Since May 25, 2018, compliance with the EU General Data Protection Regulation has been compulsory for all organizations based within the European Union, and for those based outside of the EU when they are dealing with personal data of EU data subjects.
Of course, harmonization of legal provisions across the EU member states is not without its political, cultural and practical challenges. How are EU domestic courts going to react when faced with contradictory provisions from other jurisdictions in cases which have an international dimension, and especially when non-EU organizations, which are nonetheless striving to comply with EU privacy and disclosure laws, miss the mark in terms of legal application?
An emergency judgment rendered by the Grenoble High Court on 4th July 2018 gave us a clear illustration as to the French approach to key GDPR principles in a case which was also, in part, subject to U.S. law.
This article sets out the scope of that judgment in light of the legal climate, the French court’s approach to failure by data controllers to respect data subject rights, whether by negligence or otherwise, and the political undertones that the decision may yield.
A geographical mistake with serious consequences for individual rights
The Grenoble case concerned the unlawful transmission of a French person’s data by a French bank to U.S. authorities in order to combat tax fraud.
Indeed, the U.S. law, the Foreign Account Tax Compliance Act (FATCA), enables U.S. tax authorities to detect U.S. nationals who live outside of the country and hold accounts abroad, to ensure that these nationals comply with their U.S. tax obligations.
Consequently, non-U.S. financial institutions must disclose relevant information about financial accounts held by any of their clients who are identified as a “U.S. person”.
In accordance with a decision from the CNIL dating back to 2015 (pre-GDPR), the CNIL expressly permitted the transfer of personal data relating to U.S. persons residing in France to the U.S. tax authorities, in compliance with FATCA. Such personal data necessarily includes special categories of data (also known as sensitive data defined under Article 9 of the GDPR).
According to Article 9, there is a general prohibition on processing sensitive personal data, unless specific grounds are respected. The judges addressed this point in their judgment, which is further set out below.
In the Grenoble case, the claimant held both Canadian and French nationalities, being originally from Ottawa, Canada, and having since obtained French nationality (having lived in France since 1980). Unfortunately, the claimant was the victim of an administrative mistake (or rather a geographical one) made by the bank with which he had an account.
In 2014, the claimant’s bank informed him that he was considered a U.S. person and requested that he send confirmation of his nationality. The bank advised him that should he fail to do so, the bank would automatically transfer his personal data to the U.S. tax authorities.
The claimant submitted that he had telephoned his bank to advise them that his place of birth, the city of Ottawa, was in fact the capital of Canada, and not the small town in Illinois in the U.S., meaning that there was therefore no lawful justification for transferring his data outside of France. The bank did not accept this justification and transferred the client’s data to U.S. authorities without further notice.
The claimant first became aware of this transfer in 2017 and commenced emergency proceedings before the court, requesting the judge to enjoin the bank to respect his right to be forgotten and to order the rectification of the data transmitted to the U.S. authorities.
Data controller failings
Under French law, the issue at hand in the Grenoble case was whether the transfer of the claimant’s personal data made by the bank to the U.S. authorities was negligent or not.
Unsurprisingly, the French judges ruled that the transfer was manifestly negligent. Indeed, the court highlighted that just because Ottawa is the name of both a Canadian and U.S. city did not automatically permit the bank to erroneously prefer the American city over the Canadian (and correct) one.
The court therefore ordered that the claimant’s personal data be deleted and further enjoined the bank to immediately take all necessary steps to procure that the American authorities also delete all personal data held about the claimant. Pursuant to the terms of the judgment, failure by the bank to do so would result in a financial penalty being applied to the bank.
From a privacy law perspective, the court ruled that the bank also breached its obligations as data controller because it did not seek the claimant’s consent to transfer the data and also failed to take his telephone call into account. Under the GDPR, consent needs to be freely given, specific and informed and constitute an unambiguous indication of an individual’s wishes, by which he or she, by a statement, or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her, which is required when dealing with sensitive, financial information (see Articles 4 and 9, GDPR).
On the facts, such consent was clearly absent in the present case.
Therefore, in accordance with the GDPR, the Grenoble judges gave significant weight to the claimant’s lack of consent, rather than guaranteeing the bank’s and the U.S. tax authorities’ interests.
An implied political message aimed at keeping French personal data far away from U.S. authorities?
Is the decision a little harsh? It will be interesting to see how the French and other EU courts will rule on similar cases when there has not been manifest negligence in respect of the data subject’s birth location. This case clearly decides in favor of the GDPR requirements rather than those set out in the FATCA - but then the decision is of course justified as the claimant was not a U.S. person, and therefore was not concerned by the U.S. law.
Although the Grenoble High Court’s ruling is the right one given the facts of the case, is it possible that this decision nonetheless reflects an underlying French political wish to limit the access U.S. authorities have to French consumers’ personal data?
In a report prepared by the French Committee on Foreign Affairs, the spokesperson referred to the existence of a “mental block” in France, related to the fact that the “impetus [from the FATCA law] came from the United States” and that “the idea of aligning ourselves [i.e., French citizens and organizations] with a model that was developed by the Americans hurts us”.
A key example of this “mental block,” which extends beyond personal data, was the adoption of the French Blocking Statute in 1968. Indeed, U.S. and U.K. civil procedure obligations relating to “discovery” allow these Anglo-Saxon judges to order data disclosure against French parties in respect of information held in France. The French Blocking Statute actually prevents French nationals from complying with such disclosure orders from foreign courts or authorities.
Ironically, however, the existence of this French law does not seem to have slowed down U.S. authorities: since 2010, the CNIL has revealed an increase in the number of discovery orders from American courts directed towards French parties.
A European overreaction? Perhaps, but various factors, such as the Snowden revelations or more recently, Cambridge Analytica, may actually justify France and the EU’s reluctance to transfer data outside of the EEA, and particularly to territories such as the U.S.
In light of this, will the GDPR become the new European excuse for EU parties to avoid complying with laws from non-EU countries which require EU organizations and citizens to transfer data in accordance with their respective, non-EU national rules?
From a legal point of view, the decision from the Grenoble High Court offers insight as to how the French courts are likely to interpret the GDPR provisions in respect of international data transfers outside of the EEA: the answer is, strictly.