Freshly presented by the French Government, the new French Data Protection Bill makes a number of important changes to the law on privacy in France. In this article we present the new draft legislation that implements the GDPR under French law. France was one of the first European countries to pass legislation on the protection of the personal data of individuals. The 1978 Loi Informatique et Libertes, amended a first time in 2004 following the adoption of the Loi pour la confiance dans l’economie numerique (Law of Confidence in the Digital Economy), implementing the 2000 European E-commerce Directive as well as a number of provisions of the European 2002 Directive on privacy and electronic communications, a.k.a the “e-Privacy Directive”, has for many years set the benchmark for other EU countries to follow in adopting their own legislation on privacy. The French approach to the regulation of privacy has also greatly influenced the drafting of the 2016 General Data Protection Regulation (GDPR) during the time that the Article 29 Working Party, an informal working group bringing together representatives of the 28 EU Member States’ data protection authorities, was presided over by the President of the French privacy regulator, the Commission Nationale de l’Informatique et des Libertes, or CNIL.
After the GDPR was published in April 2016, Member States were on alert to amend their national law to incorporate the new European text during the 2-year grace period before the entry into force of the GDPR on May 25, 2018. The draft Loi Informatique et Libertes 2 was presented by the French Government on May 14, 2018 in the form of a new adaptation of the 1978 Act, as amended a first time in 2004.
The bill includes five sections, or “Titles”:
- Title I (Articles 1 to 7) addresses the common provisions of Regulation 2016/679 and of Directive 2016/680;
- Title II (Articles 8 to 17) addresses the areas in which the GDPR opens up the possibility for Member States to adopt national rules, the famous “national derogations”, that supplement or supersede (as applicable) the corresponding GDPR provisions;
- Title III (Articles 18 and 19) contains provisions transposing Directive 2016/680;
- Title IV (Article 20) empowers the French Government to adopt measures to improve the readability of the new French data protection legislation;
- Title V (Articles 21 to 24) includes the remaining provisions.
This new law will mean more transparency for French citizens on the use of their personal data. French citizens will also have new rights relating to their data, such as the right of erasure (a.k.a right to be forgotten) and the right to data portability. The bill, if passed, will also strengthen the rights of French individuals by creating a right to information for the person whose personal data is being processed in connection with criminal matters.
Under the bill, it is prohibited to process personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. It is also prohibited to process genetic data, biometric data, health data, or data about a person’s sex life or sexual orientation.
The additions imposed by the new legislation
The new legislation introduces a number of new ideas. Below is a list of the most drastic changes proposed by the bill:
- Article 1: Entrusts the CNIL, the French privacy regulator, with new missions to promote a secure legal environment for personal data.
- Article 3: Provides that CNIL members may decide on privacy matters outside the presence of a representative of the Government.
- Article 4: Specifies the framework for CNIL members and agents to initiate an audit of processing activities (e.g. onsite visits, communication of all documents).
- Article 8: Permits national law to apply to French residents even when the data controller is not established in France and there are conflicts of laws between Member States relating to the amount of discretion they have under the GDPR.
- Article 11: Specifies the conditions under which the legislator may authorize the processing of data relating to criminal convictions, offenses or related security measures.
- Article 13: Provides that where healthcare data is processed for public interest purposes, the CNIL may establish benchmarks, standards and reference guides in consultation with the National Institute of Healthcare Data.
- Article 20: Authorizes the Government to impose the adoption of measures to improve the readability and understanding of the new legislation.
A “digital majority” at age 15
For minors under the age of 15, parental consent will be necessary before social networks can process the data. From the age of 15, minors will be able to register on social networks without parental authorization (the GDPR had suggested an age of 16). Between the ages of 13 and 15, the prior consent of both the parents and child will be required. Under the age of 13, no data at all can be collected.
Class actions are introduced
“Material or moral” damage may open liability to financial compensation. The new bill creates a right to file a class action to claim compensation for misuse of personal data. Legal proceedings may be brought against a data controller or a data processor.
A post-processing control mechanism
Whereas, under the pre-GDPR regime data controllers were required to register their processing activities and, for some types of processing, obtain the authorization of the CNIL before they could process the data, the new law will no longer require registration or prior authorization and will empower data controllers to assess the risk associated with their processing, while the CNIL will only audit the processing after it is effective. As a tradeoff for giving data controllers more autonomy in decision making regarding their processing activities, the CNIL sees its powers reinforced and now has the authority to impose fines for violations of the law of up to the greater of 20 million euros and 4% of a company’s worldwide annual revenue.
The requirements for processing sensitive data under the previous French Law have not changed. Sensitive data includes:
- Biometric data necessary to identify or verify the identity of individuals;
- Genetic data;
- Data using the registration number of a given individual in the national register of natural persons; or
- Healthcare data: the new law will implement new measures for processing personal healthcare data, and will specify the use of this data by manufacturers, who need it to innovate. The challenge was to balance the protection of personal healthcare data with the need to foster innovation.
The powers of the CNIL
The CNIL is one of the EU’s most powerful independent administrative authorities. Its annual report revealed that the CNIL opened a record-breaking 8,360 files in 2017. Individuals may lodge a complaint directly with the CNIL, which is different from filing a complaint with the police or the public prosecutor.
Citizens may file a complaint with the CNIL in two circumstances:
- Inability to exercise their right to privacy and freedom;
- Reporting a public or private body for breaching the rules of protection of their personal data.
How do you file a claim?
- On the CNIL website
- By sending a letter to: CNIL – 3 Place Fontenoy – TSA 80715 – 75334 PARIS CEDEX 07
What documents do you need to provide with the claim?
- Any document that supports the facts described in the complaint.
The constitutionality control of the new legislation
On May 16th, 2018, seized with a request to review the constitutionality of the bill, the Constitutional Council found most of the text to comply with the Constitution.
French Senators were challenging Article 13 of the bill, which amends Article 9 of the 1978 law that set the standards for processing of personal data related to criminal convictions, offenses or related security measures. Article 13 provides that such treatment may be carried out “under the control of the public authority”, which the Council found contradicted the Constitution. The decision stated that the legislator did not use its authority to its full extent by not specifying which categories of persons were subject to the law or the purposes to be used for such type of processing, which affects the fundamental rights of citizens.
The possibility of an order from the Government:
Following an opinion issued by the CNIL, the Government could, in the 6 months that follow the publication of the new law, order a possible rewriting of the entire law to make it easier to understand and facilitate the implementation of the European text into national law.
A new French data protection act was clearly needed to properly address the risks to the rights and freedoms of individuals associated with the advent of new means and techniques of processing personal data in the past 15 years since the French privacy legislation was last amended. Under Article 23 of the GDPR, Member States of the European Union were given the authority to adopt “national derogations” in more than 50 areas of the Regulation. It remains that, due to the rather late presentation of the French bill, the implementation of the GDPR on May 25, 2018 did not coincide with the passing of French legislation that would have provided much needed certainty in the treatment that the French regulator would apply to the processing of personal data of French citizens. Until the final version of the bill is adopted, data controllers, but also data processors and French data subjects, will need to review the current proposal along with guidance and public decisions issued by the CNIL to get the French regulator’s interpretation of the GDPR in France.
This article was written with the collaboration of Sarah Lasson