France: a new law authorizing online surveillance to detect tax fraud and customs offences

Online surveillance to detect tax fraud and customs offences introduced by French Finance Act for 2020 

On 28 December 2019, the French Parliament adopted the Finance Act for 2020, empowering French tax and customs administrations to collect and use any freely accessible data that has been made public by the users of online platforms. The data collected can be used by the authorities to identify the commission of specific tax and customs offences. This controversial law raises a number of legal issues, in particular in relation to the protection of privacy and personal data, which we describe in more detail below.

The online platforms covered by the law include social networks (Facebook, Twitter, Instagram etc.), marketplaces (Amazon, eBay etc.) and content sharing platforms (YouTube, Dailymotion etc.). The list of offences is narrowly confined and includes notably illicit tobacco trade and false domiciliation claims. Only public-facing data is caught, i.e. no data from private profiles.

Although the collection of online information by public and judicial authorities to detect crime is not new, this practice has until now only been used by the French tax authorities to confirm suspicions of offences, rather than to uncover them in the first place.

Not even the US tax administration (Internal Revenue Service), although known to be one of the most stringent tax administrations in the world, has adopted this approach; it has instead limited its recourse to online information to corroborating cases already identified as suspicious.

The law was proposed by the French government because it considers that online data is a major source of information in the fight against tax fraud, and that this data is under-exploited. The objective of the law, which took effect on 1 January, is to change the scale of the use of online data by tax and customs administrations by allowing collection of such information by automated means.

We don’t yet know how the collection will occur; no detail is provided in the law regarding the technology that will be employed to systematically harvest vast amounts of data, although it seems likely that scraping techniques will be used.

The granting of these new powers is subject to a three-year trial period. Interestingly, the French Conseil Constitutionnel has approved the law but highlighted the fact that further examination of its compliance with the French Constitution may need to be conducted at the end of the trial period.

Data Protection Issues

The new law raises a number of issues, including the lawfulness of the techniques which will be used to collect such data; how the collection of such data will conform with the various platforms’ online terms of service; and the potential unauthorized use of content protected by intellectual property rights, namely copyright.

Deserving particular attention are the questions related to privacy and data protection. Indeed, the approach chosen by the French government appears to contradict certain essential provisions of the recently reinforced data protection legal framework (GDPR and the French data protection law). Three immediate problems we have identified are as follows:
  • First, this new scheme undermines the cornerstone principle of data minimisation (Article 4, 3° of the French data protection law). Indeed, the massive and widespread collection of data authorized by the new provisions will necessarily involve the collection of extra data having no link with the contemplated purposes, including third party data. 
  • Second, the scheme’s compliance with the principles of data accuracy and fairness is questionable (Article 4, 4° and 1° of the French data protection law). Based on the text of the law, there is uncertainty as to whether only data published by the person who is subject to investigation will be collected, or whether collection will also capture third party personal data insofar as it contains information relating to the subject of the investigation. Not only will this collection of third party data increase the risk of processing imprecise and inaccurate data about the person subject to the investigation (information published by a third party about you may be less accurate than information you publish about yourself), but it may also call into question the fairness principle: it is indeed unlikely that such an unrelated party will reasonably expect that his/her online data will be processed by French tax and customs administrations for someone else’s investigation.
  • Finally, the new scheme is hard to reconcile with the legal framework applicable to the processing of sensitive, special category data, which may be collected as part of the global data collection. Under French data protection law, the processing of sensitive data by tax and customs administrations is permitted subject to satisfaction of the two following cumulative conditions: (i) absolute necessity, and (ii) such data has been manifestly made public by the data subject him/herself (Article 88 of the French data protection law). However, not only may the data collected have been made public by a party unrelated to the case rather than by the data subject him/herself (as mentioned above), but also no condition of "absolute necessity" is provided for in the new law.

The French data protection authority (CNIL) was consulted on the text of the law and delivered a very reserved opinion. The regulator notably reminded the government that the publication of information by platform users does not constitute per se an implicit acceptance of the use of this data for other purposes. The CNIL also highlighted the fact that such general data collection raised issues as to its proportionality and underlined the importance for the concerned tax and customs administrations of having strong privacy by design processes as well as efficient deletion mechanisms in place.

The publication of an implementing decree is expected in May 2020. It should specify the scope of the data that may be collected and provide details regarding the collection and filtering.

We will be following developments.

