By Pascale Gelly, CIPP/E
Registering data-processing activities with the CNIL, the French data protection authority (DPA), is not a mere formality. A data controller recently learned this to his detriment in a case that went all the way to the Supreme Court.
The customer database he had sold had not been registered, and the purchaser, seemingly having second thoughts about the purchase, claimed that the sale was null and void because the file was not valid. The Supreme Court accepted the argument, holding that the file, the object of the sale, was unlawful because it had not been registered with the CNIL.
This decision confirms lawyers’ worst fear when they carry out due diligence and find out that the prior formalities with the DPA have not been accomplished. Of course noncompliance can be cured, but for the future only. So, the very first question one should ask to assess the risk is whether this noncompliance impacts a significant asset of the deal. If it does and the deal still goes ahead, the risk should be considered in the level of warranties negotiated among the parties.
What had seemed to many just a theoretical risk has now become real with this Supreme Court decision. It is actually a much more serious risk than the risk of being sanctioned by the CNIL itself for the mere lack of registration.
In addition, the risk more frequently encountered by data controllers, usually in employment relations, is that the evidence produced by the data processing, e.g., building entrance or connection logs, is challenged in court as the result of unlawful processing.
Needless to say, before bringing a criminal claim for security fraud after a security intrusion, one should have registrations well in order or risk being found guilty of the misdemeanour of failing to register a processing of personal data, as happened to an individual who made a complaint to the police after the theft of his laptop.
Of course, if the regulation is adopted with provisions reducing the level of prior formalities, as contemplated today, these fascinating legal discussions will come to an end, and data controllers will be able to concentrate on practical implementation.
Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at firstname.lastname@example.org.