29 Avr Personal data protection and database IPR – Warning : Invest in Compliance or your IPR is worthless.
Companies invest a lot of money to develop software and gather information on clients to create database. It is a very interesting marketing tool i.e. to target the clientele, to expend it, to spread commercial news etc.
Therefore, database are companies’ valuable assets, which sometimes are worth a lot.
Personal data protection is a burning issue since the NSA/Snowden case. Personal data are collected en masse through everyday new logged technology devices (GPS, smartphones, tablets, computers, connected devices etc.). A lot of people and institutions point out the risk of wrongful use of these data for security, political or business purposes.
Big technology companies (such as Google, Facebook, Apple) are trying to liberalize the data protection legislation in Europe in order to make database an easy, cheap and money-making business asset.
The legislation pertaining to database stems from the European Directive n°96/9, dated 11th March 1996 (“the Database Directive”). Its article 3 states that a database is protected by an intellectual property right, on some conditions, the main being that the producer of the database has invested in the constitution of the database.
The Database Directive has been transposed all over the EU, making the law on database applicable for more than 500 million of individuals.
Personal data legislation in Europe has been enacted in 1995, by the Data Protection Directive n°95/46/EC of the 24th October 1995 (“the Data Protection Directive”). In France, the violation of the national legislation adopted in accordance with the Data Protection Directive results in two types of sanctions:
– a criminal penalty can be pronounced by criminal courts,
– and since 2006, the Data Protection Commission (“Commission Nationale Informatique et Libertés” or “CNIL”) can impose financial sanctions up to 150.000€.
However in practice, companies do not invest a lot in compliance with data protection law. They consider the risk of sanction from the CNIL too low to bother. On the other hand, sanctions pronounced by criminal courts are very low. Hereafter are a few examples to emphasize on that point.
1. Criminal sanctions: according to the French Criminal Code, a breach of the DPA can be punished with a 300.000 € fine and a five-year maximum prison term. However, Courts never rule that harshly. For instance, a private investigator had put a GPS under the car of the person he was following. The collection of personal data (the whereabouts of the victim) was of course not declared to the Data Protection Commissioner. The private investigator was sanctioned by a fine of 4.000 €.
2. Financial sanctions: the CNIL is entitled to sentence a wrongdoer to a fine going from 150.000 € up to 300.000 € maximum. The average financial sanction is more in the region of 20.000 €, except for Google which got a 150.000 € fine for breach of the confidentiality provisions of the DPA. Even this amount is really low for Google.
So, from a company’s perspective, not complying with the law is not that costly.
A recent decision may change the landscape.
In a case decided on the 25th June 2013, the French Cour de cassation (Supreme Court) ruled that the sale of a customer database must be held null and void when the database does not comply with data protection law.
The facts were as follows: the company Bout-Chard was specialized in selling wine. It collected data on clients (addresses, telephone numbers and so on) and gathered them in a digital file. This file was sold to a Mr Doe.
Later on, Mr Doe discovered that he was not entitled to use that file since it had not been stated to the French Information Commissioner’s Office. He then sued Bout-Chard to obtain that the contract be held null and void.
The argument was that since Bout-Chard did not comply with the foresaid compulsory formality, the customer file was not legally existent and, therefore, the sale’s subject matter was illicit, making the sale null and void.
The Court of Appeal refused to follow this reasoning. On the contrary, the Supreme Court held that this formality was necessary to make the sale valid.
The consequences of that case are very important on the parties’ side: the client may claim to be reimbursed from the sale price. From the seller’s perspective, the clients file is worth nothing.
The practical consequences is that lawyers (in-house or in law firms) must be aware that when they negotiate and draft M&A contracts or deal with accounts of a company, they shall give particular attention to data protection law compliance.
It also means that companies selling or renting customers files or organizing mailings for advertisers shall first get advices from legal practitioners on the formalities they have to fulfill.
In any circumstances, companies investing money in gathering personal data to create database shall also invest time on data protection compliance and lawyers assisting during these processes shall fulfill their obligation to fully advice their clients on that matter, keeping themselves from putting their professional liability on the line.
Article written with Cécile GUYOT, Pupil