The French Penal Code contains a number of provisions to penalise cyberattacks and personal data breaches. Articles 226-16 to 226-24 cover offences related to non-compliance with the provisions of the General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés).
These offences include unauthorised use of personal data, fraudulent collection of data, and non-compliance with security and data breach notification obligations.
Article 226-16 of the French Penal Code states that: “The offence, including negligence, of processing or having personal data processed without complying with the formalities required by law prior to their implementation is punishable by five years’ imprisonment and a fine of 300,000 euros […].”
Article 226-18 of the French Penal Code also regulates cases of violation or theft of personal data. This article states that “the collection of personal data by fraudulent, unfair or illegal means is punishable by five years in prison and a fine of €300,000”.
There is also a general article on fraudulent access to an automated data processing system (STAD). Article 321-1 of the Criminal Code states that “fraudulent access to or remaining in all or part of an automated data processing system is punishable by three years’ imprisonment and a fine of €100,000.
If the result is either the deletion or modification of data in the system or a change in the functioning of the system, the penalty is five years’ imprisonment and a fine of €150,000 […]”.
It is also important to note paragraph 1 of Article 323-2 of the Criminal Code, which states that “Obstructing or distorting the operation of an automated data processing system is punishable by five years in prison and a fine of 150,000 euros”.
The mental element of the offence of theft or violation of personal data:
The mental element, or criminal intent, is crucial to the classification of these offences. Article 121-3 of the French Penal Code states that ‘there is no crime or offence without the intention to commit it’. This rule means that the perpetrator of a crime or misdemeanour must have intended to commit it in order to be considered responsible, which includes the intention of the conduct and the intention of the result.
Personal data breaches can involve hacking or malicious extraction of personal data. However, some breaches can also be due to negligence, such as a lack of security, especially where controllers subject to the obligations of the GDPR are concerned.
To define personal data theft, we need to refer to the general definition of theft. Theft is the fraudulent removal of another person’s property, and the mental element is constituted when the perpetrator behaves as the owner of the property, knowing that he or she has no rights over it.
In a decision of 20 May 2015 (No. 14-81.336), the Court of Cassation confirmed the mental element of fraudulently remaining in a system and of theft of data, emphasising that the accused was aware that he was in a protected area, having noticed the presence of access control (login and password).
Although the initial access was facilitated by a technical error, the data was deliberately retained and used for personal purposes without authorisation, showing fraudulent intent, which is the mental element required to classify the offences.
A personal data breach is characterised by the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of personal data. The mental element of this type of offence can be due to negligence, such as human error or technical failure, or malicious intent, such as unauthorised access or disclosure for malicious purposes.
The substantive element of the offence of theft or personal data breach:
The decision of the Court of Cassation of 28 June 2017 (No. 16-81.113) illustrates that unauthorised copying of computer files, even if they are freely accessible on an internal network, constitutes theft when the perpetrator acts without the knowledge and against the will of the data owner.
In this case, a lawyer copied his colleague’s personal documents, which were accessible without a password on the shared server of their professional partnership, and sent them to the president of the bar association.
The Court ruled that although the files were easily accessible, their appropriation was fraudulent because it was carried out for purposes unrelated to the company’s operations without prior authorisation from the owner of the documents. This decision confirms that the material element of theft can consist of simple unauthorised copying of data, regardless of its technical availability.
Thus, the element of a personal data breach can be the destruction, loss, alteration, unauthorised disclosure or unauthorised access to personal data. Examples are unauthorised use of passwords or installation of spyware.
In a decision of 10 May 2017 (No. 16-81.822), the Criminal Division of the Court of Cassation illustrates the material element of a violation of personal data protection, particularly in the context of unauthorised use of passwords.
In this case, a lawyer installed spyware (keylogger) on the computer of his wife, who is also a lawyer, to access her private correspondence. The Court of Cassation upheld the decision of the Court of Appeal, emphasising that the use of the software for purposes other than monitoring the law firm’s operations constituted an offence of fraudulently maintaining access to the computer system.
Kind regards
Cabinet Nicolas BRAHIN
Lawyers in NICE
Camilla Nissen MICHELIS
Assistant – Translator