When the 2020 finance bill (No. 2272) was tabled last September in the National Assembly, one article from this bill was particularly noted: Article 57, and with good reason.
This article, whose title appearing in the bill is: ” possibility for the tax and customs administrations to collect and use the data made public on the websites of social networks and platform operators“, provides, for a period limited to 3 years, that the French tax administration and the customs and excise tax administration may collect and exploit, by means of computerised and automated processing using no facial recognition systems, freely accessible content published on the internet by users of online platform operators mentioned in section 2 of point I of Article L. 111-7 of the Consumer Code, in order to search for offences like those mentioned in Article 1728 (1) (b) and (c), Articles 1729, 1791, 1791-ter, sections 3, 8 and 10 of Article 1810 of the General Tax Code, as well as Articles 411, 412, 414, 414-2 and 415 of the Customs Code.
This article also provided that this data could be kept for a maximum period of 1 year from its collection and destroyed at the end of this period, but that this data could be kept within the framework of criminal, tax or customs proceedings until the end of the procedure.
So to illustrate this point, we take the example of the authorised agent who collects your data on an online platform, and decides to sue you in the context of an ESPF (examination of personal tax situation): your data will be kept until the end of it.
However, if your data is recovered and you are not ultimately the subject of any prosecution (criminal, tax or customs), your data should be automatically deleted after one year – but what about the deletion of this data? Will this deletion be automatic, as indicated, or will we have to make a request for it? Provided that the person has been informed that their data has been collected.
A document was published on the National Assembly website “reporting on the progress of the work of the rapporteur for opinion, Mr Philippe Latombe”, dated 28 October 2019 and called: “Article 57 of the 2020 Finance Bill (No. 2272)”, which provides that: “Article 57 specifies the procedures for exercising access and opposition rights, in compliance with the provisions of the European data protection regulation which would govern processing of this nature and the Law of 6 January 1978 relating to data processing, files and freedoms.
By virtue of these provisions and in the absence of details contrary to Article 57, the right to information of the persons concerned would apply ipso jure and without restriction, under the conditions provided for in Article 48 of the aforementioned Law of 6 January 1978. ».
But as indicated above, it is still necessary for the person whose data has been collected to know that it has been collected in order to be able to exercise their right of access to it.
In addition, we wonder greatly about “the software” that will collect your data: will it be able to erase it by itself after a year, or will this require human intervention; in the second case, will this need to be rigorously monitored for all data to be deleted by a specific date? Besides, how can we make a distinction between the data that could prove useful in the fight against tax fraud and the rest of it? By collecting data from internet users on a huge scale, isn’t there a risk of it being misused? Collected data that is useless in the search for tax or customs offences would certainly be deleted within 30 days, but will still have been collected and exploited? Can we not see this as an attack on the privacy of internet users?
How could the National Assembly validate this Article 57 of this project No. 2272? Knowing that the National Commission on Information Technology and Liberties had warned in September that this would greatly affect internet users’ privacy.
So yes, safeguards have been taken since the representatives wanted to prohibit this from being subcontracted to a private company, just as only “strictly necessary” data must be collected, but what about what is meant by “strictly necessary”? Who can determine what is and what isn’t?
It will therefore be imperative to carefully examine the future decree of the Council of State which will have to frame this new practice.
Moreover, this Article 57 would not have to appear on this bill, indeed a certain number of authors but also the Council of State did not fail to point out that “it concerns neither the resources nor the charges of the State and they are not moreover relative to the base, the rate and the methods of recovery of taxes of any kind which do not affect the budgetary balance”; consequently it does not have to appear in the finance law.
The finance has committee remained closed to these various criticisms.
The members of the National Assembly see in this article the possibility of improving tax fraud detection and strengthening the targeting of tax audits. This would provide a more important panel of information to the tax administration in its fight against tax fraud (knowing that the latter already has automated data processing called “fraud targeting and request valuation”, while allowing it not to remain helpless in the face of technical and computing advances.
If certain authors thought that this Article 57 of this bill would be declared contrary to the Constitution by the Constitutional Council, in light of the various questions it raises and in particular with regard to its inclusion within the 2020 finance bill, they were wrong.
In its Decision No. 2019-796, dated 27 December 2019, the Constitutional Council decreed that Article 154 (named Article 57 in the bill) had its place in the finance law, indeed the Constitutional Council states in point 78 of its decision that: “Article 154 of the referred law aims, in order to combat tax fraud, to provide the tax and customs administrations with a new control system for tax collection. This article therefore has its place in a finance law. »
Concerning the provisions of Article 154, the Constitutional Council recalled that it was necessary to reconcile the right to respect for privacy (Article 2 of the Declaration of Human and Citizen Rights) with the objective with constitutional value of fighting against tax fraud.
The Constitutional Council recalls that by granting such powers to the tax and customs administrations, the legislator wished to reinforce these administrations’ means of control in order to enable them to fight tax fraud effectively; however, the Constitutional Council recognises that such provisions may dissuade internet users from using online services or at least reduce their use, which undermines their freedom of expression and communication.
The Constitutional Council also recalls that in addition to helping to combat tax fraud, these provisions will be regulated since they are limited for the purposes of researching certain offences, which are exhaustively listed.
The Constitutional Council recalls that thirdly, the data likely to be collected and exploited must meet two cumulative conditions:
- That this data is freely accessible on an online public communication service, which excludes data accessed by entering a password or after registering on the site with the information;
- That this data is made public by the site’s users, moreover this data must relate only to the person who deliberately disclosed it.
The Constitutional Council recalls certain safeguards, such as the fact that this data can only be collected and exploited by agents authorised to do so, and that the processing of this data could not include any facial recognition system.
The Constitutional Council provides some clarifications in paragraph 89: “data which is manifestly unrelated to the breaches and infringements sought or which constitute sensitive data is destroyed at the latest within five days of being collected, without any other use possible of this data during this period. The other data must be destroyed within 30 days if it is not such as to contribute to detecting breaches or infringements. »
It also states in paragraph 90 that “it follows that no criminal, tax or customs procedure can be initiated without an individual assessment of the person’s situation by the administration, which cannot then rely exclusively on the results of automated processing”. Moreover, those affected by the collection and use of their data will be able to benefit from the guarantees on access to the data, rectification and erasure of this data, as well as restriction of its processing. But once again, as stated above, the data subject must still have been informed of the collection and use of their data…
The Constitutional Council concludes by recalling that the implementation of data processing, both with regard to its creation and its use, must be proportionate to the aims pursued.
For the Constitutional Council, in view of the limits and guarantees provided by the legislator in drafting this Article 154, this makes it possible to reconcile “the right to respect for privacy and the objective of constitutional value of the fight against fraud and tax evasion. It also follows that interference with the exercise of freedom of expression and communication is necessary, appropriate and proportionate to the objectives pursued. »
Note, however, that the Constitutional Council declared “the automated collection and exploitation of data for searching the breach provided for in Article 1728 (1) (b) of the General Tax Code, which sanctions, with an increase of 40%, failure or delay in filing a tax return within 30 days of receiving a formal notice. However, in such a situation, the administration, which has given the taxpayer notice to file their declaration, is already aware of a breach of tax law, without having to resort to the automated device for collecting personal data. Consequently, by allowing the implementation of such a device for the simple investigation of this breach, the contested provisions entail, for the right to respect for privacy and to freedom of expression and communication, an infringement which cannot be regarded as proportionate to the aim pursued. Consequently, the words “b and” appearing in the first paragraph of paragraph I of Article 154 are contrary to the Constitution. »
The rest of paragraph I of Article 154, according to the Constitutional Council, does not ignore any other constitutional requirement, and is in compliance with the Constitution.
Therefore, with regard to this decision, it would seem that there is now a need to be extra-vigilant with regard to the data published on websites and accessible to the public.