On June 25, 2013, the French Supreme Court rendered a cornerstone decision for all agreements dealing with personal data.
In 2008, a company sold its electronic customer file to its successor in business. It quickly came to light that most of the information was outdated or irrelevant and that the file had not been notified to the CNIL (the French data protection authority). The buyer then sued the seller to have the sale cancelled, on the grounds that the file did not comply with the agreement, and that the purpose of the sale was unlawful.
The French Supreme Court decided that the sale must be cancelled and that the price paid be reimbursed, in light of the following considerations:
- Any electronic file of personal data must be notified to, or authorized by, the CNIL in compliance with Act n°78-17 of January 6, 1978 relating to Data Protection (the "French Data Protection Act");
- Non-compliance with the French Data Protection Act implies that the file falls outside the remit of “objects which can be traded” and may not be subject to a legal transaction, as provided for by article 1128 of the French civil code (thereby applying to a non-registered file the same legal regime as for the human body!);
- The purpose of the sale was therefore unlawful, rendering the sale null and void, although such nullity is not expressly provided for in the French Data Protection Act.
In recent years, compliance with the French Data Protection Act has mainly been enforced in two areas: administrative sanctions by the CNIL, and the value of evidence gathered through electronic means in employment-related disputes. The result of this recent decision is to bring to light an additional legal tool for enforcing the French Data Protection Act.
This decision demonstrates the significant risk incurred when entering into agreements which deal with personal data whose compliance with the French Data Protection Act has not been fully assessed. When the validity of the agreement is exposed to such a risk, taking measures to ensure compliance and performing due diligence become mandatory. In addition, this risk needs to be addressed not only for sales of customer files but, more importantly in our data-centric world, in any agreement involving the processing of personal data, such as sourcing and outsourcing arrangements as well as most M&A transactions.