(Conseil d’État, Judgement of 4 November 2020 of the joined 10th and 9th Chambers, La Quadrature du Net vs French State)
The Alicem app complies with the principles of the GDPR regarding the processing of biometric data, consent, and the adequate, relevant, and non-excessive collection of data.
Decree No 2019-452 of 13 May 2019 authorized the creation of an electronic identification means called Alicem (for ‘Authentification en ligne certifiée sur mobile’, or Certified Online Identification on Mobile Phone). The organization ‘La Quadrature du Net’ challenged that decree before the Conseil d’État for an excess of power. Furthermore, it put forward two preliminary questions that should be referred to the CJEU. The first pertains to the assessment of the validity of consent and to whether it must be granted upon every access to a service subject to personal data processing, regardless of the existence of another service ‘of the same nature’ or of ‘equivalent services’. The second question concerns the adequate, relevant, and non-excessive collection of biometric data and its processing, in relation to the purposes of such collection and processing, by a mobile phone application involving facial recognition technology for authentication with some public services and their partners.
Alicem Is ‘Designed’ To Protect The Consent of Users
The goal of the Alicem app is to provide French nationals in possession of a biometric passport and foreign nationals holding a biometric residence permit with an electronic identification procedure allowing for electronic identification and login to public or private organizations. This procedure involves an electronic communication device enabling contactless reading of the electronic component of those credentials, in accordance with the provisions laid down by the regulation of the European Parliament and the Council of 23 July 2014, including the warranty requirements provided by the aforementioned online service. The processing uses a system of static and dynamic facial expression recognition. The collected data is only used for the purpose of facial recognition and is deleted at the end of the procedure. Upon receiving the request to open the account, the ‘Agence nationale des titres sécurisés’ (France’s National Secure Credentials Agency) informs the user regarding the use of a facial recognition system and asks for their consent to the processing of their biometric data. The user then records a short video, based on which a facial recognition algorithm certifies they are the legitimate owner of the biometric credential serving as the basis for the digital identity. Meanwhile, a liveness detection algorithm analyses the behavior of the subject in the video to identify any attempt at fraud or cyberattack. The electronic credentials linked to their account allow the owner of the biometric passport or residence permit to sign in to public or private partner organizations, to access their online services, and to have stronger protection against abusive uses and identity fraud connected to their online operations.
The Conseil d’État Rejects The Appeal
The Conseil d’État immediately dismissed the complaints on the external legality of the regulation – arguing that it respects the rules regarding the identity of the text with the draft regulation submitted by the government – and on the countersigning by the ministers concerned.
As for the matter of internal legality, the first question pertains to the legality of biometric data processing. The Conseil d’État recalls the prohibition in principle under Article 8 of the Law of 6 January 1978 on biometric data processing for the sole purpose of uniquely identifying a natural person. However, this prohibition is not absolute given that Article 9 of the GDPR allows for derogations if the individual explicitly consented to the processing of such personal data for one or more specific purposes, for example, when “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
Regarding the purpose of the processing, the Conseil d’État ruled that the case evidence does not demonstrate that at the time of the contested decree there were other ways to certify the identity of the user in an entirely digital manner with the same level of security as facial recognition. Therefore, the processing of biometric data allowed by the contested decree must be viewed as required for the purpose of said processing. As for the adequate and proportional collection of data, the Conseil d’État notes that the data is solely used to identify the user, the biometric credential, the electronic communication device used by the individual, and eventually to establish a history of transactions linked to their account (the data may not be shared with online service providers), thus respecting the legal requirements.
The question of freedom of consent was also examined. The administrative judge held that no citizen is pressured into consenting, as at the time of the contested decree, the online services available on the Alicem app were also accessible through the FranceConnect system, which does not presuppose consent to facial recognition processing. Users who do not use Alicem are not deprived of access to online processing offered by those services, and thus they suffer no prejudice under the GDPR.
For these reasons, the Conseil d’État rejects the request of ‘La Quadrature du Net’ and does not refer the preliminary questions to the CJEU. This judgment develops the existing case law in regard to the practical applications of the GDPR.
 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.