Paris Court of Justice, interim order, March 4, 2021, No. 21-51823

On March 4, 2021, the Paris Judicial Court ordered the main French internet service providers (ISPs) to immediately block access to a site hosting a file disclosing the personal health data of nearly 500,000 people.

Created following cyberattacks targeting the information systems of 28 French laboratories, this file was initially shared on the Darknet before being made publicly accessible on the internet. It contained so-called "sensitive" data, including medical treatments and information on pathologies.

Having been informed of the leak by the media, the French Data Protection Authority (CNIL) unsuccessfully requested the removal of the offending file from the Guernsey-based website publisher, and then from its California-based hosting provider. The CNIL then filed an emergency injunction against the four major French internet service providers (Orange, SFR, Free, and Bouygues Telecom) to have the database in question or the website hosting it rendered inaccessible.

By an order dated March 4, 2021, the first vice-president of the Paris Judicial Court granted the CNIL's requests and ordered the ISPs to implement "all the most appropriate and effective targeted monitoring measures to ensure the effective blocking of the online public communication service" of disputed content on their networks, without delay and for a period of eighteen months.

This emergency decision illustrates the CNIL's powers to act on breaches of the confidentiality of personal data, particularly health data.
