Debated in Parliament since 9 December 2015, the French Digital Bill was subject to a Senate vote on 3 May 2016, two weeks before publication of the General Data Protection Regulation (GDPR) in the EU’s Official Journal.
The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization provision: “Data shall be stored in a data center located within any EU Member State territory, without prejudice to international agreements to which France and the EU are parties. They cannot be subject to a transfer to a third country“. The Bill’s data localization provision may be incompatible with Article 44 of the GDPR and perhaps the current Data Protection Directive 95/46, as it places stricter requirements on the transfer of personal data outside of the EU than provided for under those documents.
The territorial scope of the data localization requirement is unclear. Is its scope limited to data controllers established only on French territory? What about data controllers located in Germany that process data on French citizens but use processors outside the EU?
Senator Eliane Assassi originally introduced the data localization amendment by arguing that “storing [the] personal data of French citizens within the EU territory ensures implementation of EU data protection rules“, adding that “the ruling of the CJEU striking down Safe Harbor… makes this implementation all the more critical“.
At a deeper level, the amendment reflects French politicians’ desire to defend France’s “digital sovereignty”. Several reports over the last two years have highlighted the need for France to assert its digital sovereignty over non-French Internet service providers, often referred to in France by the acronym “GAFA” (Google, Apple, Facebook and Amazon). What digital sovereignty means in practice is unclear; certain aspects appear designed to help French start-ups, which are allegedly at a disadvantage compared to their US counterparts; other aspects of digital sovereignty focus on the ability of French law enforcement authorities to access data when needed. An overarching political concern is that the data-driven ecosystems of large US-based service providers seem to operate outside of the reach of French laws, which is politically unacceptable. This assertion is in fact not true, because the major Internet service providers are regularly involved in French court and administrative proceedings. French laws do apply to most online activities. Nevertheless, the theme of “digital sovereignty” is politically popular, and the data localization amendment adopted by the Senate confirms this trend as, according to Senator Christophe-André Frassa, the purpose of the amendment is to reassert France’s digital sovereignty.
Although Axelle Lemaire, secretary of State for Digital Technology, requested withdrawal of the amendment, she commented as follows:
“Within the EU territory, data flows are free, in the same way that goods and people circulate freely. The EU Regulation provides a trustworthy and secure framework. The issue lies in the application of EU standards to transfers outside of the EU. The Privacy Shield agreement has received lukewarm reviews from national Data Protection Authorities (the Article 29 Working Party).
The obligation to store sensitive data on national territory already exists for biometric data, judicial data, health data or data relating to national defense; data related to minors could also be added to the list.
France may only have an influence within the EU framework. On this subject, an opinion from the Parliament regarding a debate on the Privacy Shield would be relevant“.
Incompatibility with the provisions of the General Data Protection Regulation
But the text voted for by the Senate is not consistent with Article 44 of the GDPR or even with current Data Protection Directive 95/46 since it places a more absolute restriction on the transfer of personal data outside the EU.
The French amendment raises the question: “Can France do whatever it wants during the two year period before the GDPR’s provisions take effect?” According to the Court of Justice of the European Union (CJEU), Member States must ensure “simultaneous and uniform” application of regulations (CJEU, 7 February 1973, Commission v. Italian Republic, C-39/72, §17).
In our view, France cannot adopt measures inconsistent with the GDPR during the two year implementation period, which means that the proposed data localization amendment, if included in the final version of the text of the Digital Bill, would violate EU law.
Subject to the “fast track” legislative process, the Bill will not be subject to a second reading in each house. Now that the French Senate has voted through its version of the Digital Bill, the text will be debated within a Joint Committee composed of representatives from both houses of Parliament.