Evidence That Infringes Data Protection Law Can Be Admissible In Court If It Is 'Indispensable': A New Ruling From France

• Published date: 14 December 2020
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Trials & Appeals & Compensation
• Law Firm: lus Laboris
• Author: Ms Anne-Laure Périès (Capstan Avocats) and Basile Moore (Capstan Avocats)

The French Court of Cassation has ruled in a decision of 25 November 2020 that the production of evidence that is unlawful under the Data Protection Act is not systematically inadmissible in court proceedings.

Background

In this case, an employee had been dismissed for serious misconduct for sending electronic requests for information to a client and competitor company by impersonating client companies. Thanks to an IT expert using the log files stored on the employer's servers, the IP address from which the disputed messages were sent was identified as that of the employee. This proof was established by means of a bailiff's report.

The employee contested his dismissal, arguing that the evidence produced by his employer was unlawful, since the disputed files had not been declared to the French data protection authority, the CNIL.

Reminder: data protection law in France since the entry into force of the GDPR

Since 25 May 2018 (the date the GDPR took effect), the protection of personal data is no longer based on prior control by the CNIL (via normal or simplified declarations, requests for authorisations, etc.) but on a 'principle of responsibility' according to which data controllers must ensure that their data processing complies with the applicable regulations on the protection of personal data and be able to demonstrate their compliance in the event of a CNIL inspection.

The Paris Court of Appeal ruled that the dismissal was justified, considering that no prior declaration was necessary for this type of data processing.

Admissibility of evidence that is not lawful under the Data Protection Act but 'indispensable'

The Court of Cassation, which heard the dispute on further appeal, had to rule on two questions.

First question: Should log files containing IP addresses be declared to the CNIL?

According to the Court of Cassation, the answer was yes. To the extent IP addresses make it possible to indirectly identify a natural person, they are indeed personal data within the meaning of the French Data Protection Act (Loi Informatique et Libertés). Their processing in the context of a logging file should have given rise to a prior declaration to the CNIL.

Second question: should the fact the evidence obtained by the employer through data processing should have been declared to the CNIL automatically lead to its rejection by the trial judges?

The Court of Cassation ruled that it should not be automatically rejected. In accordance with European Court of Human...