Internet and legal protection of personal data: the Franco-European approach

Personal data (also known as "nominative data"), which make it possible to identify such and such a person, such as the name or the social security number, can be misused by third parties, but can we really control this phenomenon on the Web ? Including if someone has chosen, at one time or another, to make his personal data public?

If certain rights, such as intellectual property rights, make it possible to protect one's creations against unauthorized use, can we in the same way prohibit third parties from using the personal data of others, as if they were a creation, an expression of the person, rather than a simple identifier, police instrument, advertising target or media object?

French and European laws, reflecting each other, can provide elements of response and action.

“Action” since damage suffered in France can trigger the jurisdiction of French civil courts (code of civil procedure, article 46) or criminal courts (penal code, article L113-2), in particular when an offense has a link with France .

The personal data protection regime establishes a principle of requiring the prior consent of the person before any use of their personal data.

French law (Data Protection Act No. 78-17 of January 6, 1978, Article 7, amended by Law No. 2004-801 of August 6, 2004) and the European Directive (Directive No. 95/46 of October 24, 1995 , article 7) make the processing of personal data subject to the prior consent of the persons concerned. By processing data, we usually mean the integration of this data into a collective filing process, more or less automated, which differs from the simple use of data, required by the very function of this data, we will come back to this. .

These provisions make it possible to obtain damages, injunctions and penalties. Thus the fact of collecting personal data by unfair means is punishable by criminal law up to five years' imprisonment and a fine of 300,000 euros (criminal code, articles 226-18, 226-18-1, 226- 19, 226-28).

Article 7 of Law No. 78-17 of January 6, 1978 “Informatique et Libertés” provides in particular that:

A processing of personal data must have received the consent of the person concerned or meet one of the following conditions:

1° Compliance with a legal obligation incumbent on the controller;

2° Safeguarding the life of the person concerned;

3° The performance of a public service mission entrusted to the data controller or the recipient of the processing;

4° The execution, either of a contract to which the data subject is a party, or of pre-contractual measures taken at the latter's request;

5° The fulfillment of the legitimate interest pursued by the controller or by the recipient, subject to not disregarding the interest or the fundamental rights and freedoms of the data subject.

These provisions apply when the means of data processing are located in France (“Informatique et Libertés” law, article 5).

The law does not distinguish whether personal data is publicly available or not. As such, would the personal data collected by a third party when the consent of the person concerned be required be unlawful?

The fact of having published one's own personal data once on such or such website, implicitly or explicitly allowing their public access and their indexing by search engines does not imply, from the subjective point of view in any case, a consent general to see their personal data circulating anywhere and anyhow, in particular for advertising purposes by such and such a media, nor to see them indexed anyhow.

It is however necessary to consider the permission in principle granted to web actors to index public content, this permission being considered as constitutive of the Internet. However, this permission is not unlimited and may be confronted with, for example, the provisions applicable in terms of illicit profit, violation of the peace of the person, infringement of copyright, or with the provisions applicable to public directories, we will come back to this.

In addition to the provisions specific to data processing, other regimes have the effect of sanctioning the unauthorized use of personal data.

Rights to own name and image against invasion of privacy

The unauthorized use of a person's name or image may infer an invasion of privacy and be punished as such, pursuant to Articles 9 and 1382 of the Civil Code and 226-1 of the Criminal Code (up to to one year's imprisonment and a fine of 45,000 euros).

The use in a private setting of another person's personal data does not require the consent of that other person. This is the typical case of keeping a personal address book, referred to in Article 2 of the “Informatique et Libertés” law. Unauthorized disclosure of this data initially held privately may attract civil or criminal penalties for invasion of privacy, depending on the sensitivity of the information disclosed and the extent of its dissemination, the desire to harm stakes.

And also :

– Identity theft, confusion (articles 434-23 and 226-4-1 of the criminal code);

– Scam (scam) (article 313-1 of the penal code);

– Audio and video editing (article 226-8 of the penal code);

– Illegitimate profit (article 1382 of the civil code);

– Defamation (law of 29 July 1881 on the press);

– Abuse of the use of a name as a domain name (article R.20-44-46 of the postal code);

– Breaches of professional secrecy (criminal code, art. 226-13);

– Breach of the secrecy of journalistic sources (law of July 29, 1881 on the press);

– Infringement of copyright (intellectual property code);

– Breach of a contractual obligation of confidentiality;

– Violation of the secrecy of correspondence (penal code).

Does this mean that any use of personal data without the prior consent of the person concerned is prohibited? No, broad exceptions exist in the name of the protection of such broad legitimate interests, mainly: public order, transparency, freedom of expression.

Where is the principle, where is the exception? Nothing seems settled yet if we consider on the one hand that in the computer age the use of personal data necessarily implies a form of "processing" of this data and therefore the generalized application of the rule of prior consent, and on the other hand that freedom of expression, fundamental freedom, as well as other necessities, requires a fluidity incompatible with this rule.

Certain imperatives make it possible to set aside the rule of prior consent

Public order and specific objectives

The keeping of registers is either prohibited or at least subject to constraints, in particular those provided for by the regulations on the protection of personal data (in particular the aforementioned “Informatique et Libertés” law), and sanctioned by heavy criminal penalties.

Nevertheless, the “prior consent” rule can be set aside when the collection of personal data is required for the performance of legal or contractual obligations: the operation of public services, the protection of national security, the fight against crime, the preservation of public health, the security of the Internet, the promotion of scientific work, or even more simply the technical operation of such and such a contractual service.

In these cases the personal data is supposed to be kept confidential and is used only by the authorities or operator services concerned, on a restrictive basis and through specific procedures and regimes. If the data collected under these conditions is improperly disclosed, the rules sanctioning confidentiality may apply and give rise to civil, criminal or disciplinary actions (for example, violation of the secrecy of correspondence punishable by article 226-15 of the criminal code until to 1 year in prison and a fine of 45,000 euros, and 432-9 of the penal code, up to 3 years in prison and a fine of 45,000 euros).

Transparency and public directories: a mixed approach

According to the CNIL (Commission Nationale Informatique et Libertés):

Considering that the publication of lists of subscribers or users of telecommunications networks or services is free, subject to the protection of the rights of the persons concerned; that the processing implemented for the purpose of establishing these lists constitutes automated processing of personal information within the meaning of the law of January 6, 1978; that consequently, the protective provisions of individual freedom and privacy provided for by this law are applicable to the lists of subscribers which, whatever the medium on which they are published (paper medium, or electronic medium), are commonly called directories; (deliberation n°97 – 060 of July 8, 1997).

Articles L34 and L34-5 of the Post and Electronic Communications Code specify that:

“The publication of lists of subscribers or users of electronic communications networks or services is free, subject to the protection of individual rights.

Among the rights guaranteed are those for any person to be mentioned on the lists of subscribers or users published in directories or consultable via an information service or not to be, to oppose the registration of certain data concerning him to the extent compatible with the requirements of the constitution of the directories and the information services for which these lists are intended, to be informed in advance of the purposes for which are established, from these lists, directories and information services and possibilities of use based on search functions integrated into their electronic version, to prohibit the personal information concerning it from being used in commercial transactions, as well as to be able to obtain communication of the said personal information and demand that they be rectified, completed, clarified, updated or deleted, under the conditions provided for in ux articles 39 and 40 of law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms. (art.L34 al.2).

This regime triggers the sanctions provided for by the “Informatique et Libertés” law, ie up to five years' imprisonment and a fine of 300,000 euros, and more in the case of the legal persons involved.

“The prior consent of subscribers to a mobile telephone operator is required for any registration in the lists of subscribers or users drawn up by their mobile operator, intended to be published in directories or consultable via a service information, personal data concerning them.” (art.L34 al.3)

In short, some mentions are published by default, others not, but in all cases the subscriber must be able to intervene, free of charge, to modify the default options (see also decree n°2006-606 of May 27, 2005 , modifying the postal code, articles R10, R10-12).

(Right to be forgotten, right to erasure) – In the judgment Proximus, rendered on October 27, 2022, the Court of Justice of the European Union interprets the provisions of Directive 2002/58 applicable to telephone directories and those of the GDPR.

The transmission of a subscriber's contact details by a telephone operator to a directory must be subject to consent resulting in a opt-in and not a opt out and must be able to be withdrawn as easily as it was given. In addition, when the subscriber exercises his right to be forgotten, he can contact any data controller who will be responsible for communicating the request to other data controllers as well as to online search engines.

Hyperlinks and Constituent Hyperlinking Permission of the Internet

Harmful content available in France may be condemned by French civil or criminal courts. Failure to remove links pointing to such content may be a source of damages, see for example an extract from the LICRA v/ Yahoo saga on http://caselaw.findlaw.com/us-9th-circuit/1144098.html.

Is a website or a search engine authorized to display personal data in its hyperlinks or to use personal data as a search keyword for advertising purposes? No if the personal data is kept secret by the person it concerns or if it is associated with illegal content, not consented to by this person.

There is indeed a general principle of non-responsibility for the fact of hyperlinking, which is considered to be a constituent activity of the Internet. However, when illegal content, for example personal data kept secret, is reported to the installer of the link, the latter becomes responsible if he fails to remove the link and the associated comments. His responsibility is more or less great according to his role and his degree of implication in the illicit act. We will see below that the law organizes notification procedures, in addition to those put in place by the various actors.

On the other hand, the question is more delicate with regard to personal data left in public access at one time or another by the person concerned. These data can be collected by various and varied sites for advertising purposes, to attract clicks, network and content, to sell advertising space.

French case law may seem reluctant to penalize those who use third party names as keywords for advertising referencing, if we stick, for example, to the case law applicable to brand names used as keywords. referencing keys by non-holders of the mark, which does not sanction these “non-holders”.

The fact of using personal data, in particular for advertising purposes without the prior consent of the person but after having left the said data in public access on other sites may be subject to the provisions applicable to public directories, views above, as well as the rules sanctioning illicit profit, infringement of copyright and the peace of persons.

On the other hand, the provisions of the “Informatique et Libertés” law and the rule of prior consent apply again after a reasonable period of time after the person has had the initial public access to their personal data withdrawn.

Could the public data which would not be withdrawn, which would remain accessible by the usual search engines, be reused by third-party sites, in particular those acting as directories?

These directory sites most often display this personal data with advertising content, or with content from people with the same name, thus maintaining a mixture of genres, confusion about the authorship of the content or the identity of the people targeted by this content. Several types of provisions can then be requested to sanction these abuses:

– The law applicable to directories, seen above, not necessarily favorable to the Internet user, it is therefore necessary to check the qualification of “public directory” to set aside this regulation;

– Copyright, sanctioned civilly and criminally, which sanctions the moral right of the author to consent to the disclosure of its contents, and the conditions of this disclosure; the right of short quotation does not authorize a mixing of genres, nor the display of data with unsolicited advertising content;

– The civil sanction of the illicit profit made by a site editor who would attract traffic by displaying or using as a keyword the personal data of a third party without his consent;

– Penal provisions sanctioning the violation of the peace of persons; in this respect, we recall article L226-4-1 of the penal code according to which:

“The act of usurping the identity of a third party or of making use of one or more data of any kind enabling him to be identified with a view to disturbing his peace or that of others, or undermining his honor or on his consideration, is punished by one year's imprisonment and a fine of €15,000.

This offense is punishable by the same penalties when committed on an online public communication network.

Freedom of expression

This fundamental freedom is enshrined in particular in the European Convention on Human Rights (ECHR), in Article 10. Writing about others as part of the exercise of freedom of expression or of artistic creation is permitted in principle. This freedom is supplemented by a series of exceptions to copyright (for example, Article L122-5 of the Intellectual Property Code provides for the possibility of mentioning the existence of a creation on condition of mentioning its author) or the right to personal data (derogations provided for in literary, artistic and journalistic matters by article 67 of the law “IT and freedoms”).

This freedom is however limited by the traditional provisions of the right of the press envisaged by the law of July 29, 1881, in particular the penal provisions as regards insult and defamation.

If the publication of personal data is made without the consent of the interested party, it must be for the purposes of information, creation, training, scientific, political or union discussion, in compliance with the rules applicable to the freedom of the press which require compliance with strict ethics. This deontology can found civil, penal, disciplinary sanctions, a posteriori, or even preventive measures.

These rules are intended to prohibit any behavior that could damage the reputation or dignity of a person, interfere with his life or his private correspondence (think of the "sensational" that sells such a newspaper), incite to violence and discrimination.

Commercial operations remain subject to the rule of prior consent, this is for example the case of social networks which are remunerated by the sale of drained content.

In the context of the right to the press, and for the promotion of freedom of expression, the fact of omitting to request prior consent is not sanctioned but the attempt to obtain this consent will be taken into consideration within the framework civil or criminal actions against, for example, acts of defamation.

It is most often only once the incriminated act has been committed that the invasion of privacy or reputation can be sanctioned within the framework of a civil or criminal action.

By way of illustration, the Mosley case (ECHR, Mosley c/UK, 10 May 2011, n°48009/08 (commented http://www.droits-libertes.org)) indicates that the reproach made to the State for not providing for sanctions for non-compliance with the rule of prior consent is unsuccessful. This case concerned the dissemination of articles and videos revealing a citizen's sex life, which was sanctioned on other grounds.

Specific provisions apply in the context of the protection of the presumption of innocence, and the dignity of the person (article 35 ter, 35 quater of the law of July 29, 1881):

35b

1. – When it is carried out without the consent of the person concerned, the dissemination, by any means whatsoever and whatever the medium, of the image of an identified or identifiable person implicated in the occasion of criminal proceedings but not having been the subject of a judgment of condemnation and showing, either that this person wears handcuffs or shackles, or that he is placed in pre-trial detention, is punished by 15,000 euro fine.
2. – Is punished with the same penalty the fact:

– either to carry out, publish or comment on an opinion poll, or any other consultation, relating to the guilt of a person implicated during criminal proceedings or on the sentence likely to be pronounced against him ;

– or to publish information allowing access to the surveys or consultations referred to in the preceding paragraph.

35c

The dissemination, by any means whatsoever and whatever the medium, of the reproduction of the circumstances of a crime or misdemeanor, when this reproduction seriously undermines the dignity of a victim and is carried out without the agreement of the latter, is punished by a fine of 15,000 euros.

Shares

The procedures provided for by the law of confidence in the digital economy (LCEN)

Some procedures are specific to Internet users and are provided for by the LCEN. The fact that data is disclosed on the Internet leads to the application of specific regulations providing for procedures allowing victims to obtain a rapid removal of the incriminated content by those who have control over it. Victims can notify the irregularities, in sequential order, to the author, the host, the access provider, with the aim of triggering their various responsibilities (for example, technical intermediaries such as hosts do not have obligation of general monitoring of the content they host but must intervene when they are notified), and request the correction or withdrawal of the content, in specific forms. These intermediaries have the obligation to alert the authorities to the most sensitive content (for example: apology for crimes against humanity).

Persons notified must react quickly. A refusal can be challenged in court but it should be specified that the burden of proof rests on the victim. It is she who must demonstrate the improper nature of the content, proof which may prove difficult if this improper nature is not self-evident. The notified person does not have to provide legal advice to the alleged victim, and can prosecute this “victim” for abuse of notification, punishable by article 226-10 of the penal code for up to five years. imprisonment and a fine of 45,000 euros.

The “internet referral” is an accelerated procedure allowing victims to obtain preventive or curative measures before the civil courts (article 6.I.8 LCEN) (be careful, check the successive reforms of the LCEN)

press law

Penal provisions apply (in particular the right of reply provided for by article 13 of the law of July 29, 1881), including to non-professionals of the press, even if they do not benefit from the privilege of secrecy of sources or other statutory privileges enjoyed only by press professionals.

Article 6 V of the LCEN extends to online communication services the provisions of press law, in particular those which establish a presumption of liability of the publication director. This regime is detailed in Article 93-3 of Law No. 82-652 of July 29, 1982 on audiovisual communication, recently amended by HADOPI Law No. 2009-669 of June 12, 2009, Article 27.II, and describes a regime adapted from the classic regime of article 42 of the law of 1881.

Freedom of the press is tempered by a right of reply by any person quoted, and this right is also exercised within the framework of online communication services, as provided for in article 6 IV of the LCEN and decree no. 2007-1527.

Usual prescription in terms of press offences: 3 months from publication (be careful to check the successive reforms in terms of prescription, as well as special prescriptions)

CNIL procedures

The Commission Nationale Informatique et Libertés (“CNIL”) is the institution that intervenes to supervise the implementation of regulations on the protection of personal data. It has its counterpart in each of the Member States of the European Union. The CNIL can issue warnings, regulations, injunctions, financial penalties, and can initiate actions with the competent courts to obtain emergency measures. It can decide to publish the sanctions. It can issue recommendations that will serve as a standard or criterion for interpreting legislation on the protection of personal data and on the concept of privacy, for example with regard to the use of personal data in public archives. and court decisions.

A CNIL procedure can be triggered by any citizen by means of a simple letter.

Criminal courts

The Penal Code brings together in a chapter dedicated to personality attacks the provisions sanctioning violations of privacy, the tranquility of individuals, secrecy, the protection of personal data and respect for the right of reply. Copyright is also criminally sanctioned in the intellectual property code.

Usual prescription in terms of attacks on the personality: 3 years / 1 year (be careful to check the successive reforms in terms of prescription, as well as special prescriptions)

Civil courts:

The civil code makes it possible to obtain damages in compensation for a prejudice if it can be demonstrated a link between this prejudice and an inappropriate use of personal data. This will be particularly the case in matters of copyright, invasion of privacy, illicit profit.

It may also be possible to obtain preventive measures through emergency procedures (referral or request) explicitly provided for in the context of an activity on the Internet by article 6.I.8 of the LCEN.

However, civil law cannot have the effect of adding restrictions to freedom of expression other than those already provided for by the law on the press, called "press offences", such as insult and defamation, and subject to to specific procedural regimes.

Usual civil prescription: 3 years, 5 years (be careful to check the successive reforms in terms of prescription, as well as special prescriptions)

gdpr: emergency procedures against the controller under EU regulations and French law of procedure