Even the French Data Protection Authority (CNIL – Commission Nationale de l’Information et des Libertés) can be sued for violating its own recommendations. Following is its recommendation regarding the anonymization of personal data on jurisprudence databases (deliberation n°01-0577 of November 29, 2001).
On April 11, 2013, the CNIL sanctioned Total Raffinage Marketing for several breaches of the Act of January 6, 1978 regarding the setting up of an electronic voting system. The company E., which created the electronic system, was not prosecuted, but participated freely in the proceeding. The decision was published on the CNIL website and on Legifrance.
The company E., having not been sued in that proceeding, asked the President of the CNIL to remove its name from the published decision. The CNIL refused this request by decision of August 19, 2013.
The company E. then brought a claim before the Conseil d’Etat (supreme administrative court) on the grounds that the CNIL had exceeded its powers, asking for the invalidation of the CNIL’s decision.
The Conseil d’Etat:
- invalidated the August 19, 2013 decision, explaining that the CNIL had to accept the company E.'s anonymization request because the company had not been prosecuted;
- ordered the CNIL to proceed with the anonymization of the document within fifteen days of the notification of that decision.
To conclude, this decision confirms that National Data Protection Authorities are, of course, also subject to the data protection legal framework.