In addition to calling for the adoption of the EU Regulation in 2015, the CNIL has expressed its wish list of provisions to be included in the Digital Law contemplated by the French government.

The CNIL requests the protection of personal data to become a constitutional right and a strengthening of the right of access, which is the cornerstone of the protection of personal data. Individuals should be given information about the source and the duration of retention of data relating to them. It would impose more stringent governance practices by data controllers as data retention is one of the most complex obligations to comply with. This suggestion is in line with the commission’s proposal on the regulation. Individuals should be allowed to exercise their rights electronically and should receive a confirmation that they have exercised their rights to be able to provide evidence. It implies additional boxes to add to the checklist by those working on Privacy by Design for applications.

It is suggested to create a right to be forgotten, going beyond the right to be delisted, for minors (under 18), in order to enable them to protect their online reputation. Minors, as opposed to adults, would not have to justify having legitimate grounds to object to the data processing.

Taking another stand in favor of BCR after the creation of a service dedicated to BCR last year, the authority asks for the possibility to grant a standard data transfer authorization (autorisation unique) to each company who transfers data under approved BCR, so that it does not have to request data transfer authorizations for each and every data transfer it operates out of France.

The CNIL also calls for an increase in the level of administrative sanctions, in the interim period of the entry into force of the regulation, as the highest sanction it can order is of EUR 150,000 (EUR 300,000 in case of repetition), which is very low in comparison with the two percent (commission proposal) or five percent (parliament proposal) of global turnover provided in the draft regulation. The introduction of a collective action, whether specific or general, is also expected. The secretary of state for digital matters agrees, as appeared from her speech before the National Assembly on January 14.

An important change would result in the acknowledgement of a co-controllership between stakeholders involved in a data processing, including the liability of data processors, as French data protection law as it is drafted today does not recognize this concept.

The CNIL also wishes to have control powers over data processing relating to national security and an improvement in its dealings with public institutions, including the Parliament for improved consultation process.

The question is whether this digital law could be finalized before the regulation and be compatible with it. The draft has been expected since 2013. The analysis of the public consultation launched this winter has been announced for the end of February and a draft bill for the second semester, once the European Commission has released its digital action plan. The secretary of state announced several measures including a right to control the data, called right to informational self-determination, and measures in favor of the expansion of open data.