
Data Protection newsflash - 2

Article IT and Data Protection Competition, Retail and Consumer Law Commercial and International Contracts | 15/02/12 | 4 min. | Florence Chafiol

THE CNIL SETS ITS SIGHTS ON THE PROTECTION OF HEALTH DATA


In a decision dated January 9, 2011, the CNIL (French Data Protection Authority) censured a health data host for having made false representations.


Indeed, Article L.111-8 of the French Public Health Code requires hosts of health data to be approved by the Health Minister, upon the advice of the CNIL.

Hosts must therefore provide certain information in their approval application, including, inter alia, the measures taken to ensure the security of the processed data pursuant to Article 34 of French Data Protection Act no. 78-17 of January 6, 1978, known in French as the “loi Informatique et Libertés”. In this respect, the host is required, in particular, to provide information on the IT monitoring and security systems it has set up and on its existing internal control procedures.

Based on the data security assurances presented by the applicant, the CNIL issues its advice which it then submits to the Minister.

In the case at hand, the host had represented in its application that it encrypted all hosted data using a “strong encryption” process. It was thus granted the Health Minister’s approval.

During an on-site inspection in early 2011, the CNIL discovered that not all of the health data was encrypted, and that the data which was protected was only protected by a simple encryption scheme developed in-house.

The CNIL’s sanction committee considered that this constituted a violation of the above-mentioned provisions of the French Public Health Code and the loi Informatique et Libertés, and ruled that the data was thus processed unlawfully. On these grounds, it issued a warning against the host.

Warnings issued by the CNIL are deemed to be real sanctions and, on this basis, may be made public, as in this case.

If, following a warning, the person or company concerned does not remedy the situation, the CNIL may levy a financial penalty. Indeed, the CNIL has its own power to levy penalties and may, without bringing the matter before the courts, order fines of up to EUR 300,000.

In any event, this recent decision demonstrates the CNIL’s growing interest in the security of health data and, more generally, in the security of personal data. The recent studies and consultations launched by the CNIL on smartphones and Cloud computing, for instance, are also an indication of this.

To conclude, it is interesting to note that, even though no financial penalty was ordered, approved hosts considered this decision to be very detrimental to the profession and regret, in this respect, that the CNIL did not publicly disclose the identity of the host in question, so that only that host would be affected and not the entire profession, especially since the relevant stakeholders have no doubts about who this host is.


Website hosts are required to comply with the provisions of the loi Informatique et Libertés

In a decision of December 15, 2011, the Montpellier Court of Appeal clearly ruled that the application of the Act for Trust in the Digital Economy (French acronym: LCEN) of June 21, 2004 does not preclude the application of the loi Informatique et Libertés of January 6, 1978.

Therefore, a website host (in this particular case, a website called Over-blog.com providing users with disk space and software tools to create their own blogs) may also be considered a “data controller” within the meaning of the loi Informatique et Libertés and thus be required to comply with the provisions of said Act.

In this case, a user who regularly used a pseudonym to participate in forums on the Over-blog.com website complained that other users had disclosed his true identity without his knowledge, that true or supposed information about his private life had been disclosed, and that defamatory allegations had been made against him. Considering that this constituted a breach of his privacy, the user had asked the host to remove all mentions of his real name on the website.

The host did not respond to his request, on the grounds that it was a mere host within the meaning of the LCEN, and not a publisher, and so was not liable for the content of the publication, except in the strict circumstances where the unlawful nature of such content is known to it.

Despite the fact that such argumentation on the grounds of the LCEN was legally questionable, the Court ruled that, in any event, the LCEN does not preclude the application of the loi Informatique et Libertés, which clearly provides that “everyone has the right to object, for legitimate reasons, to the processing of any personal data concerning him” (Article 38 of the Act).

In this particular case, the Court ruled that the host, as part of the blog publishing service it offers users, collects and processes personal data concerning those users, by determining the means and purpose of such processing. Consequently, the host could be qualified as a “data controller” within the meaning of the Act and, on this basis, was required to comply with the provisions of the above-mentioned Article 38 and with the request to remove the data.

On this basis, the Court enjoined the host to remove the data in question within 15 days, subject to a penalty of EUR 400 per day of delay after such deadline.

As these were summary proceedings, the Court did not rule on the claim for damages.

This is an interesting decision which creates, for the hosts of websites, new obligations that go further than those set forth stricto sensu in the LCEN, at least when the host can be legally qualified as a “data controller”.



Florence Chafiol-Chaumont - Partner
Chloé Minet - Senior associate
