Could the failure to declare a customer file to CNIL (French Data Protection Authority) void the sale of such file? By overruling the decision of the Rennes Court of Appeal dated January 17, 2012 that answered this question negatively, the Commercial Chamber of the French Supreme Court (Cour de Cassation) unequivocally answered in the affirmative in its ruling dated June 25, 2013.
This ruling is undoubtedly an important decision since it confirms that compliance with the obligations set forth in the French Data Protection Act ("Loi Informatique et Libertés" or "LIL") is an essential condition for the validity of a component of the goodwill : its customer base. The facts here at hand were quite simple and classic: the acquisition of a business involving the sale of wines to private individuals, including, among other intangible assets, an electronic customer file. The purchaser noticed that the seller had not declared this file to the CNIL. However, the purchaser met some difficulty exercising its rights on the merits, since the first courts were not in favor of cancelling a sale for lack of declaration to the CNIL: indeed, the purchaser commenced an action on the ground of willful deception and non-compliance of the customers file, but its claim was dismissed by the Commercial Court of Saint-Nazaire on September 15, 2010. It then lodged an appeal and petitioned the nullity of the sale of the customer file on the ground of its unlawful purpose, but its claim was rejected again by the Rennes Court of Appeal, which held, in a ruling dated January 17, 2012, that “if the processing of the customer file of Bout-Chard must be subject to a simplified declaration which, in this case, was not filed, the law does not provide that failure to declare the processing of customers file should be sanctioned by the nullity of the file, so that the sale of said file would be void, for unlawful purpose or unlawful cause.”
Under these circumstances, the purchaser decided to lodge an appeal with the French Supreme Court which finally overruled the decision of the Court of Appeal, on the basis of Article 1128 of the French Civil Code and Article 22 of LIL as follows: "by rendering such a decision, whereas any electronic personal data processing file must be declared to CNIL and whereas the sale by Bout-Chard of such an undeclared file, "which was not in commerce", had an unlawful purpose, the Court of Appeal breached the aforementioned provisions."
This decision is remarkable for two reasons: by making a formality before CNIL a criterion for judging the lawfulness of a file that is the purpose of a sale, it shows boldness and gives said decision a practical impact exceeding the usual penalties applicable in cases of non-fulfillment of the formalities set forth by LIL (1); thus, by cancelling the sale of an undeclared file, the decision of Court proves that the obligations set forth by LIL are better taken into consideration (2).
- An Audacious Decision Drawing the Consequences under Civil Law of Non-compliance with the French Data Protection Act
Although the reference to Article 22 of LIL (which provides that automated data processing of personal data must be declared to CNIL) is fully appropriate, in view of the ground of the appellant in cassation (nullity of the sale of the customer file due to the failure to file a declaration with the CNIL), the reference to Article 1128 of the French Civil Code ("only things "which is in the commerce" can be the subject-matters of agreements") is surprising at first glance. Indeed, whereas the lawfulness taken into account for the analysis of the validity of the purpose of the legal transaction is, in general, linked to the nature of the purpose itself (customer base, human body, etc.), in the case at hand, the French Supreme Court analyzed it from the formalities standpoint applicable to this purpose.
This approach is similar to labor law courts reasoning which, in some cases, considered that a dismissal could not be based on a data processing operation1 not declared to the CNIL. On the other hand, the reference to Article 1128 of the French Civil Code to make the purpose of the sale unlawful due to the failure to comply with the formalities relating to that purpose – and therefore to make the sale void – is unprecedented, and the approach is quite audacious.
Indeed, the French Supreme Court considered that in order for the customer file to be lawful and “in the commerce”, it must be declared; otherwise, no legal transaction relating thereto can be made. The reasoning is based on the unlawfulness of any file that is not declared to CNIL. Since the sanction for the unlawfulness of the purpose is the invalidity of the legal transaction contemplated and thus the nullity thereof, this penalty is thus applicable in the case at hand to the sale of the undeclared customer file. The French Supreme Court did not take into account the argument, retained by the Rennes Court of Appeal that nullity is not on the list of the penalties provided for by LIL, and the very good reason, being that it based its decision on civil law to draw the consequences of an unlawfulness resulting from the enforcement of LIL.
The French Supreme Court proceeded as follows: (i) it first analyzed the lawfulness of the file, in accordance with LIL and (ii) it then deduced the impact of the unlawfulness of the file on the agreement of which it is the subject-matter, pursuant to contract law. The French Supreme Court thus provides the personal data protection law an unprecedented practical impact insofar as an element that does not comply with these regulations may now affect the value of the corporate intangible assets.
- An Appropriate Solution Evidencing a Better Recognition of the Obligations set forth by the French Data Protection Act
This solution should undoubtedly reinforce the awareness of companies of the need to comply with personal data protection regulation. Indeed, since the validity of any legal transaction involving the sale of files containing personal data may be challenged, data controllers will necessarily be strongly encouraged to systematically carry out the CNIL declaration formalities.
Thus, under the current acquisition audit practices, sellers may no longer content themselves with stating that they carried out the formalities without providing evidence thereof to purchasers, and purchasers will have to make any and all necessary verifications to ensure that the files that are transmitted to them are lawful, since everything in this regard shall be performed before the sale.
Similarly, if the lawfulness of the purpose of any agreement (such as operating agreements, outsourcing agreements, and any agreement with subcontractors of the data controller) may be considered as the cornerstone of the decision of the French Supreme Court (and not only the lawfulness of the purpose of a sale agreement), it will be necessary to ensure that the required guarantees as to the compliance of the processing operations that are the purposes of the agreements in question, are obtained.
Finally, the – introductory – decision of the French Supreme Court, which only makes reference to the absence of a declaration, should reminds us that the declaration is more than a mere formality as it is the confirmation by the data controller that several obligations have been complied with (information of the data subjects, respect for the principle of proportionality, limited storage duration, security of the processed data, etc.). Thus, if a company contents itself with making an online declaration to evade the consequences of nullity as stated by the French Supreme Court, without complying with its obligations as provided for by LIL, the company must be aware that its file will remain unlawful because its declaration is false…