TJ Paris, ord. ref., 4 March 2021, n° 21-51823
On March 4, 2021, the Paris Court of Justice ordered the main French internet service providers (ISPs) to immediately block access to a site hosting a file disclosing the personal health data of nearly 500,000 people.
Constituted following cyberattacks that targeted the information systems of 28 French laboratories, this file was initially shared on the Darknet , before being made accessible to the public on the Internet. It contained so-called “sensitive” data, in particular medical treatments or information on pathologies.
Informed by the media of this leak, the National Commission for Computing and Liberties (CNIL) had in vain requested the removal of the disputed file from the publisher of the site based in Guernsey, then from the host of the latter domiciled in California. The CNIL had then summoned the four major French Internet service providers (ISPs) (Orange, SFR, Free and Bouygues Télécom) to see the database in question or the site rendered inaccessible, from hour to hour. hosting.
By an order dated March 4, 2021, the First Vice-President of the Paris Judicial Court granted the CNIL's requests and ordered ISPs to implement " all the most appropriate and effective targeted surveillance measures as to ensure the effective blocking of the online public communication service ” of the disputed content on their networks, without delay and for a period of eighteen months.
This emergency decision illustrates the powers of action of the CNIL in terms of breaches of the confidentiality of personal data, in particular with regard to health data.