3 min

The Policeman Was On A Walk Through The Files

Cybercrime - December 03, 2019

(By Olivier Iteanu, Barrister)

This is a rare case that the Conseil d’État [Council of State, French supreme court for administrative justice] informed us about in a decision rendered on 24 April 2019[1]. A gendarmerie captain was punished with fifteen days’ leave from work for illegally consulting “gendarmerie files”. These unlawful consultations concerned his daughter’s employer as well as some of his family members. All in all, this gendarme reportedly admitted having consulted more than three hundred individual citizen files without legitimate and legal justification. As the policeman contested the sanction—after having acknowledged the facts during the investigation—the administrative courts were seized of this appeal, which resulted in this unprecedented decision by the highest court of the administrative order of France.


LOVEINT, A Little-Known But Very Real Phenomenon

In cybercrime, it has often been said that the first abuses come from within the organization itself. With regards to the processing of personal data, it is human and tempting to consult the system for personal needs. We can also do it to offer a service, for free or—even worse—for a fee. After all, it is so easy, seemingly not so “mean” and sometimes rewarding. For the controller, practice is a nightmare. It is difficult to prevent these behaviours from within. In the American NSA[2], we call it the LOVEINT (we illegally access data for our love partner (LOVE) or out of interest (INT)). In his book “Data and Goliath”, Bruce Schneier, quoting Edward Snowden and a 12-month audit of the NSA carried out between 2011 and 2012, reveals that this practice was reportedly noted 2,776 times on the processing of the National Security Agency, an agency of the US Department of Defense. He adds that the figure should be much higher, because this information comes from the NSA itself… Obviously, the larger the file, the more people are authorized to access it, the greater the risk of LOVEINT developing. There is no reason why this type of behaviour should be limited to public files, and we do not dare to imagine what is happening across the Atlantic in certain large companies, giant collectors of personal data from all over the world containing all kinds of information.


A Phenomenon That Is Difficult To Counter

In the present case, the gendarmerie captain clearly had a special authorisation to access a “gendarmerie file” without further clarification. It can be assumed that this file included fairly intrusive information about the natural persons who were in it. It is obvious that such data cannot be consulted for personal purposes. In law, the point does not raise any difficulties. This is a breach of the principles laid down in Article 5 of the GDPR, according to which, in particular, personal data shall not be processed in a manner incompatible with the purposes for which they were originally collected. These breaches are punished by the possible administrative fine imposed by the CNIL [French data protection authority] on the controller—in this case, the gendarmerie, i.e. the French State. For the gendarme as a natural person, in addition to the disciplinary sanction, Article 226-21 of the French Criminal Code provides for a penalty of up to five years of imprisonment and a fine of up to €300,000.

But the difficulty of these deviances is not legal here. It is of a practical and evidentiary nature. How can we identify and demonstrate that a rightful claimant—one who has the right of access to a processing operation—has violated its principle of purpose during a consultation? What matters here is much more the importance of educating within the organisation to remind us of the limits of the right of access to and consultation of the processing operation, and the technical and organisational set up to limit and detect unlawful consultation. All this must be wrapped up in good legal practices, so that these measures to limit access and consultation of a processing operation can be made enforceable and licit (since they are often related to cyber surveillance) to validate the evidence.

[1] On the case law website legalis.net <https://www.legalis.net/jurisprudences/conseil-detat-7eme-ch-decision-du-24-avril-2019/>

[2] National Security Agency

Send this to a friend