Municipality of Beaucaire – Court Ruling (France, 2024)

The French DPA (CNIL) issued a decision against the municipality for multiple violations of the GDPR stemming from a video surveillance system and automatic license plate reading devices. According to the CNIL, the municipality was not a competent authority entitled under the [https://www.legifrance.gouv.fr/codes/texte_lc/LEGITEXT000025503132/ Internal Security Code] (Code de la sécurité intérieure) to implement automated reading devices for the registration plates of vehicles. Additionally, the collection of registration plate data for the sole purpose of responding to the requests of law enforcement officials, exercising their judicial police duties would not correspond to one of the purposes listed in article L. 251-2 of Internal Security Code. Also, the municipality was obliged to perform the DPIA, because 73 cameras covered the areas accessible to the public, inter alia areas close to major routes of passage and several public services and infrastructure. Hence, data processing at hand posed a high risk to rights and freedoms of natural persons and the duty to perform DPIA under Article 35 GDPR was due. The CNIL also found the municipality violated Article 32 GDPR for several reasons, including network infrastructure issues, usage of a server operating systems with no update-support for nearly 10 years and no maintained service by the developer, and for insufficient practices regarding the security of passwords used for applications within the community. The municipality filed an appeal to overrule the decision. The French Supreme Administrative Court (Conseil d'Etat) rejected the appeal. First, the court emphasised that the municipality implemented the devices in question for the sole purpose of responding to the requests of the security forces, i.e., making the data available to the security forces for the exercise of their judicial police duties. However, such a purpose was not provided for in article L. 251-2 of the Internal Security Code, making the ac