The French bill on the protection of personal data, the French Data Protection Act 2 (FDPA 2; text in French), was officially enacted on June 20, 2018.
The purpose of the FDPA 2 is to bring national law into line with the European Data Protection Package, adopted by the European Parliament and the Council April 27, 2016, which consists of the following texts:
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the GDPR), which constitutes the general framework for data protection and has been directly applicable since May 25, 2018.
- Directive (EU) 2016/680 on processing carried out for the purpose of preventing, detecting, investigating and prosecuting criminal offenses or executing criminal penalties, which had to be transposed by May 6, 2018, at the latest. Its transposition by the FDPA 2 is not analyzed here.
In order to bring national law into line with the GDPR, the government has made the "symbolic" choice not to repeal the founding law on this matter, the French Data Protection Act No. 78-17 of 6 January 1978. As a result, the FDPA 2 amends the current FDPA. It replaces the logic of prior formalities (notification or prior authorization by the CNIL) with the philosophy introduced by the GDPR of enhanced accountability of stakeholders.
To this end, the FDPA 2 makes only the minimal adaptations the Data Protection Act needs. In addition, although the GDPR is directly applicable, it contains some 56 references to national law (the so-called opening clauses), and the FDPA 2 implements some of them. Finally, the FDPA 2 itself provides that the FDPA may still undergo major changes at a later stage, which could come fairly soon.
The minimal adaptation of the French Data Protection Act
The FDPA 2 removes from the FDPA provisions contrary to the GDPR and completes it with the necessary provisions, including the following:
- The missions of the French data protection authority are broadened (Article 1): The CNIL will be able to issue tools (guidelines, recommendations, reference documents, codes of conduct, standard security rules) that serve the dual purpose of helping processing operations comply with data protection requirements and helping controllers and their processors assess risk. In addition, the CNIL will be able to approve certification bodies and to certify persons, products and procedures as compliant with the GDPR and national law.
- The CNIL's inspection powers are reinforced and may allow its agents to use "assumed" identities (Article 5): CNIL agents may request the communication of any document, take a copy of it, and collect on site or by summons any useful information. In the exercise of this right, secrecy may not be opposed to them, except in the case of attorney-client privilege, the protection of journalistic sources and, in some cases, medical secrecy. In addition, CNIL agents will be able to carry out online checks under assumed identities, under conditions to be specified by a Council of State decree issued after consulting the CNIL.
- Joint control operations with data protection authorities of other member states are made possible (Article 6): When a joint control operation takes place on the French territory, CNIL agents will be present alongside the agents of the other authorities. The CNIL shall communicate to the other authorities the relevant information and may empower their agents to exercise powers of verification and investigation under its control.
- The measures and sanctions available to the CNIL are substantially reinforced (Article 7): The chair of the CNIL will be able to warn controllers and processors that an envisaged processing operation is unlawful, or to serve them with a formal notice. If they do not comply with the obligations imposed by the GDPR or national law, the chair can also refer the case to the sanction committee. The sanction committee may issue a reminder; an injunction to comply under a daily penalty (up to 100,000 euros per day), which is a notable innovation; a temporary or definitive limitation of the processing; the withdrawal of a certification; the suspension of data transfers to a third country; the withdrawal of a decision approving binding corporate rules; or a fine of up to EUR 10 million or EUR 20 million, or 2 percent or 4 percent of worldwide annual turnover, depending on the violation.
- The notion of sensitive data is broadened (Article 8): The FDPA 2 repeats the GDPR ban principle on the processing of sensitive data and expands the current scope of this data. Biometric and genetic data will now be regarded as sensitive data.
- Prior formalities are mostly abolished (Article 11): Most prior formalities are abolished and replaced by the obligation to carry out a data protection impact assessment when a processing operation is likely to pose a high risk to the rights and freedoms of individuals. However, some prior notification and authorization requirements will continue to apply (i) to the processing of the national identification number (NIR, used as the social security number) and (ii) to health data.
The implementation of several opening clauses provided by the GDPR
The FDPA 2 does not take full advantage of all the opening clauses left to the member states by the GDPR but only implements part of them. In its opinion of November 30, 2017, on the draft bill, the CNIL considered that this selection was "judiciously" made. It includes the following provisions:
- The clarification of the territorial scope of national law (Article 10): Where member states' legislation diverges because of the room for maneuver the GDPR leaves them, French law will apply when the data subject resides in France, even if the controller is not established in France. However, as regards freedom of expression and information, the law of the member state in which the controller is established will apply.
- An open data approach for judicial decisions (Article 13): Re-users of court decisions will be able to process data relating to offenses for the purpose of making all decisions of the administrative and judicial courts available to the public in open data, subject to respect of the data subjects' privacy and after analyzing the risk of re-identification.
- The definition of the age of "digital majority" (Article 20): The age at which a minor can consent alone to the processing of their data, the digital majority, is set at 15 years. The controller is then required to deliver the information "in clear and easily accessible language." For minors below that age, the National Assembly also laid down the conditions of a dual-consent mechanism: consent must be given jointly by the minor concerned and the holder of parental authority.
- The broadening of class-action’s scope to compensation (Article 25): This action may be brought with a view either to bringing an end to the breach, or to engage the liability of the person who caused the damage in order to obtain compensation for the material and moral damage suffered, or both. The person who caused the damage may only be held liable if the event giving rise to the damage occurred after May 24, 2018.
- The possibility for the Conseil d'Etat (French supreme administrative court) to temporarily suspend international data transfers at the request of the CNIL (Article 27): The law implements the CJEU ruling of October 6, 2015 (the Schrems ruling) by allowing the CNIL to ask the Council of State to temporarily suspend a data transfer made under an adequacy decision whose validity it disputes. The Council of State must then refer the question of the validity of the adequacy decision to the CJEU for a preliminary ruling.
Potential for significant changes to the FDPA soon
The FDPA may still be subject to major changes in the near future. Indeed, Article 32 of the FDPA 2 empowers the government to rewrite the FDPA as a whole by ordinance, in order to improve its intelligibility and its consistency with all legislation relating to the protection of personal data. This means that the FDPA will undergo major changes in the near future, but without any debate before Parliament.