The French Parliament is about to pass a Law that will enable the French Data Protection Authority (the CNIL) to conduct on-line inspections.
Unlike many data protection authorities in Europe, the CNIL has significant onsite inspection powers, which it uses more and more often. Indeed, the number of its inspections rose from 96 in 2005 to 270 in 2007, reaching 458 in 2012 (the most recent numbers available).
Within this framework, the CNIL can have access, between 6 a.m. and 9 p.m., to all premises, facilities or establishments used to process personal data and which are for professional purposes (Article 44 of the French Data Protection Act, FDPA). The person in charge of the premises may object to the CNIL’s inspection, which is generally unannounced. In such event, the Commission’s Chairman can petition the custodial judge (juge des libertés et de la détention) for an order authorizing it to proceed with the inspection. With this order in hand, the CNIL can perform the inspection that was planned initially, and, if necessary, accompanied by the police. The person in charge of the premises then no longer has the right to object to the inspection, under penalty of committing obstruction of justice. Within the framework of this inspection, CNIL agents may ask to be provided with any useful document and take copies of them.
At the end of the inspection, a report shall be prepared “in the presence of all parties” and must be signed by the CNIL agents and the person in charge of the premises. This report must specifically state the inspection’s nature, day, time and place, indicate the persons met and any statements they make. Lastly, the report must provide a list of the exhibits and documents copied.
As briefly presented above, the law in force looks particularly complete and precise. Inspections, the related report and the documents gathered are largely the basis of the evidence that the CNIL uses in its penalty procedures.
This being said, what about inspections not “onsite”, but “online”? Do the terms provided by Article 44 of the FDPA apply to them? Some of its provisions appear to be a bit tricky to transpose to cyberspace, such as the “person in charge of the premises” exercising the right to object, indicating the “persons met” in the report or the signing of the report, which was prepared “in the presence of all parties”, just to mention a few examples.
The FDPA is surprisingly silent about online inspections. Admittedly, there is no specific provision, but also no prohibition mentioned. The resulting legal uncertainty explains why, when the CNIL wants to have violations of the law committed online officially noted for evidentiary purposes, it resorts, like any other authority, company or individual, to a court bailiff to prepare a report.
This formalism is not very well adapted to applying the CNIL’s inspection powers in cyberspace, which it does have as regulator. This is what will likely lead the Parliament to modify the FDPA in the near future.
Indeed, Article 48 bis of the bill on consumer rights, already adopted by the Senate and the National Assembly, introduces a new paragraph in the aforementioned Article 44. This paragraph provides that CNIL agents may now, “from an online public communication service, consult data that are freely accessible or made accessible, including through carelessness, negligence or by an act by a third party, if need be, by accessing and keeping data in automated processing systems for the time required for their findings. They may retranscribe the data by any appropriate processing in documents that may be directly usable for the needs of the inspection.”
Regarding the inspection report, the act now states that it “shall be prepared in the presence of all parties when the verifications and visits take place onsite”, which, by contrast, means that the report is prepared unilaterally when the verifications are performed online.
This legislative change is particularly significant. It confers on the CNIL an online investigative power that is comparable to, or even greater than, the power conferred on it for onsite verifications. Indeed, these digital verifications are carried out without the possibility of exercising a right to object, without the website’s manager being informed and, as such, without a report being prepared in the presence of all parties.
This being said, implementing this new power raises certain legal issues. The main issue is how to take into account the criteria that define the territorial scope of the FDPA, which the CNIL is in charge of enforcing. Indeed, the FDPA applies only to data controllers “established” in French territory or who “use means of processing located in French territory” (Article 5 of the FDPA).
Consequently, within the framework of an online inspection, it will be essential to establish that the FDPA does indeed apply to a website which, although accessible from France, may not have an establishment in France. In this latter case, the CNIL will then have to prove that means of processing are used in France. However, proving this may turn out to be very complicated and may therefore become a source of litigation, given that certain IT architectures and technologies (such as cloud computing) make it difficult at times to determine where the means of processing are located at any given moment.
Despite this legal difficulty, it is very likely that this new online investigative resource, which is quick and inexpensive, will lead the CNIL to considerably increase the number of its verifications and, consequently, the penalty procedures resulting from them.
In substance, this new investigative resource should allow the Commission to verify websites with respect to legal notices, the information provided to data subjects and the obtaining of consent for cookies. It should also enable the CNIL to assess the level of security protecting personal data and IT systems and, where appropriate, record a data breach and sanction it.