of responding to requests from law enforcement by making the data thus collected available to them for the exercise of their judicial police missions. It follows that the CNIL, which moreover did not commit a factual error as to the indetermination of the purposes pursued, rightly held that this purpose is not among those provided for by article L. 251-2 of the internal security code and that the implementation of the disputed measures therefore disregards article 87 of the law of January 6, 1978. Consequently, the commune of Beaucaire is not justified in maintaining that the contested decision would be illegal in that it requires it to cease implementing devices for automated reading of vehicle registration plates. 6. Secondly, under the terms of the first paragraph of article 90 of the law of January 6, 1978, in force since June 1, 2019: "If the processing is likely to generate a high risk for the rights and freedoms natural persons, in particular because it concerns data mentioned in I of Article 6, the data controller carries out an impact analysis relating to the protection of personal data. The provisions of the first paragraph of I of article 130 of the decree of May 29, 2019 taken for the application of this law specify that: "The fact that a type of processing is likely to generate a high risk for the rights and the freedoms of natural persons requiring the carrying out of an impact analysis pursuant to article 90 of the aforementioned law of January 6, 1978 is determined by the use of new technologies, and taking into account the nature, scope, of the context and purposes of the processing". 7. It appears from the documents in the file that the video protection system implemented by the municipality of Beaucaire included, on the date of the contested decision, 73 cameras installed in areas accessible to the public, in particular near major thoroughfares. and several public services and infrastructures. Consequently, the CNIL, which sufficiently justified its decision, accurately qualified the facts by holding that the implementation of the disputed video protection system was, given its nature and its scale, likely to present a high risk for the rights and freedoms of natural persons and therefore required the carrying out of an impact analysis relating to the protection of personal data in application of the provisions cited in point 6. The municipality of Beaucaire is therefore not justified in requesting the annulment of the contested decision in that it required it to carry out such an impact analysis. On breaches of Article 32 of the GDPR: 8. On the one hand, in accordance with I of article 8 of the law of January 6, 1978, the CNIL is the national supervisory authority within the meaning and for the application of the GDPR. It is in particular responsible for informing all data subjects and all data controllers of their rights and obligations and ensuring that the processing of personal data is implemented in accordance with the provisions of the law of January 6, 1978 and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. It may, in this capacity, establish and publish guidelines, recommendations or standards intended to facilitate compliance of the processing of personal data with the applicable texts. Under Articles 19 to 23 of the same law, it can also carry out checks on all processing operations and take corrective measures and sanctions when a processing operation disregards the GDPR or the law of January 6, 1978. 9. On the other hand, under the terms of Article 32 of the GDPR: "1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk, including, among other things, as necessary: / a) pseudonymization and encryption of personal data / b) means to guarantee the constant confidentiality, integrity, availability and resilience of the systems; and processing services; / c) means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident / d) a procedure to test; , to regularly analyze and evaluate the effectiveness of technical and organizational measures to ensure the security of the processing (...)". 10. Firstly, the contested decision finds a failure to comply with the obligation to ensure the security of personal data subject to processing, provided for by Article 32 of the GDPR, due to the insufficient complexity passwords used for three applications implemented by the municipality of Beaucaire, which could thus lead to a compromise of the accounts and the data they contain. If the reasons for the contested decision include elements also mentioned in a deliberation no. 2022-100 of July 21, 2022 adopting a recommendation relating to passwords and other shared secrets, taken by the CNIL on the basis of the provisions of article 8 of the 1978 law in order to interpret article 32 of the GDPR, the Commission does not consider a breach of the latter article due to a lack of awareness, as such, of this recommendation but has limited, as it could rightly do, to taking into account the elements of this recommendation to assess compliance with the provisions whose sole purpose it is to contribute to the implementation. 11. Secondly, if the contested decision cites extracts from technical recommendations, devoid of normative value, relating to the secure administration of information systems and formulated by the National Information Systems Security Agency, these The elements are only intended to explain good technical practices, in particular updating, which, according to the CNIL, make it possible to guarantee a level of security adapted to the risk in accordance with article 32 of the GDPR for which it is responsible for ensure respect. The Commission was therefore able to legally characterize a breach of this article due to the use by the municipality of an operating system which is no longer updated by its publisher. 12. Thirdly, the municipality does not seriously dispute that, as the CNIL maintains, the additional security systems alone do not ensure an appropriate level of security in the event of obsolescence of an operating system. It is therefore not justified in maintaining that the contested decision would be tainted with illegality by finding, despite the alleged use of such ancillary security systems, a failure to comply with this obligation due to the municipality's accommodation of five servers using an operating system that was no longer maintained by its publisher since July 14, 2015. 13. Fourthly, the contested decision finds a breach of the security obligation imposed by Article 32 of the GDPR due to the lack of segmentation of the network of the municipality of Beaucaire. In doing so, the CNIL set out in the contested decision, as well as its ability to carry out its missions recalled in point 8, the technical measures whose implementation is, according to it, likely to guarantee compliance of the provisions of article 32 of the GDPR. The municipality of Beaucaire, which limits itself to contesting the existence of technical recommendations without establishing that the CNIL disregards the provisions of this article by requiring it to proceed with the segmentation of its network, is therefore not justified in maintaining that the contested decision would therefore be tainted with illegality. On the requests for partial repeal of the contested decision: 14. If the commune of Beaucaire requests the repeal of the contested decision in that it puts it in a position to carry out certain compliance measures, on the grounds that it has complied or is in the process of complying with the updates in dispute, conclusions for the purpose of repealing a decision of formal notice taken in application of the provisions of II of article 20 of the law of January 6, 1978 are not admissible. 15. It follows from all of the above that the commune of Beaucaire is not justified in requesting the annulment of the decision it is contesting. His request must therefore be rejected, including his conclusions seeking the application of article L. 761-1 of the administrative justice code. DECIDED : -------------- Article 1: The request from the municipality of Beaucaire is rejected. Article 2: This decision will be notified to the municipality of Beaucaire and to the National Commission for Information Technology and Liberties. A copy will be sent to the Minister of the Interior and Overseas Territories. Deliberated at the end of the session of April 5, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr. Olivier Yeznikian, Ms. Rozen Noguellou, Mr. Nicolas Polge, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors and Mr. Emmanuel Weicheldinger, master of requests in extraordinary rapporteur service. Returned on April 30, 2024. President : Signed: Mr. Rémy Schwartz The rapporteur : Signed: Mr. Emmanuel Weiheldinger The Secretary : Signed: Ms. Claudine Ramalahanoharana ECLI:FR:CECHR:2024:472864.20240430
