A bill currently under discussion before the French Parliament should result in tightened sanctions against organizations found to be in breach of data protection law. New sanctions provided under the bill are a reflection of the forthcoming General Data Protection Regulation (the "GDPR").
The bill entitled "For a Digital Republic" (the "Bill"), adopted at first reading by the French National Assembly on 26 January 2016 and currently before the French Senate under a fast-track procedure, significantly reinforces the powers of the French Data Protection Authority (the "CNIL") to impose administrative fines. The Bill is likely to come into force in the first half of 2016.
In its current state, this omnibus Bill introduces changes in substantive data protection law. Among other things, it provides data subjects with a right to "data portability" and a right to additional information on the processing of their personal data (such as the period of retention of the data), and it intends to regulate the processing of personal data after the death of the data subject. In addition, the Bill amends Article 47 of the French Data Protection Act (the "FDPA") so as to strengthen the powers of the CNIL to impose administrative fines on data controllers in case of violation of the FDPA. The types of sanctions that the CNIL may pronounce, however, remain unchanged.
Under the current legislative framework, the administrative fines imposed by the CNIL cannot exceed €150,000 for a first violation of the FDPA. If the violation of the FDPA recurs within 5 years of the final decision imposing a sanction, the administrative fine can be increased to up to €300,000 or, against undertakings, to up to 5% of their annual turnover for the previous financial year (excluding taxes), within the limit of €300,000.
Pursuant to recent amendments, the Bill includes administrative fines which are similar to the ones set forth in the GDPR, in its current form. This aligns the penalties at national level and at European level for breaches of data protection provisions. The Bill provides for two levels of fines:
- the highest level provides for fines of up to €20,000,000 or, in case of an undertaking, 4% of the total worldwide annual turnover (based on the financial year preceding the violation), whichever of the two is higher; and
- the lowest level provides for fines of up to €10,000,000 or, in case of an undertaking, 2% of the total worldwide annual turnover (based on the financial year preceding the violation), whichever of the two is higher.
The highest level of fine is presented as the principle and will apply to the vast majority of breaches, including violations of the data subjects' rights (e.g., the right of access). By exception, the lowest level of fine will apply in a limited list of situations (e.g., processing personal data without completing the required formalities with the CNIL, or a breach of data security). In any event, fines imposed by the CNIL shall be proportionate to the seriousness of the violation and to the benefits that flowed from it.
By increasing the sanctioning powers of the CNIL, the Bill anticipates the entry into force of the GDPR, expected in two years. Indeed, at the end of last year, the GDPR was agreed upon following trilogue negotiations between the three European institutions: the Council, the European Parliament and the European Commission. The GDPR will now be submitted to the Council for adoption at first reading and then to the European Parliament for approval. It is expected to come into force in Spring 2016 but will not be applicable before Spring 2018.