La Quadrature du Net – Court Ruling (France, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
La Quadrature du Net challenged a French government decree that allowed a common biometric login system for public services. They argued that the decree didn't have proper consent and collected too much data. This case highlights the importance of lawful consent when handling sensitive information.
What happened
La Quadrature du Net contested a French decree that permitted a biometric authentication system for public services.
Who was affected
Citizens who would use the biometric authentication system for accessing public services were affected.
What the authority found
The court found that the decree lacked a valid legal basis for processing sensitive data, violating consent requirements under GDPR.
Why this matters
This ruling emphasizes that companies must ensure they have proper consent when processing sensitive data. It also sets a precedent for how biometric data should be handled in future cases.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On May 13th, 2019 the French government adopted a decree 2019-452 allowing the creation of a common biometric authentication system for several government and public service websites applicationshttps://www.legifrance.gouv.fr/jorf/id/JORFTEXT000038475477/. This system is part of the FranceConnect project which allows to login public service websites using your login and password of another public service websitehttps://franceconnect.gouv.fr/. The french organization La Quadrature du Net (LQDN) which promotes digital rights and defends freedom of citizens challenged the legality of the decree. The organization argued that the decree is not based on a lawful consent as described in article 4(11) and article 7(4) GDPR and required in article article 9(2)(a) when dealing with sensitive data. LQDN also argued that the data collection was disproportionate to the purpose of the processing. On this topic, LQDN asked the Conseil d'Etat to refer two preliminary questions to the CJEU: *Should the assessment of the validity of the consent be made at the level of each service subject to personal data processing, independently of the existence of another "equivalent" service or at the level of all "equivalent services"? *Are the biometric data collected and processed by a mobile application using facial recognition technology for authentication purposes from certain public services and their partners adequate, relevant and not excessive in relation to the purposes for which they are collected and processed? Lastly, LQDN claimed that the decree was adopted in violation of the procedure required in the then [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037090141/2019-05-12 section 27] of the law n° 78-17 Informatique & Libertés (since replaced by [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822860 article 31(II)]) and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000006527486/2019-07-01 section 22] of the French 1958 Constitution. Does the
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (5)
Other cases involving La Quadrature du Net in FR
Court Ruling
Details
About this data
Cite as: Cookie Fines. La Quadrature du Net - France (2020). Retrieved from cookiefines.eu
Last updated: