On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely-publicized consultation process. The Act amends the French Data Protection Act, and also modifies French law in various domains, including consumer protection, electronic payment services, medical research, and intellectual property.
The Act constitutes a first step in the implementation of the General Data Protection Regulation (“GDPR”), which will apply in all EU Member States as from May 25, 2018. The Act in particular establishes (i) new powers for the French data protection authority (“DPA”), and (ii) new rights for individuals. Further modifications of the French Data Protection Act implementing the GDPR are forthcoming.
I. CNIL’s New Powers
1. Encryption and Anonymization
- The French DPA (the “CNIL”) is charged with overseeing and promoting the development of encryption technologies. Furthermore, it may create, approve or publish anonymization standards.
- Interestingly, the Act’s emphasis on security was complemented by industry efforts, as demonstrated by a recent agreement of French telecom operators pertaining to the use of encryption for the storage of electronic communications.
2. Sanctions
- The CNIL may issue financial sanctions of up to 3 Million Euro for infringements of the French Data Protection Act. It is expected that this limit will be raised to 20 Million Euro when the GDPR is fully implemented in France.
- Importantly, the Act implements the provisions of the GDPR pertaining to the criteria DPAs may take into account in determining sanctions. More specifically, under the Act, the CNIL may take into account (i) the intentional or negligent character of the infringement, (ii) measures adopted to mitigate the damage to the individuals, (iii) the extent to which the infringer has cooperated with the CNIL, (iv) the categories of personal data affected by the infringement, and (v) the manner in which the infringement became known to the CNIL.
- The procedure for issuing sanctions under the French Data Protection Act has been slightly modified: companies may now be sanctioned without the prior issuance of an injunction in cases where the infringement cannot be remedied. Such cases will most likely be specified in the upcoming implementing Decrees.
3. Cooperation with Other DPAs
- The CNIL may audit companies on behalf of a DPA from a country outside the EU which offers an equivalent level of data protection. The CNIL must enter into an agreement with the DPA which defines the terms of the collaboration.
II. New Rights for Individuals
1. Right of Self-Determination
- The Act provides that any individual has the right to decide and control the use of his or her personal data. In its comment on the Act, the CNIL highlighted that this provision is inspired by the German constitutional right of informational self-determination.
2. Right of Access and Rectification
- The Act does not significantly modify the procedure for individuals to access or rectify their personal data. The Act makes it clear, however, that where the data is collected through electronic means, individuals are entitled to make an electronic request in relation to access, rectification or erasure of their personal data.
3. Right to be Forgotten
- An individual has a right to obtain the erasure of personal data if the data was collected (i) in the context of an information service, and (ii) while he or she was a minor at the time of collection.
- Companies must implement this right within one month following a specific request for erasure. In addition, they must make reasonable efforts to inform data controllers to whom they have disclosed the data of the request for erasure.
- Specific exceptions may apply, including where a company needs the personal data for compliance with a legal obligation or litigation purposes.
4. Data Portability
- The Act does not introduce provisions on data portability into the French Data Protection Act. Rather, it modifies the French Consumer Code to provide for data portability and makes a clear reference to the direct application of the GDPR’s provisions on data portability. Those provisions will only enter into force as of May 2018.
- Consumers have a right to “retrieve” the entirety of their personal data in the systems of online communication service providers.
- More specifically, online communication service providers must implement a feature by which consumers may obtain (i) files that have been published online, (ii) data which users may access on their profiles, and (iii) other types of personal data associated with a user account. In determining whether such other types of personal data are subject to the data portability right, account will be taken of whether the data is necessary for migration to another online service provider, as well as the economic impact of the concerned services, the intensity of the competition between the providers, and other financial considerations.
- The right to data portability is not absolute, and may be limited if, for instance, portability interferes with the protection of business secrets or intellectual and industrial property, or if the data constitutes a “significant enrichment” for the provider from which the data are being transferred. The conditions establishing such “significant enrichment” will be defined in a Decree.
5. Notice Requirements
- The Act adds new notice elements in line with the GDPR. More specifically, privacy notices must indicate applicable data retention periods, or where it is not possible to define a specific period, the criteria used to determine such periods.
- A specific provision – which constitutes a particularity of French law – requires that notices clarify that individuals are entitled to give instructions regarding the handling of their personal data after their death.
6. Rights of the Deceased
- A detailed process is in place for individuals to exercise control over their data after their death.
- Individuals may give general instructions which will apply to the entirety of their personal data, or specific instructions for certain sets of personal data.
The French Digital Republic Act is available (in French) at: https://www.legifrance.gouv.fr/affichTexte.do;jsessionid=C20E780B75854FDE5726606581D18C9A.tpdila21v_2?cidTexte=JORFTEXT000033202746&categorieLien=id
The CNIL’s press release on the bill is available (in French) at: https://www.cnil.fr/fr/projet-de-loi-pour-une-republique-numerique-quel-impact-pour-la-cnil-et-la-protection-des-donnees
A summary description of the French Digital Republic Act is available (in English) at: https://www.republique-numerique.fr/pages/digital-republic-bill-rationale