The geolocation system is one of the most innovative technologies of recent years. We are indeed familiar with the multiple uses that this technique allows in fields as varied as transport, medical or security. The undeniable usefulness of this technique does not, however, obscure the risks it poses to the privacy of individuals.
Here we come back to a recent decision of the Council of State, which ruled on the question of determining the person responsible for processing data collected by vehicle geolocation software (Council of State 18 December 2015 Loc Car Dream).
The facts at the origin of the case before the Council of State
In this case, a luxury car rental company (Sarl Loc Car Dream) is concerned, which has been imposed a financial penalty of 5,000 euros by the CNIL (French data protection authority) for failing to comply with its reporting and information obligations concerning the geolocation device with which its 36 rental vehicles are equipped.
Following a complaint lodged by a customer who considered that he had not been informed of the existence of a GPS installed in the rented vehicle, the CNIL, after having given formal notice to the company to comply with the requirements of the law of 6 January 1978 concerning the declaration and information concerning the processing of data implemented, carried out a control on the premises of this company.
In particular, the delegation of oversight was able to ascertain that the geolocation system was in continuous operation, day and night, throughout the duration of the lease and that there was no system to deactivate it. Furthermore, the CNIL considered that the information given orally on the existence of the device, at the time of signing the vehicle rental contract, was insufficient with regard to the requirements of Article 32 of the 1978 Act relating to the information of the person concerned by the processing operation.
The CNIL also noted that the company's computer contained computer files containing driving licences, K-bis extracts and other nominative documents, the processing of which had not been the subject of any formality with the CNIL.
The company will challenge the CNIL's deliberation before the Conseil d'Etat by filing a petition for annulment. In its application, the company claims that it does not own all 36 vehicles equipped with geolocation and therefore cannot be considered as the data controller of the data collected by the device in question.
Belonging to a group of companies, this position of data controller could be held by the group's holding company, ISO CONCEPT, or by the other subsidiary, the BOUDET company, which in fact has concluded the geolocation contract with the service provider.
The decision of the Council of State
After recalling the terms of article 3 of the 1978 law defining the data controller as the person who determines the purposes and means of processing, and true to its method of the cluster of indices, the Conseil d'Etat concludes that Loc Car Dream is the data controller. It thus confirms the financial penalty of 5000 euros as well as its publication on the sites of the CNIL and Légifrance.
Before seeing how the Conseil d'Etat assesses the capacity of data controller in this case with regard to Loc Car Dream, let us recall what vehicle geolocation is and what obligations are imposed on the automated data controller.
The technique of geolocation and its risks for privacy
The geolocation system makes it possible to locate an object or a person with a certain precision, on the order of four to five metres for GPS (Global Position System) and slightly higher for GSM (Global System Mobile).
For GPS, the technique consists of equipping the vehicle with a terminal that will transmit the information collected in real time to a server directly accessible through an Internet connection. Thus, as soon as the beacon embedded in the vehicle is located in an area that can receive the GPS signal, the vehicle can be located from a computer or smartphone and sometimes without installing software according to certain solutions proposed by suppliers.
This technology, with its new forms or applications that now extend to the surveillance of employees, children, license plates or insured persons, has raised some concerns, particularly on the part of the CNIL.
The geolocation system is criticized for being too intrusive and for not always respecting the provisions of article 9 of the Civil Code relating to the right to privacy.
With regard to the geolocation of professional vehicles, a system that consists in tracking in real time the movements of the employee from a web access within the company, the Court of Cassation ensures the proportional nature of the use of geolocation, which necessarily infringes the employee's privacy when it is not justified by the legitimate interests of the employer (Social Chamber, 26 November 2012 n°00-42401).
The CNIL remains vigilant with regard to the geolocation system. It has on several occasions expressed reservations about the use that could be made of this system. Its opinion of 19 December 2013 on the draft law on geolocation in the field of judicial investigations (law of 28 March 2014) allows it to stress that geolocation is "particularly sensitive with regard to individual freedoms".
The Commission has also strongly opposed the practice of insurance companies to geolocate their policyholders' vehicles, an insurance service which exists in some countries under the name of "geolocation". pay as you drive. The CNIL considered that such a system, even if it allows the premiums paid by insured drivers to be modulated, constitutes too obvious an infringement of the freedom to come and go and, above all, makes it possible to hold information on criminal offences (Deliberation 2005-278 of 17 Nov. 2005 MAAF Assurance).
Reporting and information obligations when a processing operation is carried out
However, the legal disputes arising from the use of this new technology are mainly due to non-compliance with certain provisions of the law of 6 January 1978. The data controller sometimes fails either to carry out the formalities for declaring the data processing or to bring to the attention of the person concerned by this processing the various information provided for in Articles 7 and 32 of the 1978 Act.
Thus, Article 22 of this law establishes the principle that automated processing of personal data is subject to a declaration to the CNIL. However, this text and the following articles provide for a few exceptions to this obligation to declare, but these remain limited.
On 16 March 2006, the CNIL itself adopted a standard that simplifies the declaration of geolocation devices installed in vehicles made available to employees. This 2006 simplified standard is one of the elements on which the Conseil d'Etat based its decision in this case to qualify the company as the controller of the processing implemented.
With regard to geolocation there is still an important exception to the obligation of prior declaration, it is provided for in Article 230-32 of the Code of Criminal Procedure (resulting from the law of 28 March 2014 relating to geolocation in judicial matters) and states that "the geolocation technique is intended to locate in real time throughout the French territory of a person without his knowledge".
In this situation, it is the judicial authority that authorizes or rejects the request for geolocation within the framework of the judicial investigation, no formalities with the CNIL are required.
This obligation to declare is provided for in order to better protect the privacy of individuals due to the automated processing of their personal data. Article 6 of the 1978 Act provides in this respect that data must be collected fairly and lawfully. It adds in particular that they are collected for specified purposes. Hence the importance of appointing a data controller who, if necessary, will be responsible for any failure to comply with the provisions of the 1978 Act.
Assessment of the capacity of data controller by the Council of State
Imposing a single person responsible for each automated processing of personal data thus avoids a dilution of responsibilities. Thus, article 3 of the law of 1978 clearly states that the data controller is the one who determines the purposes and means of processing. Moreover, Article 32 of the law provides that the identity of this controller must be brought to the attention of the person concerned by the processing.
In the present ruling, the Council of State bases its decision to classify Loc Car Dream as a data controller precisely on article 3 of the law. The company's sole argument, namely that it does not own all the vehicles fitted with the geolocation device, did not stand up to the cluster method developed here by the Conseil d'Etat.
According to the company in question, the real controller would be BOUDET, another subsidiary of the group of companies to which they belong, as it is the latter which owns a large part of the 36 geolocated vehicles. According to the Commission, the proof of this is that it is the BOUDET company which concluded the geolocation contract with an external software provider.
However, according to the Conseil d'Etat, the fact of having concluded a geolocation contract with a Webmaster is not sufficient to confer on a person the status of personal data controller. More than the legal element, it is more the factual elements that must be taken into consideration in order to get as close as possible to the person who is at the origin of the implementation of the geolocation system.
The magistrates will then resort to a factual analysis of the situation, noting that it is the Loc Car Dream company that signs all vehicle rental contracts with customers, that only an employee of this company has the access code to the computer on which the geolocation software is installed and that it is finally the company that declared in 2008 a commitment to comply with the simplified CNIL standard concerning the processing implemented to geolocate employee vehicles.
It is by this beam of clues that the Council of State will consider the company Loc Car Dream as being responsible for the processing of customers' personal data. In its decision, the Conseil d'Etat took into account the fact that the computer giving access to the geolocation data was available at the common reception desk of the group's companies, but that only the wife of the manager of Loc Car Dream had access to it.
In addition, it should be noted that the Conseil d'Etat holds the company responsible for the element of the commitment to comply with the simplified standard concerning the geolocation of employees, whereas in this case this standard is inapplicable since it concerns customers. This clearly shows the pragmatic nature of the method used by the magistrates. Indeed, they considered as indifferent the fact that the company erroneously declared an undertaking to comply with this CNIL standard, the essential point was in the intention, only the natural or legal person feeling responsible could make such an undertaking.
Generally speaking, with the present decision, the Council of State remains faithful to its case law on the assessment of the status of data controller. In another decision, the magistrates had in fact held that Foncia Groupe was the data controller when it determined the nature of the data collected and the rights of access to the data (CE, 12 March 2014, Sté Foncia Groupe 354629).