Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead of or behind the international curve?

Data protection laws in France are usually ahead of the international curve. As they follow the regulations of the European Union, in the context of the EU General Data Protection Regulation that was approved by the European Parliament on April 14 2016 and will directly apply as of May 25 2018, France is currently debating a law (the Law Project for a Digital Republic, NOR: EINI1524250L) that will anticipate some of the provisions of this regulation and extend protection further in a few respects. This law may enter into force before May 25 2018.

Are any changes to existing data protection legislation proposed or expected in the near future?

In addition to the General Data Protection Regulation, several laws containing specific provisions on data protection (eg, the Law Project for a Digital Republic) and amendments to the Data Protection Act are currently under discussion. These proposed changes cover various topics (eg, the geographical locations of data centres).

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The Data Protection Act 1978 constitutes the domestic legal framework governing the collection, storage and use of personal data.

Several other technical and criminal laws provide specific rules concerning data protection (eg, the Trust in Digital Economy Law 2001).

Scope and jurisdiction
Who falls within the scope of the legislation?

Personal data controllers fall within the scope of the Data Protection Act. A ‘personal data controller’ is any person or company that determines the means and purpose of personal data processing. ‘Data processing’ encompasses every operation or set of operations performed on personal data (eg, personal data collection, storage, modification, use and deletion).

This legislation applies to the data controller when the processing of personal data is part of the activities of at least one of its establishments based in an EU member state, or when it processes personal data by technical or human means that are located in an EU member state.

Other individuals or legal entities can also fall within the scope of the legislation in the application of criminal law provisions (eg, when the victim of a criminal offence is French).

What kind of data falls within the scope of the legislation?

The Data Protection Act regulates only the processing of personal data. ‘Personal data’ is understood as any information relating to an identified or identifiable natural person. An ‘identifiable person’ is one who can be directly or indirectly identified, particularly by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Are data owners required to register with the relevant authority before processing data?

Before processing personal data, personal data controllers must register with the national authority for data control (CNIL). While most processing simply requires a declaration of personal data processing (which includes detailed documentation regarding the type of processed data, the purpose of the processing and the duration of the data storage), the processing of particularly sensitive personal data (eg, medical and biometric data) is subject to formal prior authorisation by the authority.

Should the purpose or means of the personal data processing change, the data controller must notify the authority of such changes by either amending the original declaration or filing a new one.

However, the new EU General Data Protection Regulation that will apply as of May 25 2018 will not require such declarations. From this date, data controllers will have to document their data processing themselves and will be expected to provide evidence of their compliance with privacy rules on investigation.

Is information regarding registered data owners publicly available?

The declarations and authorisations registered by the CNIL are available to the public.

Is there a requirement to appoint a data protection officer?

There are currently no obligations regarding the appointment of a data protection officer. The designation of a data protection officer must simply be notified to the CNIL.

However, with the entry into force of the General Data Protection Regulation, the appointment of a data protection officer will become mandatory for all public authorities and entities where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of sensitive personal data (eg, data revealing ethnic or racial origins, political opinions, religious or philosophical beliefs and sexual orientation).

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The CNIL is responsible for enforcing data protection rules in France. Its mission is to inform the public and personal data controllers regarding their mutual rights and obligations. It also plays a consultative role for the government, which implies both publishing reports on personal data practices and issues and directly consulting with officials during the preparation of data protection-related legislation.

The CNIL has extensive penalising powers, which makes it a jurisdictional authority according to the European Convention on Human Rights. The CNIL can issue potentially severe administrative penalties, which are levied only after adversarial proceedings and are subject to appeal. These penalising powers are to be expanded after the General Data Protection Regulation becomes binding.

The General Data Protection Regulation also provides that EU member states will be responsible for enforcing criminal provisions relating to personal data. In this regard, the CNIL can notify other jurisdictional authorities of data protection violations and take legal action itself for such violations. In order to provide efficient documentation of these violations, the CNIL has advanced investigatory powers which follow various procedures according to whether the data controller agrees to the investigation, the urgency of the situation, the gravity of the violation or whether evidence of the violation is likely to be destroyed.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data collection, storage and processing must follow a set of cumulative rules.

First, the collection and processing must be fair and lawful. This obligation is assessed by judges and implies that the data controller must inform data subjects of the processing to which their data is subject.

Processing operations must also serve a precise, explicit and legitimate purpose. Data controllers must submit justification of the purpose of the processing to the national authority for data control (CNIL) before engaging in such operations. Data collection, use, storage and processing are lawful only insofar as they fall within the declared purpose of the processing; this obligation is strictly interpreted by judges.

The gathered data must be adequate, relevant and not excessive in relation to the declared purpose of the processing. The processed data must also be exact, complete and up to date.

The duration of data storage must be limited in accordance with the purpose of the processing. In most cases data collection requires the consent of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The gathered data must be kept only for a duration that accords with the purpose of its processing. Once the objective of the data collection has been met, the data must be deleted.

However, specific data can and must sometimes be archived, according to relevant legal obligations (eg, a lessor of social housing must keep records of tenants in case of a confidential ministerial investigation) or where the data still holds an interest (eg, if it can be used to meet an obligation or prevent a legal dispute). It can then be stored only for as long as this interest still exists. There is no storage time limit if the data holds a historical, scientific or statistical interest.

The time limit for data storage also varies according to the type of data that is to be stored. For example, cookies can be actively held for 13 months only. As another example, within the European Union, internet service providers and web hosts must keep users’ personal information for one year for potential police or judicial investigation needs.

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have a right to access personal data about them that is held, stored or in any other way processed by a natural or legal person. The data controller must provide direct, free access to the data for the individual. However, certain data – such as data processed by a public entity that holds a national interest (eg, data that is important for the conduct of a confidential police investigation) – can be accessed indirectly through the CNIL. 

Do individuals have a right to request deletion of their data?

Individuals have a right to oppose the processing of their data for legitimate, decisive reasons.

Individuals also have the right to demand deletion of their data if it is inaccurate, incomplete, obsolete, ambiguous or unlawfully used, transferred or stored. This also applies when the data storage period is excessive in relation to the declared purpose of the processing.

Deletion is not necessarily guaranteed. Depending on the purpose of the processing, certain relevant data may be preserved.

Consent obligations
Is consent required before processing personal data?

Before processing personal data, the data controller must obtain the individual’s explicit, free, specific and informed consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent to personal data processing is not required in five cases. The data controller must prove that it fulfils all requirements for one of these cases. In particular, there is no need for consent if:

  • the data controller processes data in order to respect a legal obligation;
  • the data processing is necessary in order to protect the data subject’s life;
  • the data processing is necessary in order to accomplish a mission of public interest;
  • the data processing is necessary in order to sign or fulfil a contract; or
  • the data processing serves a legitimate interest that does not harm the data subject’s own personal interests or rights.

What information must be provided to individuals when personal data is collected?

Upon data collection, the individual must be given information about:

  • the identity of the data controller and its subcontractors (if they participate in the processing);
  • the purpose of the processing;
  • any obligation of the individual to respond and the consequences of failure to respond;
  • the recipients or categories of recipient of the collected data;
  • the individual’s rights concerning his or her data (regarding access, opposition, correction and deletion); and
  • if the data will be transferred internationally, the conditions of the transfer, the country to which it will be transferred, the level of data protection, the purpose of the transfer and the recipient of the data.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Both French law and the EU Data Protection Directive state that the data controller must ensure the security and confidentiality of the personal data that it processes. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are considered to be authorised by law, as well as any person under the direct authority of the data controller or its subcontractors.

As for actual security measures, the national authority for data control (CNIL) requires data controllers to undertake systematic risk assessments before processing data and maintain surveillance over the stability and efficiency of their security systems. 

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

If electronic communication service providers (eg, internet service providers) suffer a personal data breach – which includes deliberate security breaches by third parties and accidental loss or corruption of data – they must inform the individuals whose personal data or privacy could be violated without unnecessary delay. The only exception is where the CNIL determines that the security measures taken by the target of the data breach are satisfactory, in which case the communication service provider is not required to inform individuals.

Are data owners/processors required to notify the regulator in the event of a breach?

If an electronic communication service provider suffers a personal data breach – regardless of whether it threatens a specific individual’s rights – the CNIL must be informed within 24 hours of discovery of the breach. This notification must include a precise description of the extent and nature of the breach, along with the measures taken or suggested by the data controller in order to remedy the breach and limit subsequent damage. 

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

The Trust in Digital Economy Law provides that any commercial prospecting by means of telephone, fax or electronic communications is prohibited without the prior agreement of the data subject. Such prospecting must always indicate the address of the prospector and provide the possibility to unsubscribe from these communications. The CNIL controls the application of these rules and can issue fines for unsolicited electronic marketing of up to €3,000 for a natural person and €15,000 for a legal entity.

Cookies
Are there rules governing the use of cookies?

Ministerial Order 2011-1012 (August 24 2011) provides that the use of cookies is allowed if the user’s consent is obtained before any data is taken from or stored on the user’s terminal, or if these actions are strictly necessary to fulfil a service that has been specifically demanded by the user.

In practice, this means that websites that use cookies must inform users of:

  • the storage of cookies on their computers;
  • the possibility of managing cookie settings or refusing their use; and
  • the fact that navigating the website implies acceptance of the cookie policy (and details regarding the impact of non-acceptance of cookies on the services provided).

According to the CNIL, cookies can remain active for a maximum period of 13 months.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

French legislation (and therefore EU legislation as well) is considered to set the standard for the required level of personal data protection. Thus, cross-border personal data transfers are normally possible only if the data is transferred to a state that provides a level of protection comparable to that of France.

However, there are exceptions to this general rule. The national authority for data control (CNIL) can officially recognise which states offer satisfactory data protection and can negotiate with such states regarding the rules applicable to cross-border transfers (EU member states are by default considered as having a sufficient level of data protection; the CNIL usually follows the European Commission’s recognition of foreign states’ level of data protection). Once an agreement is concluded, it can become a framework for both parties to provide a satisfactory protection level.

Otherwise, the European Commission issues standard contractual clauses that, once signed between a private personal data issuer and receiver, ensure compliance with data protection rules. Within an international corporation or group based in multiple states with differing privacy rules, binding corporate rules can be implemented to guarantee compliant cross-border data transfers.

Personal data can also be transferred to states that do not provide a sufficient level of data protection if one of the following conditions is met:

  • the data subject has expressly agreed to the transfer (however, the CNIL does not accept this condition as being fulfilled if the consent is given for repeated or structural data transfers);
  • the transfer is necessary in order to:
    • save a human life;
    • serve a public interest;
    • establish the existence of, defend or exercise a legal claim;
    • consult a public registry;
    • sign or fulfil a contract between the data subject and the data controller; or
    • sign or fulfil a contract between the data controller and a third party acting in the data subject’s interest; or
  • the transfer has been specifically authorised by the CNIL or by decree of the Council of State.

Are there restrictions on the geographic transfer of data?

Personal data can be transferred only to states that provide a satisfactory level of data protection or to other countries under the procedures detailed above. 

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The transfer of data from a data controller to a subcontractor for processing must be contractually arranged and set the same security and confidentiality obligations for the receiver as for the data controller itself. The EU General Data Protection Regulation should also create many possibilities for the subcontractor to inherit most – if not all – of the data controller’s obligations, should its role exceed that of a simple performer for the data controller.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

Administrative penalties for non-compliance with data protection regulations are administered by the national authority for data control (CNIL). It can issue fines for natural persons of up to €150,000 for a first violation and €300,000 for a second violation occurring less than five years after the first violation.

The Criminal Code also lists a number of offences for non-compliance with or violation of data protection legislation, the gravest of which can lead to a five-year prison term and a €300,000 fine for individuals (the fine is five times higher for legal entities). These penalties are issued by national crime authorities.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Individuals can demand compensation for losses suffered as a result of data breach or non-compliance with data protection rules by taking legal action before national authorities. It is also possible to file a class action suit for non-compliance with data protection provisions.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

France has laws covering specific offences that can occur only digitally, although most of the offences and penalties stipulated in these laws have simply been adapted from previous legislation to account for the current digital environment – for example, committing certain offences on the Internet is treated as an aggravating factor (especially for child pornography).

As an example of this, a cyberspace-related offence that has been introduced into French criminal law is the automated data processing system violation, created by Law 92-685 (July 22 1992). This law prohibits fraudulent (ie, wilful and unauthorised) access to an automated system. This offence is aggravated if data in the system is extracted, modified or expanded, or if the functions of the system are altered or corrupted.

In a similar way, personal data-related offences are penalised pursuant to the Criminal Code.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Many guidelines and best practices regarding cybersecurity have been issued by various organisations – including the national authority for data control (CNIL) – and may be used as a reference in litigation relating to data breaches.

Which cyber activities are criminalised in your jurisdiction?

Aside from the violation of automated data processing systems, numerous cyber activities are criminalised, including internet protocol spoofing, identity theft and ‘happy slapping’ (ie, physical assaults filmed on mobile devices and online dissemination of such footage). 

Which authorities are responsible for enforcing cybersecurity rules?

Cybersecurity rules are enforced by both the CNIL and national authorities.

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Many companies obtain insurance for security breaches. This generally involves an inspection and upgrade of the company’s cybersecurity measures, along with a training session for employees. Insurance both protects against potential damages resulting from cyberattacks and breaches and provides strategic support when under direct cyberthreat or cyberattack.

Such insurance is common only for companies that are likely to be subject to cyberattacks or whose business is directly dependent on data security.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Companies are required to keep records of security breaches that involve personal data theft or corruption.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Electronic communication service providers are required to report data breaches to the authorities only when personal data is involved.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Electronic communication service providers must notify individuals of data breaches only when their privacy or personal data protection is at stake and the CNIL does not consider that doing so is unnecessary.

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

Criminal penalties depend on the offence in question. Sentences can include a prison term of one to 10 years and a fine of €15,000 to €500,000 (the fine is five times higher for legal entities).

Penalties are issued by the national criminal jurisdictions.

What penalties may be imposed for failure to comply with cybersecurity regulations?

A data controller’s failure to notify the CNIL of a security breach involving personal data can lead to a five-year prison term and a €300,000 fine.