CNIL (France) - SAN-2023-016

From GDPRhub
CNIL - CNIL-SAN-2023-016
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(b) GDPR
Article 20, Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms
Type: Complaint
Outcome: Upheld
Started: 27.01.2023
Decided: 09.11.2023
Published: 14.11.2023
Fine: n/a
Parties: Ministry of Economy, Finance and Industrial and Digital Sovereignty
National Case Number/Name: CNIL-SAN-2023-016
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: National Commission for Informatics and Freedoms (in FR)
Initial Contributor: R_e_

The French DPA found that two French Ministries had breached Article 5(1)(b) GDPR. The Ministries had used the email addresses of 2,346,303 public servants to share a video promoting the pension reform - against the original purposes of the data processing, limited to administrative communications to employees.

English Summary[edit | edit source]

Facts[edit | edit source]

1,590 complaints were received by the French DPA against the Ministry of Economy, Finance and Industrial and Digital Sovereignty (the Ministry of Economy) and the Ministry of Transformation and Public Service (the Ministry of Transformation) regarding an email sent on 26 January 2023 to the civil service sector, containing a short video in which the Minister of Transformation spoke about the pension reform. The complaints primarily concerned the receipt of political communications and, in some cases, about receiving the email when the data subjects were no longer public officials.

The DPA enquired with the DPO of both Ministries about the applicable legal basis for the email, the origin of the data used to send the email, the recipients of the email, the number of persons concerned by the process, the identity of the controller(s), the purposes of the processing and any evidence of the lawfulness of the processing.

On 2 February 2023, the DPO replied indicating that the email had been sent to 2,346,303 people and that the data originated from a database containing all active, incumbent and non-incumbent public agents registered online.

Following this, the DPA appointed a rapporteur to conduct an investigation. At the end of which, the rapporteur presented a breach of purpose limitation under Article 5(1)(b) GDPR. The processing in question aimed to send a message involving political communication, which was incompatible with the original collection of the data: limited to administrative communications to employees. Thus, on 26 October 2023, the rapporteur and the company presented oral observations to the DPA.

Holding[edit | edit source]

Firstly, the DPA confirmed that the ministries were joint controllers under Article 26 GDPR. This could be gathered by the DPO's evidence as to the respective roles of the Ministries in sending the email and the fact that they were both full-function Ministries. For example, the Ministry of Transformation gave instructions on embedding the video so it could be watched in the email and that statistics on the opening rate, viewing rate and number of clicks on the accompanying PowerPoint should be collected; thereby defining the purposes and means of the processing. On the other hand, the Ministry of Economy was a joint controller by implementing the automated processing of personal data.

Secondly, on the alleged breach of Article 5(1)(b) GDPR, the joint controllers disputed the political nature of the processing as the general content and video of the email was an informative communication about the impacts of the proposed reform. In this regard, the DPA disagreed since the email was sent by one of the Ministers responsible for the pension reform and the general tone of the message intended to convince people of the need for and merits of the reform. The DPA also recalled a previous decision which held that the automated processing of personal data of public officials, which purpose is limited to a communication of an administrative nature, cannot be used for a communication of a political nature.

Hence, the DPA found that the use of the database was against the original purpose of processing and breached Article 5(1)(b) GDPR.

Therefore, the DPA handed down a 'call to order' against the joint controllers for breaching Article 5(1)(b) GDPR, and no fine was issued in line with Article 20 of Law No. 78-17, where the processing of personal data is carried out by the State.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training n°SAN-2023-016 of November 9, 2023 concerning the Ministry of Transformation and Public Service and the Ministry of the Economy, Finance and Industrial and Digital Sovereignty

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Christine MAUGÜÉ and Ms. Isabelle LATOURNARIE-WILLEMS, and Mr. Bertrand of MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated June 13, 2023;

Having regard to the report of Ms Sophie LAMBREMON, Commissioner Rapporteur, notified on June 22, 2023:

-to the Ministry of Transformation and Public Service;

-and to the Ministry of the Economy, Finance and Industrial and Digital Sovereignty;

Having regard to the written observations submitted by the Ministry of Transformation and Public Service on July 20, 2023;

Considering the other documents in the file;

Were present during the restricted training session on October 5, 2023:

- Mrs Sophie LAMBREMON, commissioner, heard in her report;

As representatives of the ministries:

- Mr […];

- Mr […].

The representatives of the Ministries of Transformation and Public Service and of Economy, Finance and Industrial and Digital Sovereignty having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The National Commission for Information Technology and Liberties (hereinafter “the CNIL” or “the Commission”) has received 1,590 complaints relating to the receipt on January 26, 2023 of an email sent by the electronic address “ne-pas-repondre@dgfip.finances.gouv.fr” and whose subject was “Pension reform: Message from Stanislas Guerini to civil service agents”. The email contained a link to a video lasting 6 minutes and 36 seconds entitled "Pension reform: Message from Stanislas Guerini to civil service agents" in which the Minister of Transformation and Public Service spoke .

2. The complaints targeted the Ministry of the Economy, Finance and Industrial and Digital Sovereignty (hereinafter “Ministry of the Economy”) and the Ministry of Transformation and Public Service. Generally speaking, the complainants describe the email they received as a "political communication", and the use, by the Directorate General of Public Finances (DGFiP), of their personal data, for sending this email. by the Ministry of Public Transformation and Service. In addition, some complainants claimed to have been recipients of the email even though they are no longer public officials.

3. By email of January 27, 2023, the Commission services questioned the data protection officer of the two ministries (hereinafter "the DPO") on the following points: the applicable legal basis, the origin of the data used to send the email, the recipients of the email, the number of people affected by the processing, the identity of the data controller(s), the purposes of the processing, any prior information that may have been provided in order to facilitate the exercise rights, and any supporting element of the lawfulness of the processing. Two reminder emails were sent by the CNIL to the DPO on January 30 and February 1, 2023.

4. On February 2, 2023, the DPO responded by indicating in particular that the email had been sent to 2,346,303 people and specifying that this number corresponds to that of all active agents, tenured and non-tenured, registered in the digital space security of the public agent (ENSAP).

5. By email of February 14, 2023, the CNIL services requested additional information from the DPO, who responded on February 17, 2023 by attaching a copy of the email exchanges between the DGFiP and the general directorate of administration and the civil service (DGAFP) having preceded the sending of the disputed email to public officials deemed to be active.

6. For the purposes of examining these elements, the President of the Commission, on June 13, 2023, appointed Ms. Sophie LAMBREMON as rapporteur on the basis of article 39 of decree no. 2019-536 of May 29, 2019 amended.

7. At the end of her investigation, the rapporteur, on June 22, 2023, notified the ministries of a report detailing the breach of Article 5-1-b) of the general data protection regulation (hereinafter " GDPR") which it considered constituted in this case. This report proposed to the restricted formation to issue a call to order against the ministries. He also proposed that this decision be made public and no longer allow the ministries to be identified by name at the end of a period of two years from its publication.

8. On July 20, 2023, the Minister of Transformation and Public Service produced his observations in response to the sanction report. It was then confirmed to the CNIL services that this response was common to the two ministries targeted by the procedure.

9. By letter dated August 17, 2023, the rapporteur informed the ministries that the investigation was closed, in application of article 40, III, of amended decree no. 2019-536 of May 29, 2019.

10. By letter of September 7, 2023, the ministries were informed that the file was included on the agenda of the restricted training of October 5, 2023.

11. By email of October 4, 2023, the ministries were informed of the postponement of the restricted training session. By letter dated October 12, they were informed that its date was set for October 26, 2023.

12. The rapporteur and representatives of the ministries were heard during the restricted training session.

II- Reasons for the decision

A- On the quality of joint processing managers of the ministries

13. The data controller is defined, under the terms of Article 4, point 7, of the GDPR, as "the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing. Under Article 26 of the GDPR: “When two or more controllers jointly determine the purposes and means of the processing, they are joint controllers.”

14. The processing at issue in this procedure is the use of the electronic addresses of public officials for the purposes of sending the email of January 26, 2023 with the subject "Pension reform: Message from Stanislas Guerini to civil service agents ", hereinafter "the treatment".

15. The rapporteur considers that the Ministry of Transformation and Public Service and the Ministry of the Economy must be considered jointly responsible for the processing in question, taking into account, on the one hand, that it involves two full-time ministries and on the other hand, elements communicated by the DPO regarding the respective roles of the DGAFP and the DGFIP in sending the disputed email to “state agents”.

16. In defense, the ministries do not dispute their joint responsibility.

17. Firstly, the restricted panel notes that it appears from the email exchanges between the two directorates that the DGAFP asked the State pension service (SRE) of the DGFiP on January 16, 2023 to send a communication to State agents "on the measures included in the pension bill currently being prepared", specifying that this would take the form of two separate messages, "one aimed at active workers, the other at destination of pensioners", before finally returning to his request by an email of January 18, 2023, specifying "It is ultimately a question of addressing only active agents". The same exchanges show that the DGAFP transmitted to the DGFiP the message to send to active agents, asking the following questions: "is it possible to embed the video so that it can be viewed in the e-mail ? " and " What statistics could you obtain? We will notably ask for the opening rate, the viewing rate of the video and even the number of clicks on the attached ppt if possible ". It thus appears that the DGAFP, wishing to send a communication to active State agents on pension reform, has defined the purposes of the processing. Then, by requesting the DGFiP to send the email and giving it instructions relating to the content and form of the communication, the DGAFP defined the means of processing. The restricted training also notes that it appears from the exchanges between the DGFiP and the DGAFP of January 23, 2023 that the DGFIP carried out technical tests with a view to sending the email and that it "gave the functional go for sending from the mass mail [on] Thursday January 26".

18. The restricted panel thus considers that the Ministry of Transformation and Public Service, through the DGAFP, participated in determining the purposes and means of the processing.

19. Secondly, article 1 of decree no. 2022-1446 of November 21, 2022 setting out the terms of processing of ENSAP provides that “the general directorate of public finances implements the automated processing of personal data called “ENSAP.

20. If Decree No. 2022-842 of June 1, 2022 relating to the responsibilities of the Minister of Transformation and the Public Service provides for functional authority of this Minister over the DGFiP, for "questions relating to public budgetary and accounting management and the State's real estate policy", it follows from the DPO's writings that the administration considers that the action of the DGFiP in sending this message exceeded this framework and that its action then fell within the authority of the Economy Minister. The restricted training also considers that by using the ENSAP file and by determining some of the means of the processing in question, the Ministry of the Economy, through the DGFiP, has also determined the purposes and means of the processing.

21. The restricted panel considers, taking into account these elements, that the Ministry of Transformation and Public Service and the Ministry of the Economy must be considered jointly responsible for the processing in question.

B- On the failure to comply with the obligation to process data in a manner compatible with the purposes for which they were collected pursuant to Article 5, paragraph 1, b) of the GDPR

22. Article 5.1.b) of the GDPR provides that “Personal data must be: / (…) collected for specific, explicit and legitimate purposes, and not subsequently processed in a manner incompatible with these purposes ; (…) “.

23. The rapporteur notes that the electronic addresses used in the context of the processing in question are those collected under Decree No. 2022-1446 of November 21, 2022 setting out the terms of the processing of ENSAP and that they were processed manner incompatible with the purposes provided for by the said decree to send a message relating to a communication of a political nature.

24. In defense, the ministries maintain that the SRE, which operates the ENSAP processing within the DGFiP "provides information to nationals of the retirement plan for civil and military civil servants of the State, particularly with regard to the right to 'information on pensions', and that it thus acted in its mission of public interest of information. They indicate that they however take note of the reactions triggered by the communication in question and that a census of the contact details of users who have expressed themselves to no longer receive information from ENSAP has been carried out so that they are excluded from possible future communications. Furthermore, an evolution of the ENSAP interface, planned for December 2023, will allow users to directly refuse the receipt of information emails.

25. The ministries then contest the qualification of political communication retained by the rapporteur by asserting in particular that the user had the choice of watching or not the video attached to the email, and that "the sending was not intended to promote the project of reform, but rather to inform, as an employer, public officials on the specific areas concerning them and the very concrete impact that could result for them. In this regard, the ministries consider that the various subjects covered in the video (such as taking into account the arduousness of so-called active categories or the explanations provided on progressive retirement) as well as the powerpoint were purely informative, without the format of the speech by the minister himself constitutes a characteristic element of a political communication, the minister of transformation and public service being able, as a public employer, to address directly and personally to all of the public officials on all administrative and human resources management issues.

26. Firstly, the restricted panel notes that, as indicated by the DPO of the two ministries to the CNIL services, the electronic addresses used in the context of the processing in question come from a contemporary extraction from ENSAP and relate to active agents. The restricted training recalls that when processing is governed by a regulatory act, its purposes can only be those authorized by this act.

27. Under the terms of Article 1 of Decree No. 2022-1446 of November 21, 2022 setting out the terms and conditions for the processing of ENSAP, "the purpose of this processing is to provide public officials with a secure digital space offering services personalized documents relating to State pensions, pay and elections of staff representatives in the State civil service. As such, it allows the public agent: 1° To have a tool of exchange and communication with the administration; 2° To have an archiving space for documents relating to State pensions (…) and pay". It follows from these provisions that the processing in question only allows the administration to send emails to public agents informing them that a document is available on the ENSAP platform in order to offer them personalized services.

28. Secondly, the restricted training recalls that the automated processing of personal data of public officials whose purpose is limited, by the regulatory act which governs them, to a communication of an administrative nature, cannot be used for a communication of a political nature (CNIL, FR, September 3, 2020, Sanction, n°SAN 2020-005, published; CNIL, FR, September 3, 2020, Sanction, n°SAN 2020-006, published; CNIL, FR, July 24, 2018, Sanction, No. SAN 2018-007, published). She notes that the email of January 26, 2023 in question is signed by the Minister of Transformation and the Public Service and refers in particular to a video containing an official speech from him presenting the pension reform. The restricted training notes that this video contains - as indicated by the ministries - concrete details on the way in which the pension system would evolve, as does the powerpoint entitled "For our pensions: a project of justice, balance and progress. However, this sending comes shortly after the presentation by the minister in January 2023 of the envisaged reform, and this before the adoption of the project by Parliament. The restricted training also considers that certain terms used and the general content of the message aim to convince of the necessity and merits of the reform: "we must work longer to preserve our pay-as-you-go pension model"; “our distribution system to which we are all attached […] protects the most vulnerable”; the measures are described as “measures of justice, of progress”; finally, the reform "will allow us very concretely, I hope to have demonstrated it to you with some very concrete axes, to improve our system without hiding the fact that yes, we are asking an effort from each of you and for that , I want to thank you ". Finally, contrary to what is usually done for communications via ENSAP (for computer security reasons), the email received by the agents did not invite them to consult a message in ENSAP, but contained the message with a link to a video hosted on a third-party service.

29. Thus, contrary to what the ministries maintain, the email signed by the minister, the format of the video and the general content of the message do not correspond to a communication between public officials and their administration. If it is open to the administration to communicate to its agents all the information necessary for the exercise of their mission or relating to their status as public agent, it can only do so in compliance with the provisions governing the files that she uses. More generally, respect for the principle of purpose implies that processing operations instituted for the needs of the public service or the employment of public agents are not used for the purposes of political communication with public agents. The restricted panel considers that, in this case, the approach is a political communication action on the part of one of the ministers responsible for said reform.

30. The restricted panel concludes that the ENSAP file was used for political communication purposes and that the processing in question does not correspond to the purpose provided for by the decree constituting this processing of "communication between the agent and administration. The use of ENSAP for sending these messages therefore disregards Article 1 of Decree No. 2022-1446 of November 21, 2022 which sets the purposes of the processing.

31. It follows from the above that by using the electronic addresses of active public officials collected under ENSAP processing to communicate on pension reform, the Ministry of Transformation and Public Service and the Ministry of the Economy , Finance and Industrial and Digital Sovereignty, joint controllers of the processing, processed said personal data in a manner incompatible with the purpose of the collection in breach of Article 5.1.b) of the GDPR.

II. On the corrective measure and its publicity

32. Under the terms of III of article 20 of the law of January 6, 1978 as amended:

"When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Liberties may also , if necessary after having sent him the warning provided for in I of this article or, where applicable in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to pronouncement, after adversarial procedure, one or more of the following measures:

1° A call to order; […] "

33. Under 7° of III of article 20 of the law of January 6, 1978 as amended, in the event that the processing of personal data is implemented by the State, a fine cannot be imposed. administrative.

34. The rapporteur proposes to the restricted formation that a call to order be issued against the Ministry of Transformation and Public Service and the Ministry of the Economy, Finance and Sovereignty industrial and digital. She also suggests that this decision be made public.

35. The ministries dispute the existence of a breach.

36. The restricted panel considers that, in the present case, the breach committed justifies a call to order against the ministries for the following reasons.

37. The restricted training notes the particularly large number of people concerned, the email addresses of 2,346,303 people having been used to make them recipients of this communication.

38. In view of the nature of the joint data controllers who have public authority prerogatives, the restricted training considers it necessary to raise awareness among the ministries on the use of personal data held by the administration as part of its missions and of which the processing must comply with the applicable legal and regulatory framework.

39. Finally, and for the same reasons, the restricted panel considers it necessary for its decision to be made public. It notes, on this point, that the public has demonstrated, in recent months, a strong interest in questions relating to the processing of their personal data by the State, as evidenced by the unprecedented number of complaints received at the outcome of this communication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• Pronounce, with regard to the breach constituted in article 5-1-b) of regulation (EU) no. 2016/679 of April 27, 2016 relating to data protection:

-a call to order against the Ministry of Transformation and the Public Service;

-a call to order against the Ministry of the Economy, Finance and Industrial and Digital Sovereignty;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the ministries by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.