(mise à jour Feb.2022)
The new EU regulation in that matter, the GDPR, applying from the 25 may 2018, while providing rights of access, of correction and of erasure of his personal data to the benefit of the “data subject” (the person concerned by the processing of his personal data) recalls the necessity to refer to administrative or judicial bodies to obtain sanctions, prohibitions and indemnities.
It is then interesting to investigate and to see what can really be made in matter of emergency, when that person considers itself as a victim of a processing by a “controller” i.e. the entity which processes the data.
Are not dealt here the procedures tending to preserve evidences, or execution routes used to implement judicial decisions or to seize properties, nor some specific cases relating, for instance, to processings related to public, administrative, research, or journalistic purposes, or to the repression of intellectual property rights counterfeiting, to the treatment of sensitive content on internet…)
Under French law more and more administrative bodies are empowered with capacites to charge fines and to deliver injunctions in order to preserve the interests of the society, along with traditional prosecutors when legal incriminations are at stake (and to which article 84 of the GDPR refers).
This is the case of the “supervisory authority”, the authority named as this by the new EU GDPR regulation and which, in each Member State and along with its counterparts, intervenes in case of inappropriate use of personal data by a “controller” i.e. a person processing personal data, under this regulation.
The GDPR recalls the possibility for the data subject to lodge a complaint with this “supervisory authority” (art.77) and precises the powers of injunction and of condemnation to fines (art.58 and 83) of this authority, while recalling the necessity for a plaintiff to refer to judicial bodies in order to seek liabilities and to claim for indemnities (art.79, art.82 point 6).
Anyway, before thinking to seek for liabilities, the plaintiff will, above all, seek to stop the damaging situation, as soon as possible. Here he may hesitate with the behaviour to adopt.
The GDPR recommends to follow some amicable steps, and ultimately to refer to the said supervisory authority or to other administrative or judicial bodies.
This process may seem too long and the plaintiff may seek for a quicker answer in front of jurisdictions specialized in emergency procedures.
Let’s try to compare.
The GDPR specific circuit :
The new EU regulation so called GDPR organizes a procedure in order to obtain from the “controller” (the person liable for the data processing) a cessation of the processing of the personal data.
Its article 12 provides that :
“3.The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”
“4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.”
However the controller is incited to act quickly and may engage its liability in this regard ;
The article 17 mentions the ability for the plaintiff (the “data subject”) to obtain, from the controller, data erasure on certain grounds, “without undue delay”.
The article 18 combined with the article 21 mentions the ability for the plaintiff to obtain, from the controller, and on certain grounds, as a paliative, a restriction of the processing of data (data is like set aside, hidden, but kept “under the elbow” of the controller), especially when there is a discussion on the legitimate grounds for the processing, and pending the verification whether the legitimate grounds of the controller override those of the data subject.
As a matter of fact a controller shall be tempted to invoke systematically “legitimate interests” to justify the processing, in all the “grey” cases where it is not clearly entitled to process data, and when data is processed for marketing purposes or neighboring purposes.
By the way, on this matter, the article 21 provides, for the benefit of the data subject, on certain grounds and especially when it is made for direct marketing purposes, a right to object to the processing of its personal data, and that the “controller shall no longer process…” and : “Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes”.
So the GDPR organizes a preliminary one to three months administrative stage during which the controller may not give an answer nor satisfy the demand formulated by the data subject, without giving any specific reasons, engaging however its liability if an abusive resistance could be demonstrated by a motivated plaintiff in front of a civil or of a criminal court, or even in front of the supervisory authority.
This may appear somewhat unsatisfying and uncertain to the plaintiff’s view.
The judicial route and the emergency procedures :
Under the French law, preliminary injunctions and damages may be obtained through emergency procedures in order to stop damaging situations.
They are taken at risk of the plaintiff and on a provisional basis which means that a court seized of the merits of the case will always be able to reform the decision undertaken in an emergency context and to condemn the plaintiff for abuse (however « mixed procedures » exist (2021 & 2022 reforms).
The French “code de procédure civile” (mainly the article 808 of the code de procédure civile) requires that the the measure solicited by the plaintiff in this regard is not seriously questionable, i.e. into the extent that the case seems usual and obvious and that there is urgency to take the solicited measures, and that these measures are practicable.
On this subject, for instance, the fact that the adverse party has already issues serious objections when the parties have already engaged discussions about their litigious point is an indication that serious objections may exist. A party who would then attempt to put an ending point to the discussions and to force the satisfaction of its demands by initiating an emergency procedure would then take the risk to be rejected.
However, even in the case where the solicited measure is questionable, an emergency procedure remains available in the case where an imminent damage must be prevented or a “trouble manifestement illicite” (disorder patently illicit, for instance a criminal offense easily qualifiable as such) must be stopped, all notions which suggest that an urgency is implied (art.809 of the code of procedure civile).
However, the demonstration of a manifest disorder may be difficult to make especially without preliminary investigations or discussions.
As regards data processing, the inappropriate use of personal data (including professional data, cf. EU and French case law on the matter) is incriminated by article 226-16 and following of the “code pénal” and punished with imprisonment and fine, and then be revealed, as a “trouble manifestement illicite” allowing to engage an emergency procedure for demanding the withdrawal of the litigious content, and even if a culpability is not yet definitely judged.
The law “Loi n° 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique” (“law for the trust in the digital economy”) said also “LCEN”, confirms that an emergency procedure may also be engaged against a technical intermediary (internet based platforms, search engines, internet providers…), even if it is not the original infringer :
Article 6.I.8 “L’autorité judiciaire peut prescrire en référé ou sur requête, à toute personne mentionnée au 2 ou, à défaut, à toute personne mentionnée au 1, toutes mesures propres à prévenir un dommage ou à faire cesser un dommage occasionné par le contenu d’un service de communication au public en ligne.”
Free translation : “The judicial authority may prescribe, “en référé ou sur requête”, to any person mentioned in 2 [platforms, search engines…] or, failing that, to any person mentioned in 1 [internet providers], any measures likely to prevent damage or to stop an injury caused by the content of a public communication service online.”.
(this text has changed, since, enlarging the judicial possibilities – 17 feb.2022)
The necessity or not to send a formal previous notice before engaging a judicial emergency procedure :
Is a formal previous notice necessary to warn the adversary before engaging a judicial emergency procedure ?
As a rule yes, but a previous formal notice is obviously not recommended in case of real emergency or of real trouble to the public order (for instance : a criminal offense).
On this subject Art. 56 alinéa 3 of the code de procédure civile provides that (attention : reforms) :
“Sauf justification d’un motif légitime tenant à l’urgence ou à la matière considérée, en particulier lorsqu’elle intéresse l’ordre public, l’assignation précise également les diligences entreprises en vue de parvenir à une résolution amiable du litige.”
Free translation : “Unless there is justification relating to the urgency or to the matter in question, in particular when it concerns public order, the summons also specifies the steps taken to reach a friendly settlement of the dispute.”
Even if the inappropriate use of personal data may form the basis of a criminal offense the common sense will require most of the time that a formal previous notice be made and especially considering that the GDPR requires that previous notice.
When a demand concerns matters such as loss reparation and pecuniary claims not implying an urgency, a formal previous notice would have to be addressed to the adversary, detailing the amount claimed.
In the same manner the aforesaid law “Loi n° 2004-575 du 21 juin 2004 pour la confiance dans l’économie numérique” (“law for the trust in the digital economy”) said also “LCEN”, provides, In its articles 6.I.2, 6.I.3 and 6.I.5 that the liability of the technical intermediary cannot be engaged unless it is proven that, being duly notified (and in a certain manner and with certain precautions) it does not have withdrawn the litigious content.
So, in case of emergency, the referral to the specialized judicial body is a gage of rapidity, while the referral , through usual routes, to a criminal or to a civil jurisdiction (or even an administrative jurisdiction) or to an administrative body, such as the “supervisory authority” under the GDPR, may imply long preliminary investigations or discussions before that injunctions be taken or indemnities be granted.
The supervisory authority has powers of injunction and of condemnation to heavy fines (art.83 parag.5, b), but, acting like a prosecutor defending first of all the interests of the society, may be reluctant to act quickly on the mere basis of the claim by an individual and more keen to proceed to enquiries which take time.
The advantage of a referral to the supervisory authority is that it may intervene at the EU level, sometimes in emergency, with the cooperation of other national supervisory authorities. On the contrary, the referral to national civil or criminal courts may be illusory to obtain injunctions and sanctions in cases where foreign aspects are implied. (It is a vertical process / not an horizontal one inter partes)
The criminal jurisdictions intervene mainly to judge criminal liability and to deliver criminal condemnations (mainly imprisonment, fines, accessorily injunctions and indemnities), after thorough investigations.
The civil jurisdictions, in the framework of normal procedures, intervene mainly to judge civil liabilities, to grant indemnities and to deliver injunctions, after a thorough and contradictory discussion.
In COMPARISON the judicial emergency procedure may appear more efficient to solicit, at least at a national level, an immediate cessation of the processing – and alternatively, AT LEAST, an immediate restriction of the said processing without to have to wait the end of a trial on the merits, when the controller is likely to adopt a resistance and a willingness to demonstrate the legitimacy of its processing.
As aforesaid this possibility of “restriction” is provided by the article 18 of the GDPR and this is by the way one of the main contribution of the GDPR compared to the previous EU directive 95/46/CE and to the current French law related to personal data “loi informatique et liberté n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés”