Cdiscount – Court Ruling (France, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The French Supreme Administrative Court upheld CNIL's guidelines on storing credit card data. Cdiscount argued that frequent customers should not need to give explicit consent for storing their card details, but the court disagreed. This decision reinforces the need for businesses to follow strict consent rules when handling payment information.
What happened
Cdiscount challenged CNIL's rules requiring explicit consent to store credit card data for online purchases.
Who was affected
Customers of Cdiscount who make online purchases and have their credit card data stored.
What the authority found
The court ruled that CNIL acted within its authority by requiring explicit consent for storing credit card data, in line with GDPR.
Why this matters
This ruling emphasizes the importance of obtaining explicit consent for storing sensitive payment information, reminding businesses to prioritize customer consent in their data practices.
GDPR Articles Cited
On 6 September 2018, the CNIL issued a Recommendation on the processing of credit card data in the context of online purchase of goods and services. The recommendation provides that:

(1) Credit card data can only be processed in order to complete a transaction in connection with the performance of a contract;
(2) The storage of such data in order to facilitate subsequent payments is only possible if the data subject:
  (a) has expressed prior and explicit consent; or
  (b) has taken a subscription offering access to additional services, thus intending to enter into a regular commercial relationship.

Cdiscount, a marketplace website, requested the CNIL to modify those rules. It argued that websites should also be able to store credit card data of customers who can reasonably foresee their data will be stored, on the basis of their purchasing frequency. The CNIL did not meet the demand. Cdiscount is thus seeking the annulment of the decision before the French Administrative Supreme Court.

The questions before the Court:

Did the CNIL exceed its remit when interpreting Article 6 GDPR in its Recommendation?
Did the CNIL, by requiring prior and explicit consent, wrongly consider credit card data as a special category of personal data (Article 9 GDPR)?
Does the data controller have a legitimate interest to process credit card data of recurring purchasers under Article 6(1)(f)?
Can the recommendation be annulled on the ground that it creates a distortion of competition with foreign economic operators that are not subject to similar legislation?

The Supreme Administrative Court dismisses the appeal, on the following grounds.

The Court holds that the CNIL acted within its power when interpreting Article 6 GDPR. This power is derived from (Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés). These provisions designate the CNIL as Supervisory authority for France under Article 51 GDPR. They also expressly grant the CNIL power to issue guidelines and recommendations
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Related Cases (0)
No other cases found for Cdiscount in FR
This is the only recorded case for this entity in this jurisdiction.
Details
Ruling Date
10 December 2020
Authority
Commission Nationale de l'Informatique et des Libertés
GDPRhub ID
gdprhub-court-3006
About this data
Cite as: Cookie Fines. Cdiscount - France (2020). Retrieved from cookiefines.eu