A customer had lodged a complaint with the CNIL in relation to its bank’s insufficient protection of passwords used to access accounts online. Following an investigation, the CNIL sanctioned the bank on 10 December 2015. It subsequently informed the complainant that the procedure had given rise to a sanction, but did not provide any information on the nature of its sanction and that the complaint procedure had thus been closed. The complainant appealed the CNIL’s decision to close the case (i) for lack of information on the nature the sanction and (ii) for insufficient information about the sanction. Based on the summarised annual list of sanctions available on the CNIL’s website, it seems that the sanction was only a non-public warning, and therefore, the name of the bank was not disclosed.
In its decision of 19 June 2017, the State Council ruled that, following a complaint, a complainant was entitled to receive information on the nature of the offence sanctioned by the CNIL, as well as the nature (and quantum) of the sanction, including when the sanction had been made public, subject to any confidentiality rules imposed by law.
The State Council rejected the claim for annulment of the CNIL’s decision and pointed out that an appeal could only be lodged against the CNIL’s refusal to act on a complaint. The State Council could also censure the CNIL in the event of an error of fact or of law, of manifest error of assessment or misuse of powers. However, following the CNIL’s decision to investigate a complaint, the complainant could no longer bring proceedings for (i) the purpose of challenging the decision taken by the CNIL at the end of the investigation, irrespective of the grounds, nor (ii) the CNIL’s decision to close a complaint procedure.