By a judgment of February 24, 2015, the Paris Court of Appeal issued criminal sanctions both against a restaurant “La Closerie des Lilas” and its manager, for misuse of a CCTV system which had been put in place for security purposes and not to monitor employees. It also awarded compensation to the employee for moral damages.
In this case, an employee who had been dismissed was disputing in court the justification for his dismissal. The employer’s lawyer sent two images – which had been extracted from the CCTV system – to the former employee’s lawyer which were meant to justify the dismissal.
The employee then wrote to the CNIL in order to know for which purpose the CCCT system had been notified, and the CNIL answered that the CCTV system had been registered only for security purposes, not for monitoring of employees.
Following this, the images were not produced in court by the employer, and the court ruled that the dismissal was unjustified and that the employer had to pay 33.000 euros to the employee.
Although the CCTV pictures had not been produced in court, the employee argued that his former employer had no right to send them to his lawyer, as this communication was contrary to the purpose for which the CCTV system had been put in place and notified to the CNIL.
This argument was not followed by the Court of First Instance, but the Paris Court of Appeal overruled the first judgment and ruled that the communication of the CCTV images in the context of the trial for the purpose of proving the employee’s behavior, was against the initial security purpose.
The Court therefore ruled that both the company and its manager had committed the offense of using CCTV images for another purpose than those allowed, as stated by Article L254-1 of the French Internal Security Code, which provides that: “installing a CCTV system or maintaining it without permission, conducting video surveillance recordings without permission, failing to destroy them in the prescribed period, falsifying it, hindering the work of the departmental committee of CCTV or of the CNIL, allowing unauthorized persons to access to the images, or using these images for other purposes than those for which they are allowed, is punishable by three years imprisonment and 45,000 euro fine”.
The Court of Appeal exempted the employer from the penalties as the images had not been produced in court, but the employer had to pay his former employee 500 € for moral prejudice resulting from misuse of his personal information, in addition to the 33.000 euros for unjustified dismissal, plus 1000 euros for the cost of the trial.
Such judgment from the Paris Court of Appeal recognizes that privacy harm can result in moral damages for the employee whose pictures were misused, in addition to criminal sanctions. In doing so the Paris Court follows here the same path as the one recently taken - on a much wider scale - by the England and Wales Court of Appeal decision of March 27 2015 in Google v. Vidal-Hall, which also ruled that emotional distress, or moral damage, is recoverable under privacy and data protection law.
This case also illustrates once more the legal importance and consequences of notifying with the CNIL in France: What was sanctioned here was not the lack of notification to the CNIL, as is usually the case in this type of litigations. More sophisticatedly, the Court sanctioned the misuse of the personal data - the CCTV images - contrarily to the purposes mentioned in the notification previously done with the CNIL; and it considered that this was not only a criminal violation which prevented the employer to use the information in court against the employee, but that such misuse also caused a moral damage recoverable under privacy law.
The necessity of using personal information in accordance with notifications registered with the CNIL can prove to be very problematic in practice for companies: The content of a notification is seldom known by more than a small limited group of people, and may also be promptly forgotten as soon as the notification is filed! Notification to the CNIL is too often considered as a mere formality whereas it constitutes in fact the company's legal margin of manoeuvre.
The risk of misuse of the personal data in contradiction with the terms of the notification is therefore huge. To avoid such risk, companies should communicate internally with their employees, as well as externally with their service providers which process personal data on their behalf, concerning the margin of manoeuvre, defined by each notification registered with the CNIL, which must be complied with.