On July 22, 2014, the French Data Protection Authority (“CNIL”) found that a luxury car rental company had failed to comply with the French data protection law with respect to the implementation of a customer geolocation system. In particular, the CNIL considered that the rental company had failed (i) to fulfill the formalities required prior to processing customer geolocation data, (ii) to limit the collection of geolocation data to cases of non-return or theft of vehicles, (iii) to inform its customers of the aforementioned processing, and (iv) to ensure the security of the data.

In October 2012, a customer filed a complaint with the CNIL regarding the geolocation system implemented in connection with its rental luxury cars. In December 2012, the CNIL sent a first letter to the rental company summarizing the provisions of the French Data Protection Law pertaining to the implementation of a geolocation system. This letter remained unanswered, which led the CNIL to send two successive letters in January and March 2013. Likewise, these letters remained unanswered and the CNIL decided to conduct an on-site inspection in June 2013. Following such inspection, the CNIL sent a cease and desist letter to the rental company, requiring the latter to comply with applicable data protection law. However, the rental company failed to ensure such compliance, which was brought to light following a subsequent investigation. As a result of the foregoing, the CNIL ordered the rental company to pay a EUR 5,000 fine.

The CNIL’s decision was based on the following legal grounds:

  • First, the rental company had failed to file with the CNIL the required declarations prior to processing personal data in connection with (i) the geolocation of cars rented to customers, and (ii) customer management.
  • Second, the CNIL considered that the rental company had failed to comply with the principles of adequacy, relevance and non-excessive nature of the data. Indeed, the geolocation system was set for a 24/7 use and could not be deactivated, and therefore the car rented by customers could be located at any time by the rental company. The system thus enabled the collection and processing of various numerous data, including time and location-related data, that the CNIL considered as excessive in relation to the purposes for which it had been collected. The CNIL found that the rental company should have limited the collection of geolocation data to cases where the vehicle is stolen or not returned.
  • In addition, the CNIL considered that the rental company had failed to fulfill its obligation to give adequate notice to customers. In this respect, the rental company claimed that customers were verbally informed of the geolocation system. However, the CNIL noted that the rental company had not provided any evidence to support its claim. The CNIL thus considered that the rental company had not demonstrated that its customers were duly informed. It has to be noted that in its decision the CNIL does not consider that the customers’ consent would have been required. The CNIL further ruled that the rental company had failed to demonstrate its compliance that it had notified customers regarding the processing of their data for customer management generally.
  • Last, the CNIL stated that the rental company had failed to comply with its obligation to ensure the security of customers’ data. During on-site inspection, the CNIL had accessed the geolocation software at issue from a computer located at the reception desk of the company, and noted that the authentication process to access this software only required a user name and a password that had not been renewed since it had been set up (more than two years prior), as no password management policy was in place.