On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely publicized consultation process. The Act amends the French Data Protection Act and modifies French law in various domains, including consumer protection, electronic payment services, medical research and intellectual property.
The Act constitutes a first step in the implementation of the General Data Protection Regulation (GDPR), which will apply in all EU member states beginning May 25, 2018. The Act in particular establishes new rights for individuals and new powers for the French data protection authority (DPA). Further modifications of the French Data Protection Act implementing the GDPR are forthcoming.
CNIL’s New Powers
Encryption and anonymization
The French DPA (CNIL) is charged with overseeing and promoting the development of encryption technologies. Furthermore, it may create, approve or publish anonymization standards. Interestingly, the Act’s emphasis on security was complemented by industry efforts, as demonstrated by a recent agreement of French telecom operators on the use of encryption for the storage of electronic communications.
The CNIL may issue financial sanctions of up to €3 million for infringements of the French Data Protection Act. It is expected that this limit will be raised to €20 million when the GDPR is fully implemented in France.
Importantly, the Act implements the provisions of the GDPR pertaining to the criteria DPAs may take into account in determining sanctions. More specifically, under the Act, the CNIL may take into account (1) the intentional or negligent character of the infringement; (2) measures adopted to mitigate the damage to the individuals; (3) the extent to which the infringer has cooperated with the CNIL; (4) the categories of personal data affected by the infringement; and (5) the manner in which the infringement became known to the CNIL.
The procedure for issuing sanctions under the French Data Protection Act has been slightly modified, as companies may be sanctioned without the prior issuance of an injunction in cases where the infringement may not be remedied. Such cases will most likely be specified in the upcoming implementing decrees.
Cooperation with other DPAs
The CNIL may audit companies on behalf of a DPA from a country outside the EU that offers an equivalent level of data protection. The CNIL must enter into an agreement that defines the terms of the collaboration with the DPA.
New Rights for Individuals
Right of self-determination
The Act provides that any individual has the right to decide and control the use of his or her personal data. In its comment on the Act, the CNIL highlighted that this provision is inspired by the German constitutional right of informational self-determination.
Right of access and rectification
The Act does not significantly modify the procedure for individuals to access or rectify their personal data. The Act makes it clear, however, that when the data is collected through electronic means, individuals are entitled to make an electronic request for access, rectification or erasure of their personal data.
Right to be forgotten
An individual has a right to obtain the erasure of personal data if the data was collected in the context of an information service and he or she was a minor at the time of collection.
Companies must implement this right within one month following a specific request for erasure. In addition, they must make reasonable efforts to inform data controllers to whom they have disclosed the data of the request for erasure.
Specific exceptions may apply, including when a company needs the personal data for compliance with a legal obligation or litigation purposes.
The Act does not introduce provisions on data portability into the French Data Protection Act. Rather, it modifies the French Consumer Code to provide for data portability and makes a clear reference to the direct application of the GDPR’s provisions on data portability.
Consumers have a right to “retrieve” the entirety of their personal data in the systems of any online service provider.
More specifically, online service providers must implement a feature by which consumers may obtain files that have been published online, data that users may access on their profiles, and other types of personal data associated with a user account. In determining whether such other types of personal data are subject to the data portability right, the online service provider will consider whether the data is necessary for migration to another online service provider, as well as the economic impact on the services concerned, the intensity of competition between the providers and other financial considerations.
The right to data portability is not absolute and may be limited if, for instance, portability interferes with the protection of business secrets and intellectual and industrial property, or if the data constitutes a “significant enrichment” for the provider the data is being transferred from. The conditions establishing such “significant enrichment” will be defined in a decree.
The Act adds new notice elements in line with the GDPR. More specifically, privacy notices must indicate applicable data retention periods, or where it is not possible to define a specific period, the criteria used to determine such periods.
A specific provision—which constitutes a particularity of French law—requires that notices clarify that individuals are entitled to give instructions regarding the handling of their personal data after their death.
Rights of the deceased
A detailed process is in place for individuals to exercise control over their data after their death.
Individuals may give general instructions that will apply to the entirety of their personal data or specific instructions for certain sets of personal data.
The French Digital Republic Act is available (in French) here.
The CNIL’s press release on the bill is available (in French) here.
A summary description of the French Digital Republic Act is available (in English) here.
This advisory is published by Alston & Bird LLP’s Privacy & Data Security practice area to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions.