Decision

Decision no. 2018-765 DC of 12 June 2018

Law related to the protection of personal data

THE CONSTITUTIONAL COUNCIL WAS ASKED TO DECIDE on the law related to the protection of personal data, no. 2018-765 DC, under the conditions set out in Article 61 of the Constitution. In attendance on 16 May 2018: Mr. Bruno RETAILLEAU, Mr. Pascal ALLIZARD, Mr. Serge BABARY, Mr. Jean-Pierre BANSARD, Mr. Philippe BAS, Mr. Jérôme BASCHER, Mr. Arnaud BAZIN, Ms. Martine BERTHET, Ms. Anne-Marie BERTRAND, Ms. Christine BONFANTI-DOSSAT, Mr. François BONHOMME, Ms. Pascale BORIES, Mr. Gilbert BOUCHET, Ms. Céline BOULAY-ESPERONNIER, Mr.Yves BOULOUX, Mr. Jean-Marc BOYER, Mr. Max BRISSON, Ms. Marie-Thérèse BRUGUIÈRE, Mr. François-Noël BUFFET, Mr. François CALVET, Mr. Christian CAMBON, Ms. Agnès CANAYER, Mr. Jean-Noël CARDOUX, Mr. Patrick CHAIZE, Mr. Pierre CHARON, Mr. Alain CHATILLON, Ms. Marie-Christine CHAUVIN, Mr. Guillaume CHEVROLLIER, Mr. Gérard CORNU, Mr. Pierre CUYPERS, Ms. Laure DARCOS, Mr. Mathieu DARNAUD, Mr. Marc-Philippe DAUBRESSE, Ms. Annie DELMONT-KOROPOULIS, Ms. Catherine DEROCHE, Ms. Jacky DEROMEDI, Ms. Chantal DESEYNE, Ms. Catherine DI FOLCO, Mr. Philippe DOMINATI, Mr. Alain DUFAUT, Ms. Catherine DUMAS, Mr. Laurent DUPLOMB, Ms. Nicole DURANTON, Ms. Dominique ESTROSI SASSONE, Ms. Jacqueline EUSTACHE-BRINIO, Mr. Michel FORISSIER, Mr. Bernard FOURNIER, Mr. Christophe-André FRASSA, Mr. Pierre FROGIER, Ms. Joëlle GARRIAUD-MAYLAM, Mr. Jacques GENEST, Ms. Frédérique GERBAUD, Mr. Jordi GINESTA, Mr. Jean-Pierre GRAND, Mr. Daniel GREMILLET, Mr. François GROSDIDIER, Mr. Jacques GROSPERRIN, Mr. Charles GUENÉ, Mr. Jean-Raymond HUGONET, Mr. Benoît HURÉ, Mr. Jean-François HUSSON, Ms. Corinne IMBERT, Ms. Muriel JOURDA, Mr. Alain JOYANDET, Mr. Roger KAROUTCHI, Mr. Marc LAMENIE, Ms. Élisabeth LAMURE, Ms. Christine LANFRANCHI-DORGAL, Ms. Florence LASSARADE, Mr. Antoine LEFÈVRE, Mr. Dominique de LEGGE, Mr. Ronan LE GLEUT, Mr. Jean-Pierre LELEUX, Mr. Henri LEROY, Ms. Brigitte LHERBIER, Mr. Gérard LONGUET, Ms. Vivette LOPEZ, Ms. Viviane MALET, Ms. Marie MERCIER, Ms. Brigitte MICOULEAU, Mr. Alain MILON, Mr. Albéric de MONTGOLFIER, Ms. Patricia MORHET-RICHAUD, Mr. Jean-Marie MORISSET, Mr. Philippe MOUILLER, Mr. Philippe NACHBAR, Mr. Olivier PACCAUD, Mr. Philippe PAUL, Mr. Philippe PEMEZEC, Mr. Stéphane PIEDNOIR, Mr. Jackie PIERRE, Mr. François PILLET, Mr. Rémy POINTEREAU, Mr. Ladislas PONIATOWSKI, Ms. Sophie PRIMAS, Mr. Christophe PRIOU, Ms. Catherine PROCACCIA, Ms. Frédérique PUISSAT, Ms. Isabelle RAIMOND-PAVERO, Mr. Michel RAISON, Mr. Jean-François RAPIN, Ms. Évelyne RENAUD-GARABEDIAN, Mr. Charles REVET, Mr. Hugues SAURY, Mr. René-Paul SAVARY, Mr. Michel SAVIN, Mr. Alain SCHMITZ, Mr. Bruno SIDO, Mr. Jean SOL, Ms. Catherine TROENDLÉ, Mr. Michel VASPART, and Mr. Jean-Pierre VIAL, Senators.

In light of the following texts:

  • the Constitution;
  • Ordinance no. 58-1067 of 7 November 1958 laying down the Institutional Act on the Constitutional Council;
  • Organic Law no. 2017-54 of 20 January 2017 related to independent administrative authorities and public independent authorities;
  • the Treaty on the Functioning of the European Union;
  • Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Directive (EU) 2016/680 of the European Parliament and the Council of 27 April 2016 regarding the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JAI
  • the Code of Criminal Procedure;
  • the Code on Relations Between the Public and the Administration;
  • Law no. 78-17 of 6 January 1978 on information technology, data files and civil liberties;
  • the observations of the Government, registered on 31 May 2018;

And having heard the rapporteur;

THE CONSTITUTIONAL COUNCIL WAS ASKED TO DECIDE ON THE FOLLOWING:

  1. The applicant Senators refer to the Constitutional Council the Law related to the protection of personal data. They make claims to the incomprehensibility and contest the constitutionality of certain provisions of its Articles 1, 4, 5, 7, 13, 16, 20, 21, 30 and 36.
  • On the oversight exercised by the Constitutional Council:
  1. Pursuant to Article 88-1 of the Constitution: "The Republic shall participate in the European Union, constituted by States which have freely chosen to exercise some of their powers in common, by virtue of the treaty on European Union and the Functioning of the European Union, as derived from the Treaty signed in Lisbon on 13 December 2007". Thus, transposing a European Union Directive into domestic law as well as abiding by a regulation of the European Union, when a law aims at adapting it to domestic law, are constitutional requirements.

  2. It is the Constitutional Council's responsibility, under the conditions provided for under Article 61 of the Constitution, regarding a law which purpose is to transpose a European Union directive into domestic law, to oversee the respect of this requirement. Likewise for a law which purpose is to adapt a regulation of the European Union into domestic law. However, the control it exercises for this purpose is subject to a double limitation. Firstly, transposing a directive or adapting a domestic law to a regulation cannot conflict with a rule or principle inherent to France's constitutional identity, except that which has been consented to. In the absence of questioning such a rule or principle, the Constitutional Council has no jurisdiction to oversee the constitutionality of legislative provisions that merely draw the necessary consequences of unconditional and precise provisions of a directive or the provisions of a European Union regulation. Secondly, being required to rule before the law is enacted within the time frame established by Article 61 of the Constitution, the Constitutional Council cannot go before the European Union Court of Justice on the basis of Article 267 of the treaty on the Functioning of the European Union. Consequently, only a legislative provision that is manifestly incompatible with the directive it has the purpose of transposing or the regulation that it is adapting into domestic law can be declared as not in accordance with Article 88-1 of the Constitution. In any event, it is the responsibility of administrative and judicial jurisdictions to oversee the compatibility of the law in terms of France's European commitments and, as the case may be, to go before the European Union Court of Justice for a preliminary ruling.

  3. It follows from the Constitution that these constitutional requirements do not have the effect of undermining the division of matters between the area of law and that of regulation such as determined by the Constitution.

  • On the claim of infringement on the objective of the constitutional value of accessibility and comprehensibility of the law.
  1. The applicant senators claim that the contested text infringes on the objective of the constitutional value of accessibility and comprehensibility of the law given the differences that arise from the link between the provisions of the Law of 6 January 1978, as amended, and the Regulation of 27 April 2016 mentioned above. According to them, this lack of comprehensibility is likely to “seriously mislead” citizens regarding the extent of their rights and obligations in terms of personal data protection. The contested law also infringes upon this same objective on the grounds that that it does not clearly regulate the terms of its application in the communities of the overseas countries and territories in which European Union law is not applicable. In fact, according to the applicants, the law of 6 January 1978 is now only comprehensible when included with the provisions of the 27 April 2016 Regulation, which is not applicable in these territories.

  2. The objective of the constitutional value of accessibility and comprehensibility of the law, as written in Articles 4, 5, 6, and 16 of the Declaration of Human and Civic Rights of 1789, requires that the legislature adopt provisions that are sufficiently precise and unambiguously drafted. It must indeed protect subjects of the law against unconstitutional interpretation and arbitrary risk, without entrusting administrative or judicial authorities with the responsibility for establishing the rules, the determination of which has only been granted to the law by the Constitution.

  3. Firstly, the main objective of the contested law is to modify national legislation related to personal data protection in order to adapt national legislation to the Regulation of 27 April 2016 and to transpose the Directive of 27 April 2016 mentioned above. If, for this purpose, the legislature made the choice to modify the provisions of the Law of 6 January 1978 by introducing provisions some of which were formally different from those of the regulation, it does not result in incomprehensibility of the law. Additionally, Article 32 of the contested law allows the Government, through ordinances, to take the relevant measures in the area of the law necessary to rewrite the Law of 6 January 1978 in totality “in order to bring about the formal corrections and the adaptations necessary to simplify and make it consistent as well as to simplify implementation by the individuals in question of the provisions which bring national law into conformity” with European Union law as well as the measures to “make these changes coherent with all of the legislation applicable to the protection of personal data, to bring about modifications that make it necessary to ensure the respect of the hierarchical standards and the drafting consistency of the texts, to harmonise the law, to remedy any potential errors and omissions of the current law and to repeal the provisions that have become inapplicable”.

  4. Secondly, the contested text does not provide for provisions determining its terms of application in the overseas communities. However, Section 3° of Paragraph I of its Article 32 allows the Government, by ordinance, to take the relevant measures in the area of the law necessary to “adapt and extend overseas the provisions established in Sections 1° and 2° regarding its application in Saint Barthelemy, Saint Pierre and Miquelon, New Caledonia, French Polynesia, Wallis and Futuna and in the French southern and Antarctic areas regarding all of the provisions of the above-mentioned Law no. 78-17 of 6 January 1978 falling within the State's authority”.

  5. New Caledonia, French Polynesia, the French southern and Antarctic areas, Wallis and Futuna, Saint Pierre and Miquelon, and Saint Barthelemy are overseas countries and territories falling within the special association with the European Union established in the fourth part of the treaty on the Functioning of the European Union. The Regulation and Directive of 27 April 2016 do not apply there.

  6. Additionally, in New Caledonia, French Polynesia, the French southern and Antarctic areas and Wallis and Futuna, which are governed by the specialised legislative principle, the Law of 6 January 1978 shall continue to apply in its drafting prior to the contested law. In Pierre and Miquelon and Saint Barthelemy, which are governed by the legislative identity principle, the contested law is applicable, including that which refers to the provisions of the Regulation of 27 April 2016.

  7. Consequently, the absence of provisions specifically determining the terms of application of the contested law in the above-mentioned overseas communities does not bring about an infringement on the objective of the constitutional value of accessibility and comprehensibility of the law.

  8. It follows from the foregoing that the claim of infringement on this objective should be set aside.

  • On certain provisions of Article 1:
  1. Article 1 of the contested law modifies Article 11 of the Law of 6 January 1978 regarding the missions of the Commission Nationale de l'Informatique et des Libertés [French National Commission for Information Technology and Civil Liberties]. Pursuant to the second sentence of Part a of Section 4° of this Article 11, as amended, this commission may “be consulted by the Chairperson of the National Assembly, by the Chairperson of the Senate or by the authorized commissions of the National Assembly and the Senate as well as upon the request of a chairperson of a parliamentary group on any bill of law related to the protection of personal data or to the processing of such data”.

  2. According to the applicants, by adopting these provisions without specifying at what time parliamentary examination of the law proposal for consulting the Commission Nationale de l'Informatique et des Libertés is possible, or within what time frame its decision must be handed down, or what publicity may be given to it, the legislature overstepped the scope of its authority and infringed on the requirements of clarity and honesty in parliamentary debate.

  3. According to the second subparagraph of Article 1 of the organic law of 20 January 2017 mentioned above, regarding the basis of the last subparagraph of Article 34 of the Constitution, the law “sets the rules related to the composition and attribution as well as the fundamental principles related to the organization and the functioning of independent administrative authorities and independent public authorities”. It falls on the legislature to fully exercise the competence granted to it under the Constitution, specifically Article 34.

  4. By establishing that the Commission Nationale de l'Informatique et des Libertés may be consulted on a bill of law related to the protection or processing of personal data by the chairperson, by the competent commissions as well as upon request of a chairperson of a parliamentary group, the legislature sufficiently defined the new allocation thus granted to this independent administrative authority. The terms and conditions according to which this ability may be implemented do not fall within the scope of the law.

  5. Consequently, the second sentence of Part a of Section 4° of Article 11 of the Law of 6 January 1978, which does not infringe on either the requirement of clarity and honesty in parliamentary debate, or on any other constitutional requirement, is constitutional.

  • On certain provisions of Article 4:
  1. Article 4 modifies Articles 17 and 18 of the Law of 6 January 1978 related to the procedure followed before the limited panel of the Commission Nationale de l'Informatique et des Libertés, which hands down penalties against data managers or their subcontractors in the event of a breach of the obligations described in the Regulation of 27 April 2016 and the Law of 6 January 1978. Specifically, Section 2° of this Article 4 integrates a second subparagraph to Article 17 of this law in order to establish that the members of the limited panel deliberate without of the presence of the agents of the commission, with the exception of those in charge of holding the session.

  2. The applicants claim that the circumstances under which the agents of the authorities in charge of penalties are placed under the authority of the chairperson of the commission infringes on the principle of impartiality. Furthermore, by not establishing a separation within the commission group between members of the limited panel and the other members, these provisions do not guarantee the separation between the functions of prosecution and investigation and those of judgments and sanctions imposed by this same principle.

  3. According to Article 16 of the 1789 Declaration: “Any society in which no provision is made for guaranteeing rights or for the separation of powers, has no Constitution”.

  4. Neither the principle of the separation of powers nor any other principle or rule with constitutional value precludes that an independent administrative or public authority, acting within the framework of the requirements of public powers, may exercise punishment powers insofar as necessary to accomplish their mission, when exercising this power is part of the measures of law intended to ensure the protection of the constitutionally guaranteed rights and liberties. Specifically, the principles of independence and impartiality arising from Article 16 of the Declaration of 1789 must be respected.

  5. Firstly, the second subparagraph of Article 17 of the Law of 6 January 1978 establishes that among the agents from the Commission Nationale de l'Informatique et des Libertés only the persons in charge of holding the session may be present during the deliberation of the limited panel. The circumstance that these individuals are placed under the authority of the chairperson of this commission does not infringe on the principle of impartiality.

  6. Secondly, neither the contested provisions nor the rest of Article 4 of the contested law modifies the rules related to separation within the Commission Nationale de l'Informatique et des Libertés between, on the one hand, the functions of prosecution and investigation and, on the other, those of judgments and sanctions. Therefore, the applicants' arguments on this point are without merit in terms of the provisions of Article 4.

  7. It follows from the foregoing that the second subparagraph of Article 17 of the Law of 6 January 1978, which does not infringe upon any other constitutional requirement, is constitutional.

  • On certain provisions of Article 5:
  1. Article 5 extends the right of access and communication recognised under Article 44 of the Law of 6 January 1978 to the authorized members and individuals of the Commission Nationale de l'Informatique et des Libertés. Its Section 5° completes this Article 44 with a paragraph V, which excludes the commission's oversight on processing operations carried out, when exercising their judicial roles, by jurisdictions.

  2. The applicants claim that, in terms of the constitutional public powers, by not establishing an exception to the commission's oversight powers, these provisions infringe on the principle of the autonomy of the constitutional public powers from which arises from the separation of powers protected by Article 16 of the Declaration of 1789 and which is inherent to France's constitutional identity.

  3. Firstly, the Commission Nationale de l'Informatique et des Libertés only exercises its oversight powers within the limits and under the guarantees established by the Regulation of 27 April 2016 and the Law of 6 January 1978. Specifically, pursuant to Section 2° of Article 11 of this law, they are only exercised to oversee that the processing of personal data is implemented in compliance with the provisions of the same law and the other provisions related to the protection of personal data established in the legislative and regulatory texts of European Union Law and France's international commitments.

  4. Secondly, and in any case, oversight operations of the Commission Nationale de l'Informatique et des Libertés do not bring into question the regular functioning of the constitutional public powers.

  5. It follows from the foregoing that the claim of infringement on the principle of the separation of powers should be set aside.

  6. Paragraph V of Article 44 of the Law of 6 January 1978, which does not infringe upon any other constitutional requirement, is constitutional.

  • On certain provisions of Article 7:
  1. Section 2° of Article 7 rewrites Article 45 of the Law of 6 January 1978 to establish different measures that may be taken by the Commission Nationale de l'Informatique et des Libertés in the event of a breach of the obligations established in the Regulation of 27 April 2016 and the Law of 6 January 1978. Paragraphs I and II of this Article 45 allow the chairperson of the Commission to respectively issue warnings or formal notices. Its Paragraph III establishes that the chairperson of the Commission, as the case may be, after having issued a warning or formal notice, may ask the Commission's limited panel to rule on one or more measures, for which a 20 million euros fine or, in the event of a company, 4% of its revenue, may be issued, by virtue of the second sentence of its Section 7°.

  2. The applicants claim that, by allowing the chairperson of the Commission Nationale de l'Informatique et des Libertés to issue formal notices likely to be made public, which constitute penalties having the characteristics of punishment, Paragraph II of Article 45 infringes on the principle of impartiality insofar as these measures are investigated and handed down by a single authority. Additionally, according to them, it allows the same behaviour to give rise to additional warnings or formal notices from the chairperson of the Commission and then to penalties decided upon by the limited panel, the first subparagraph of Paragraph III of the same Article 45 infringes on the principle of the proportionality of offences. Furthermore, by not specifying the criteria according to which a cumulative penalty is possible, Paragraph III infringes on the principle of equality before the law. Finally, insofar as the maximum amount of the fine established in the second sentence of Section 7° term of Paragraph III of Article 45 is 20 million euros or, in the event of a company, 4% of its revenue, the legislature should have increased the rights and guarantees of the individuals thus punished, otherwise it infringes on the right to a fair trial.

  3. Article 45 of the Law of 6 January 1978 grants the Commission Nationale de l'Informatique et des Libertés the power to take the measures and sanctions, in order to prevent, bring an end to or punish negligence committed by data processors or their subcontractors, regarding the provisions of the Regulation of 27 April 2016 and of this Law,

  4. Firstly, when a breach is found and when such breach is subject to compliance, the first subparagraph of Paragraph II of Article 45 allows the chairperson of the Commission to provide formal notice to the data processor or its subcontractor to take the measures necessary in this regard. It also seeks to allow its recipient to comply with the Regulation of 27 April 2016 or the Law of 6 January 1978. Its infringement has no consequences. If this formal notice may be made public, upon the chairperson's request and upon the decision of the Commission's office, this publication does not, in this case, carry a sanction that has a punitive effect. Therefore, the claim of infringement on the principle of impartiality should be set aside as being without merit.

  5. Secondly, according to Article 8 of the 1789 Declaration:
    "The law must prescribe only the punishments that are strictly and evidently necessary, and no one may be punished except by virtue of a Law that has been drawn up and promulgated before the offence is committed, and legally applied". The principles thus established do not only relate to penalties established by criminal courts but extend to any sanction that is a punishment. The principle of the necessity of offences and penalties does not preclude that the same actions committed by the same person may be subject to different charges for the purposes of administrative or criminal sanctions under a different set of rules. Should two proceedings be carried out and lead to a cumulative sanction, the principle of proportionality implies, in any case, that the total amount of potential sanctions pronounced do not exceed the highest amount of one of the sanctions incurred.

  6. It follows from Paragraph I of Article 45 of the Law of 6 January 1978 that the warning it establishes is issued by the chairperson of the Commission to the data processor or its subcontractor when “the processing operations intended” may violate the provisions of the Regulation of 27 April 2016 or the Law of 6 January 1978. Thus, this warning is issued, as a preventive measure, to its recipient even before the breach is committed. Thus, it does not constitute a sanction that is a punishment. Therefore, insofar as neither warnings nor formal notices issued by the chairperson of the Commission constitute sanctions that are punitive, the circumstances of sanctions as established in Paragraph III of Article 45 being cumulative with these measures cannot be considered as being a cumulation of sanctions. Consequently, the claim of infringement on the principle of the proportionality of penalties should be set aside.

  7. Thirdly, according to Article 6 of the 1789 Declaration, the law "must be the same for all, whether it protects or punishes". The principle of equality before the law does not prevent the legislature from regulating different situations in different ways, nor does it depart from equality for reasons of public interest, provided that in both cases, the resulting difference in treatment is directly related to the objectives of the law establishing it.

  8. By allowing the chairperson of the Commission Nationale de l'Informatique et des Libertés to call on the limited panel to pronounce one of the measures for sanctions established in Paragraph III of Article 45 when a data processor or its subcontractor has not respected their obligations under the Regulation of 27 April 2016 or the Law of 6 January 1978, as the case may be, as an addition to a warning or a formal notice, the legislature has not instituted any difference in treatment. Consequently, the claim of infringement on the principle of equality before the law should be set aside.

  9. Lastly, the requirements of impartiality, when an independent administrative authority issues a fine, do not vary on the basis of its maximum amount. Consequently, the claim on the infringement on the principle of impartiality of the second sentence of Section 7° of Paragraph III of Article 45 should be set aside.

  10. It follows from the foregoing that Paragraph I, the first subparagraph of Paragraph II and the second sentence of Section 7° of Paragraph III of Article 45 of the Law of 6 January 1978, which do not infringe upon any other requirement of constitutional law, should be ruled constitutional.

  • On certain provisions of Article 13:
  1. Article 13 modifies Article 9 of the Law of 6 January 1978 in order to establish the regime for processing personal data related to criminal convictions, offences or related security measures, when this data processing is not implemented by the competent authorities for criminal purposes within the meaning of the Directive of 27 April 2016.

  2. According to the new first subparagraph of this Article 9 such data processing may be carried out either “under the oversight of the public authority”, or by the individuals established in Sections 1° to 5° of the same article. Among the latter, Article 13 of the contested law, respectively in Sections 1° and 3° of Article 9, adds private legal persons working with the public justice system and natural or legal persons who, as victims or those implicated or on behalf of the latter, are seeking to prepare, to carry out or to take legal action and to enforce a decision handed down.

  3. According to the applicants, these provisions are undermined by negative incompetence [the legislature erroneously delegating the scope of its own powers], in that the legislature did not sufficiently specify the categories of the persons now authorized to implement such processing of criminal data for purposes other than police or judicial purposes. Furthermore, they do not contain the guarantees necessary for the legal protection regarding respect for privacy, specifically in that they do not establish prior administrative authorization of this data processing.

. Regarding Section 1° of Article 13:

  1. Pursuant to Article 34 of the Constitution, statutes determine the rules concerning the fundamental guarantees granted to citizens for the exercise of their civil liberties. It falls on the legislature to fully exercise the competence granted to it under the Constitution, specifically Article 34.

  2. Article 10 of the European Regulation of 27 April 2016 only authorizes processing personal data in terms of criminal circumstances not relating to the Directive also dated 27 April 2016 under certain conditions, among which implementing processing “under the oversight of the public authority” is included. The legislature limited itself to reproducing these terms in the contested provisions, without itself determining either the category of individuals able to act under the oversight of the public authority, or the purposes that must be sought to implement such data processing. Because of the importance that this data processing has and the nature of the information processed, these provisions, by their consequences, have an effect on the fundamental guarantees granted to citizens to exercise their public freedoms. Therefore, the words “under the oversight of the public authority or” are undermined by negative incompetence.

  3. For the reasons established above, the words “under the oversight of the public authority or” mentioned in Section 1° of Article 13 are unconstitutional. The words “criminal convictions, offences or related security measures can only be carried out” appearing in the first subparagraph of Article 9 of the Law of 6 January 1978 are constitutional.

. Regarding Sections 2° and 3° of Article 13:

  1. The freedom proclaimed by Article 2 of the 1789 Declaration includes the right to respect privacy. Owing to this, collecting, recording, keeping, consulting and communicating information of a personal nature must be justified by general interest and implemented in an adequate and proportional manner.

  2. Firstly, on the one hand, by adopting the provisions of Section 2° of Article 13, the legislature sought to allow the processing of personal data related to criminal convictions, offences or related security measures by persons working with the public justice system, such as associations that help victims or support individuals in the justice system. On the other hand, by adopting the provisions of Section 3° of this same article, the legislature also sought to open this ability to victims or those implicated in criminal proceedings, in order to allow them to prepare or to conduct legal proceedings. In so doing, it sought the goal of the public interest.

  3. Secondly, on the one hand, by establishing that these provisions apply to private legal individuals working with the public justice system that are part of the categories, the list of which is established by decree in the Conseil d'État, made after reasoned opinion and published by the Commission Nationale de l'Informatique et des Libertés, as well as persons acting either as victims or those implicated or on behalf of these latter, the contested provisions sufficiently delineate the scope of the persons thus authorized to implement data processing for personal data related to criminal proceedings.

  4. On the other hand, implementing this processing may only be carried out, in the first case, insofar as strictly necessary to the mission of the person working with the public justice system and, on the second hand, for the time frame strictly proportionate to the purposes sought by victims or those implicated. In the latter case, communication to a third party is only possible under the same conditions and in the strictest terms necessary to achieve the same purposes.

  5. Finally, implementing this data processing is subject to complying with the guarantees established by the Regulation of 27 April 2016, and in particular the conditions imposed by its Articles 5 and 6, and those established by the Law of 6 January 1978.

  6. It follows from the foregoing that the legislature, which was not required to establish an authorization procedure prior to the processing of the data in question, did not infringe on the right to the respect for privacy. Nor did it fall short of its competence. Thus, the claims of infringement on Article 2 of the Declaration of 1789 and Article 34 of the Constitution should be set aside.

  7. The terms “private legal persons working with the public justice system that are part of the categories, the list of which is established by decree in the Conseil d'État, made after reasoned opinion and published by the Commission Nationale de l'Informatique et des Libertés insofar as strictly necessary to their mission” appearing in Section 1° of Article 9 of the Law of 6 January 1978, and the provisions of Section 3° of the same article, which do not infringe on any other constitutional requirements, are constitutional.

  • On certain provisions of Article 16:
  1. Article 16 establishes a new drafting of Chapter IX of the Law of 6 January 1978 dedicated to processing personal data in the field of healthcare. Section 3° of Article 53 of this Law, in this new drafting, nevertheless excludes processing implemented for the purposes of ensuring “services are provided by supplementary healthcare insurance organizations”.

  2. The applicants claim that, due to this exclusion, private supplementary healthcare insurance organizations may have access to personal data from healthcare invoices, without having previously obtained the consent of the patients and that these organizations may use this data for “setting the price of insurance” or “for therapeutic or medical choices”. It results in an infringement on “the patient's freedom to choose his/her doctor and the doctor's freedom to choose the therapy that is most adapted to the patient”.

  3. The contested provisions are limited to making exceptions for processing implemented by supplementary healthcare insurance organizations, for their services, regarding applying the particular provisions of Chapter IX of the Law of 6 January 1978 related to healthcare data processing.

  4. Consequently, on the one hand, they do not exempt the same processing with respect to other provisions of the Regulation of 27 April 2016 and the Law of 6 January 1978 related to the principles governing personal data processing and the rights afforded to the persons whose data is collected. In this regard, pursuant to Article 5 of this Regulation, healthcare data gathered within the framework of this processing cannot be subject to further processing that is incompatible with the original purpose of data processing, which can only be, regarding the contested provisions, the service of providing healthcare insurance.

  5. On the other hand, the contested provisions, in any case, do not have the effect of authorizing these organizations to impose upon their insured the choice of a doctor nor to prohibit this latter from making medical decisions.

  6. It follows from all of the foregoing that the claim is wrong on the facts. The words “services provided by supplementary healthcare insurance organizations” appearing in Section 3° of Article 53 of the Law of 6 January 1978, which does not infringe on any other constitutional requirement, is constitutional.

  • On certain provisions of Article 20:
  1. Article 20 introduces a new Article 7-1 in the Law of 6 January 1978 according to which a minor may by himself/herself consent to the processing of personal data “regarding the direct offer of the information company services from the age of 15”. According to the second Subparagraph of this Article: “When a minor is younger than 15, personal data processing is only legal if consent is given both by the minor in question and the parental authority in charge of this minor”.

  2. The applicants claim that the second subparagraph of this Article 7-1 infringes on the requirements applicable to European law that results from Article 88-1 of the Constitution. According to them, by establishing that, when a minor is younger than 15 years old, processing their personal data is only legal if consent is given both by the minor in question and the person entitled to parental authority, the legislature announced a rule that is contrary to the Regulation of 27 April 2016, which requires, in such a case, that consent is only required from one of the parental authorities.

  3. According to Article 8 of the Regulation of 27 April 2016:
    “When Article 6, Paragraph 1, point a) applies, in terms of the direct offer of information company services to children, processing the personal data related to a child is legal when the child is at least 16 years old. When the child is younger than 16, this data processing is only legal if, and insofar as, consent is granted or authorized by the person entitled to the child's parental authority. - The Member States may establish by law a younger age for these purposes as long as this younger age is not below 13”.

  4. It follows that the use of the terms “granted or authorized” that the Regulation allows Member States to establish that either consent must be given related to the minor by their parental authority, or that the minor is authorized to consent by the parental authority, which therefore implies that dual consent is established in the contested text. The contested provisions are thus not manifestly incompatible with the Regulation for which they have adapted national law. The result is that the claim of infringement of Article 88-1 of the Constitution should thus be set aside.

  5. The second subparagraph of Article 7-1 of the Law of 6 January 1978, which does not infringe upon any other constitutional requirement, are constitutional.

  • On certain provisions of Article 21:
  1. Article 21 modifies Article 10 of the Law of 6 January 1978 in order to extend the cases in which, by exception, a decision having legal effects with regard to a person or significantly affecting them may be made on the basis of automated processing of personal data. Based on Section 2° of this Article 10 it is likewise for individual administrative decisions when the processing algorithm used does not relate to sensitive data, that administrative recourse is possible and that information is provided by the use of the algorithm.

  2. The applicants feel that by authorizing the administration to make individual decisions based only on an algorithm, this would lead to renouncing their assessment power over individual situations, and that Section 2° of Article 10 of the Law of 6 January 1978 infringes on the guarantee of rights and Article 21 of the Constitution. These requirements also infringe in the sense that the existence of “self-learning” algorithms may themselves revise the rules that they apply, according to them in this regard, hindering the administration knowing the rules on the basis of which administrative decisions have essentially been made. Furthermore, the applicants deem that, barring sufficient guarantees, the legislature will have infringed “on the principles of the constitutional value governing the exercise of regulatory power” insofar as, on the one hand, there is no guarantee that the rules applied by the algorithms are in compliance with the law and, on the other, the administration would have abandoned their regulatory power to algorithms defining their own rules. The rules applied by this type of algorithm cannot be determined in advance, which also results in an infringement on the “principle of the public nature of regulations”. Finally, the applicants claim that the contested provisions have no normative scope and, barring this, that they are, by their complexity, contrary to the objective of the constitutional value of accessibility and comprehensibility of the law.

  3. Article 21 of the Constitution grants regulatory power to the Prime Minister, subject to the provisions of Article 13.

  4. The contested provisions allow the administration to adopt individual decisions having legal effects or decisions which significantly affect a person only on the basis of an algorithm.

  5. However, firstly, these provisions are limited to authorizing the administration to carry out an individual assessment of the situation, only through an algorithm, based on the rules and criteria defined in advance by the data processor. They have neither the purpose or effect of authorizing the administration to adopt decisions without a legal basis, nor to apply other rules than those of the law in force. Therefore, there is no abandonment of the competence of regulatory power.

  6. Secondly, only having recourse to an algorithm as the basis of an individual administrative decision is subject to compliance with three conditions. On the one hand, in compliance with Article L. 311-3-1 of the Code of the Relationship Between the Public and the Administration, an individual administrative decision must explicitly mention that it has been adopted on the basis of an algorithm and the main characteristics of implementing the latter must be communicated to the person in question, upon their request. It follows that, when the principles of the functioning of an algorithm cannot be communicated without infringing on one of the secrets or interests set out under Section 2° of Article L. 311-5 of the Code of the Relationship Between the Public and the Administration, no individual decision shall be made on the exclusive basis of this algorithm. On the other hand, the individual administrative decision must be subject to administrative recourse, in compliance with the first chapter of the first title of the fourth book of the Code of the Relationship Between the Public and the Administration. The administration sought for this recourse is then required to decide without being exclusively based on the algorithm. Furthermore, the administrative decision, in the event of a dispute, is placed under the judge's review, who may require the administration to disclose the characteristics of the algorithm. Finally, only using an algorithm is excluded if this data processing relates to any of the sensitive data mentioned in Paragraph I of Article 8 of the Law of 6 January 1978, which is personal data “that refers to the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of a natural person”, genetic data, biometric data, healthcare data, or data related to the sexual life or orientation of a natural person.

  7. Lastly, the data processor must ensure managing the algorithmic processing and its changes in order to be able to explain, in detail and in an intelligible format, to the person in question how the data processing has been implemented to him/her. It results that, as an exclusive basis for an individual administrative decision, algorithms likely to revise by themselves the rules to which they apply cannot be used, without the oversight and validation of the data processor.

  8. It follows from all the foregoing that the legislature defined the appropriate guarantees to safeguard the rights and freedoms of the individuals subject to individual administrative decisions made based exclusively on an algorithm. Thus, the claims of infringement on Article 16 of the Declaration of 1789 and Article 21 of the Constitution should be set aside. Section 2° of Article 10 of the Law of 6 January 1978, which is not devoid of normative scope and is not incomprehensible and does not infringe upon any other constitutional requirement, is constitutional.

  • On certain provisions of Article 30:
  1. Article 30 inserts a new Chapter XIII in the Law of 6 January 1978, including Articles 70-1 to 70-27 and applicable to data processing related to the Directive of 27 April 2016. These provisions govern the processing of personal data implemented “for the purposes of prevention and detection of criminal offences, investigations and prosecutions related to or carrying out criminal sanctions, including the protection against threats to public security and preventing such threats”. The first subparagraph of the new Article 70-1 the specifically determines the persons authorized to implement such data processing. The new Article 70-2 sets the conditions under which sensitive data, under the meaning of Paragraph I of Article 8 of the Law of 6 January 1978, may be subject to such processing.

  2. According to the applicants, these provisions do not sufficiently specify the persons authorized to implement such personal data processing related to offences, investigations or criminal prosecutions Furthermore, they do not define the “appropriate guarantees for the rights and freedoms of the person in question” to which they refer when this data processing includes sensitive data. They result in an infringement on the scope of the legislature's authority.

  3. Firstly, under the first Paragraph of Article 70-1, the provisions of Chapter XIII of the Law of 6 January 1978, governing personal data processing in the criminal domain, on the one hand, apply to the competent public authorities in terms of preventing and detecting criminal offences, investigations and criminal prosecutions and carrying out criminal sanctions, including relating to the protection against threats to public security that may lead to a criminal offence and preventing such threats. They apply, on the other hand, to any organization or entity to which a provision of national law has allowed exercising public authority and the prerogatives of public powers, for the same purposes. In so doing, the legislature sufficiently defined the categories of persons that may implement the processing of the data in question.

  4. Secondly, Article 70-2 sets out that processing personal data is only possible if absolutely necessary, subject to the appropriate guarantees for the rights and freedoms of the person in question, and if it is authorized by a legislative or regulatory provision, if it seeks to protect the vital interests of a natural person or if it relates to data manifestly made public by the person in question. By thus mentioning the “appropriate guarantees for the rights and freedoms”, which are included in those that are established in Chapter XIII of the Law of 6 January 1978, the legislature sought to refer to the rules related to collecting, accessing, and securing the data, determined on a case-by-case basis for the purpose of each data processing. Additionally, by adopting the contested provisions, the legislature did not go beyond the competence attributed to it under Article 34 of the Constitution to set the rules related to the fundamental guarantees granted to the citizens to exercise their public freedoms.

  5. The claim of infringement on Article 34 of the Constitution should thus be set aside. The first subparagraph of Article 70-1 and Article 70-2 of the Law of 6 January 1978, which in any event does not infringe on any other constitutional requirement, sis constitutional.

  • On certain provisions of Article 36:
  1. Article 36 rewrites Article 230-8 of the Code of Criminal Procedure defining the conditions under which references to previous legal proceedings appearing in personal data processing in order to facilitate establishing offences to criminal law may be erased. These provisions establish that the Public Prosecutor has jurisdiction to order the erasure or the rectification of this data, motu proprio or at the request of the person to whom this data pertains. The terms of the fourth to the eighth sentences of the first Subparagraph of Article 230-8 state: “The person in question may make this request immediately following a final decision of acquittal or conviction with no penalty or exemption from mentioning the criminal record, dropped or dismissed cases. In other cases, the person may only make his/her request, on penalty of inadmissibility, if there is no longer any mention of a criminal nature in Bulletin no. 2 of their criminal record. In the event that a decision of discharge or acquittal becomes final, the personal data of the persons in question shall be erased, unless the Public Prosecutor decides that it be maintained, in which case this will be recorded. When the Public Prosecutor decides to maintain the personal data regarding a person for whom the discharge or acquittal decision has become final, they shall advise the individual in question thereof. In the event of a decision to dismiss or to drop the case with no further action, the personal data related to the person in question shall be subject to being recorded, unless the Public Prosecutor orders the erasure of personal data.”

  2. The applicants claim that the fourth to the eighth sentences of the first Subparagraph of Article 230-8 of the Code of Criminal Procedure infringe on the right to respect for privacy when a person has not been subject to a decision that has become final for an acquittal or a conviction with no penalty or no mention in the criminal record, of dropped or dismissed cases cannot request the erasure or rectification of the indications related to them except “if there is no longer any mention of a criminal nature in Bulletin no. 2 of their criminal record”, even if this indication has no relation with the indication at the origin of the request. Furthermore, the distinction indicated in these provisions, in terms of the motu proprio erasure of data, between individuals whose cases have been acquitted and those whose cases have been dropped or dismissed infringes on the principle of equality before the law.

.Regarding the claim of infringement on the right to respect for privacy:

  1. On the one hand, by authorizing the creation of personal data processing documenting criminal records and the access to this data processing by authorities vested by the law with judicial police authority and by certain persons vested with administrative police authority, the legislature sought to provide them a tool to help them with judicial and certain administrative investigations. It also sought the objective of the constitutional value of searching for the authors of infringements and preventing attacks to public order.

  2. On the other hand, particularly sensitive data is mentioned in this file, such data may be examined not only to establish criminal law infringement, to gather proof of these infringements and to find their authors, but also for the purposes of administrative police. Furthermore, the legislature did not establish a maximum retention period of the information recorded. However, on the one hand, the contested provisions allow any person for whom a decision that has become final for an acquittal or a conviction with no penalty or mention in the criminal record, whose cases have been dropped or dismissed, to immediately request that their data be erased or rectified. On the other hand, in the absence of such a decision, the person may demand their data to be erased or rectified as soon as there is no longer any mention of a criminal nature in Bulletin no. 2 of their criminal record. Independently of the legal rules for withdrawal of any mention of a conviction in Bulletin no. 2, the criminal judge may expressly exclude such an indication when they decide on this conviction or by a judgment handed down after the convicted individual requests it. Finally, this indication is erased in the event of rehabilitation acquired legally or through judicial rehabilitation.

  3. It follows from the foregoing that the claim of infringement on the right to respect privacy should be set aside.

. Regarding the claim of infringement on the principle of equality before the law:

  1. In terms of the contested provisions, the legislature treated individuals differently subject to a decision of discharge or acquittal becoming final and those subject to a decision that has been dropped or dismissed. For the former, personal data must be erased motu proprio to its processing, for the latter, the data is kept barring a decision to the contrary by the Public Prosecutor.

  2. However, this difference in treatment corresponds to a difference in situation, the decisions of discharge or acquittal having res judicata authority and hindering this person being again convicted or charged for the same facts while decisions that have been dropped or dismissed are not prohibited from criminal action. This difference in treatment is in line with the purposes of the law, which is to allow data to be kept specifically for the purpose of facilitating establishing criminal law infringements. Thus, the claim of infringement on the principle of equality before the law should be set aside.

  3. It follows from the foregoing that the fourth to the eighth sentences of the first subparagraph of Article 230-8 of the Code of Criminal Procedure, which do not infringe upon any other requirement of constitutional laws, are constitutional.

  • On other provisions:
  1. The Constitutional Council raised no other issues regarding conformity with e Constitution and has no ruling on the constitutionality of any provision other than those brought up in this decision.

THE CONSTITUTIONAL COUNCIL DECIDES:

Article 1. - The terms “under the oversight of the public authority or” mentioned in Section 1° of Article 13 of the law or related to the protection of personal data are unconstitutional.

Article 2. - The following provisions, in their drafting resulting from the contested law, are constitutional:

  • the second subparagraph of Article 7-1 of Law no. 78-17 of 6 January 1978 on information technology, data files and personal freedoms;
  • the terms “criminal convictions, offences or related security measures can only be carried out” appearing in the first subparagraph of Article 9 of the same Law of 6 January 1978, the terms “private legal individuals working with the public justice system that are part of the categories, the list of which is established by decree in the Conseil d'État, made after reasoned opinion and published by the Commission Nationale de l'Informatique et des Libertés insofar as strictly necessary to their mission” appearing in Section 1° and Section 1° of the same article;
  • Section 2° Article 10 of the same law;
  • the second sentence of Section a to 4° of Article 11 of the same law;
  • the second subparagraph of Article 17 of the same law;
  • Paragraph V of Article 40 for the same law;
  • Paragraph I, the first subparagraph of Paragraph II and the second sentence of Section 7° of Paragraph III of Article 45 of the same law;
  • the terms “services provided by supplementary healthcare insurance organizations” appearing in Section 3° of Article 53 of the same law;
  • the first subparagraph of Article 70-1 and Article 70-2 of the same law;
  • the fourth to the eighth sentence of the first subparagraph of Article 230-8 of the Code of Criminal Procedure:

Article 3. - This decision shall be published in the Journal Officiel of the French Republic.

Deliberated by the Constitutional Council in its session of 12 June 2018, in attendance: Mr. Laurent FABIUS, Chairperson, Ms. Claire BAZY MALAURIE, Mr. Valéry GISCARD d'ESTAING, Mr. Jean-Jacques HYEST, Mr. Lionel JOSPIN, Ms. Dominique LOTTIN, Ms. Corinne LUQUIENS, Ms. Nicole MAESTRACCI and Mr. Michel PINAULT.
Made public on 12 June 2018.

JORF no. 0141 of 21 June 2018 text no. 2
ECLI:FR:CC:2018:2018.765.DC

À voir aussi sur le site : Communiqué de presse, Commentaire, Dossier documentaire, Texte adopté, Saisine par 60 sénateurs, Observations du Gouvernement, Liste des contributions extérieures, Dossier législatif AN, Dossier législatif Sénat, Références doctrinales.