CNIL orders Crédit Lyonnais to pay a fine of €45,000

18 October 2006

Ariane Mole

The CNIL has ordered a French bank, "Crédit Lyonnais" (the Bank), to pay a fine of €45,000.00. Thus, the CNIL decided for the first time to make use of its new powers under the Data Protection Act of 6 August 2004.

The Bank was sanctioned for inadequate processing of personal data concerning its debtors, and for refusing to answer the CNIL's requests, since it took the CNIL more than one year, plus two on-site controls, to obtain the required explanations and the suppression of the illegal filings.

This fine by the CNIL sends a strong signal to all controllers, either private or public, which process personal data: by sanctioning the Bank, the CNIL has publicly advertised its willingness to exercise all its powers, including its financial powers.

The CNIL also ordered publication of a summary of its decision in two French newspapers, "Le Figaro", which is widely read, and "La Tribune", a well-known financial magazine.

The CNIL took its decision in June 2006, and posted it on its website at the beginning of September 2006 [1].

I. The facts

In November 2004 and in 2005, the CNIL received four complaints from clients of the Bank, who disagreed with the bank registering them on the central files of debtors held by the "Banque de France" at national level.

One client complained that the Bank had registered his identity as a debtor to the Credit Incidents National File of Debtors ("FICP"), and that his data had not been removed from FICP even though he had paid his debt. This was contrary to French law, which provides that data concerning an unpaid debt to a bank or a credit company, which is centralised in the national file and therefore is accessible to all other banks and credit companies, must be removed once the debt is paid.

The CNIL questioned why the Bank had not updated the data by removing it from the FICP. As the CNIL considered that the answers it received, after many requests, were not satisfactory (the Bank explained that the data relating to the exact circumstances of the filing could not be found), the CNIL decided to investigate on-site, and checked the electronic archives of the Bank. Whilst investigating, the CNIL found that a technical incident, due to a change of processor, had prevented several clients who had paid their debts from being withdrawn from the FICP, as is required by the law.

As the existence of the technical incidents had never been revealed to the CNIL by the Bank, despite various letters and phone calls from the CNIL, the CNIL considered that the Bank was guilty, on the one hand, of incorrect registrations on the FICP, and on the other hand, of refusing to cooperate with the CNIL, which is a criminal offence.

The three other complaints related to illegal registrations in another national file held by the Banque de France, which relates to credit card incidents and is meant to centralise data on persons who misuse their credit cards and therefore are forbidden to use such cards for two years.

The Bank refused to answer the CNIL's requests as to why such filings had been made, on the grounds of professional secrecy. After the CNIL ordered the Bank to answer, it appeared that the clients' names had been filed on the list due to unpaid credits or invalid cheques. Since the non-payments did not result from any use of their credit cards, the Bank should not have used this national file on credit card incidents to register its debtors, and had recorded the debtors' names in the incorrect central national file.

The CNIL considered that the Bank had infringed the adequacy principle, according to which personal data must not be retained after the purpose for which they were collected and processed is fulfilled, and that the Bank had opposed the CNIL's investigation powers.

II. Apart from the fact that it is a strong warning addressed to all persons processing personal data, the decision from the CNIL contains many interesting elements, which can be summarised as follows:

  1. The case emphasises the importance for data controllers to establish internal procedures, in order to avoid deterioration of the relationship with the CNIL. Too often, a mere complaint becomes a difficult case just because the letter received from the CNIL is not dealt with in time, or is not answered by the appropriate department within the company. The CNIL's decision against the Bank makes it very clear that any request from the CNIL for explanations cannot be taken lightly, and that the CNIL has powers to check on-site whether the answers provided are accurate.

  2. The Bank had told the CNIL that it could not find the reasons why the client's name had been kept on the national file of debtors, since the data had been removed. Therefore the CNIL underlined in its decision that the adequacy principle does not mean that such data must be destroyed but instead that it must be archived on a separate file with restricted access, so that the CNIL can access such data where required in order to understand what has happened. Again, this should have an impact on internal procedures carried out by data controllers.

  3. Finally, the decision raises the question as to whether information can be withheld from the CNIL on grounds of banking secrecy, or professional secrecy.

The Bank cited banking secrecy as a reason not to disclose information to the CNIL; the CNIL held that the Bank did so in bad faith. The legal problem however remains, since the amended French Data Protection Act provides, in its article 21, that professional secrecy can be used as grounds for not disclosing information to the CNIL. Therefore, banks, credit or insurance companies, and, more generally, any body bound by professional secrecy, may hesitate to answer the CNIL's requests despite the Crédit Lyonnais case, especially since violation of professional confidentiality is a criminal offence.

One solution would be for the CNIL to ask the individual to waive professional confidentiality; this could be done by means of a letter, which would then allow the data controller to answer the CNIL's requests without breach of professional confidentiality, and within the law.

The CNIL has warned that it will in the near future decide on other sanctions and/or fines.

[1] "Délibération de la CNIL n° 2006-174 du 28 juin 2006 prononçant une sanction pécuniaire à l'encontre du Crédit Lyonnais (LCL)".