In this case, an employee had been dismissed for serious misconduct for sending electronic requests for information to a client and competitor company by impersonating client companies. Thanks to an IT expert using the log files stored on the employer’s servers, the IP address from which the disputed messages were sent was identified as that of the employee. This proof was established by means of a bailiff’s report.
The employee contested his dismissal, arguing that the evidence produced by his employer was unlawful, since the disputed files had not been declared to the French data protection authority, the CNIL.
Reminder: data protection law in France since the entry into force of the GDPR
Since 25 May 2018 (the date the GDPR took effect), the protection of personal data is no longer based on prior control by the CNIL (via normal or simplified declarations, requests for authorisations, etc.) but on a ‘principle of responsibility’ according to which data controllers must ensure that their data processing complies with the applicable regulations on the protection of personal data and be able to demonstrate their compliance in the event of a CNIL inspection.
The Paris Court of Appeal ruled that the dismissal was justified, considering that no prior declaration was necessary for this type of data processing.
Admissibility of evidence that is not lawful under the Data Protection Act but ‘indispensable’
The Court of Cassation, which heard the dispute on further appeal, had to rule on two questions.
First question: Should log files containing IP addresses be declared to the CNIL?
According to the Court of Cassation, the answer was yes. To the extent IP addresses make it possible to indirectly identify a natural person, they are indeed personal data within the meaning of the French Data Protection Act (Loi Informatique et Libertés). Their processing in the context of a logging file should have given rise to a prior declaration to the CNIL.
Second question: should the fact the evidence obtained by the employer through data processing should have been declared to the CNIL automatically lead to its rejection by the trial judges?
The Court of Cassation ruled that it should not be automatically rejected. In accordance with European Court of Human Rights case law (ECHR, 10 October 2006, L.L. v. France, no. 7508/02, s40; ECHR, 13 May 2008, N.N. and T.A. v. Belgium, no. 65097/01, s42), the Court of Cassation stated that the unlawfulness of evidence under the Data Protection Act should not systematically lead to its being ruled inadmissible. Indeed, the trial judges must examine, in the context of a proportionality review, whether the infringement of the employee’s private life caused by the production of this evidence is justified with regard to the employer’s ‘right to evidence’, whether the evidence is ‘indispensable’ to the exercise of this right and strictly proportionate to the aim pursued.
In this case, unlike the Court of Appeal, the Court of Cassation held that ‘the evidence was unlawful’ and without taking a position on the merits, ruled that the Court of Appeal should have conducted the proportionality review needed to accept (if appropriate), that the unlawfully obtained evidence could be admitted in the proceedings. This means the case will have to be retried by the Paris Court of Appeal (composed of a different bench of judges).
Comment: the evolution of the Court of Cassation’s thinking
This ruling marks an important development in the Court of Cassation’s case law concerning the unlawfulness of evidence obtained by data processing that should have been declared to the CNIL.
Until recently, it considered that this evidence should be systematically rejected, so that if the only evidence of the fault at the origin of an employee’s dismissal was unlawful, the dismissal was necessarily not founded in a real, serious cause (Cass. soc., 8 October 2014, no. 13-14.991).
Nevertheless, in the ruling above, the Court clearly states that the production of evidence must be ‘indispensable’, confirming its judgment of 30 September 2020 (Cass. soc, 30 September 2020, no. 19-12.058) in which it allowed the production in court of extracts from an employee’s private Facebook account that infringed her right to a private life. In that case, the Court ruled the production of this evidence had to be ‘indispensable’ for the employer to exercise its right to evidence and the infringement of privacy must be proportionate to the aim pursued (see here for analysis of the case).
This recent case law could be usefully invoked by employers in the event of litigation. It also highlights the need to protect and include data extracted from a log files and IP addresses as personal data in the company’s internal processing registers.
Cass. soc., 25 Nov. 2020, no. 17-19.523 FP-P+B+R+I