France’s Law for a Digital Republic, under discussion for more than a year, was published on Oct. 7, 2016 and creates significant new obligations for data controllers and online platform operators. As reported here, some key data protection provisions of the Law are immediately effective, whereas other data protection provisions will take effect in 2017 and 2018.

Post mortem rights to control one’s data

The Law creates a new right for each data subject to issue directives relating to the disposition of his or her personal data after death. Those directives may be general or specific or both; general directives can be stored with a third party certified by the CNIL and the CNIL will keep a record of those directives (the publication of the implementing decree relating to the CNIL record is expected in March 2017). Specific directives are stored with the relevant data controller.

As previously reported, other provisions governing post mortem rights could be considered of immediate application:

  1. The data subject can designate a person to exercise his or her rights after death.
  2. Except where the decedent’s directives specifically state otherwise, heirs are entitled to exercise the decedent’s rights for purposes enumerated in the Law, including to ensure that controllers take into account the data subject’s death, close the decedent’s user accounts and stop processing decedent’s personal data.
  3. Online communication service providers must henceforth inform users what is done with their personal data upon death, and must allow users to decide whether their personal data should be transferred upon death.

Data portability enshrined in the French Consumer Code

As from May 25, 2018, consumers will have a right of data portability for all their data. Personal data portability will be determined by the EU General Data Protection Regulation, and portability of all other data will be determined by the French Consumer Code.

Under this new right of consumer data portability, providers of online communication services to the public will be required to offer consumers a free service to recover (i) all files uploaded by the consumer, (ii) all data that result from the use of the consumer’s user account and that can be consulted by the consumer (except data that has been significantly enriched by the provider); and (iii) other data associated with the consumer’s user account (a) that simplifies a change of provider, or access to other services, or (b) where identification of the data takes into account the value of the services, competition between providers, usefulness for the consumer, and the frequency and economic impact of the use of the services.

These provisions will not apply to providers with active user accounts below a certain threshold, which will be determined by decree. A decree will also set forth a list of types of data enrichment that will be presumed insignificant and that consequently will not justify a refusal to “port” data.

Given the CNIL’s expansive interpretation of the definition of personal data, and the vagueness of the new Consumer Code provisions, this new right could prove difficult to apply in practice.