France’s Law for a Digital Republic (“Law”), adopted earlier this month, creates significant new obligations for data controllers and online services providers – particularly platform operators. Some key data protection provisions of the Law are immediately effective: increased maximum administrative fines; expanded notice obligations for data controllers; and a specific Right To Be Forgotten for minors. Those provisions are described below.
Other provisions, including the creation of a right to direct the use of one’s data after death, enhanced transparency and fairness obligations vis-à-vis consumers and enhanced confidentiality obligations for telecom operators and online public communication services providers, will not be fully effective until the adoption of implementing decrees. A new right of data portability for consumers, similar to the data portability right under the EU General Data Protection Regulation (“GDPR”), will take effect May 25, 2018. Those provisions will be described in other blog posts.
Maximum administrative fine raised from EUR 150,000 to EUR 3M; CNIL enforcement authority reinforced
Under the Law, and effective immediately, the French data protection authority (the “CNIL”), is empowered to order administrative fines of up to EUR 3M. Previously, the maximum fine was EUR 150,000 , or EUR 300,000 for a repeat violation. The Law specifies that when determining the amount of a fine the CNIL must take into account several factors, which largely echo those set forth in the GDPR.
In cases of extreme urgency the CNIL is now also entitled to issue a cease and desist to comply within 24 hours. When the infringing party does not comply, the CNIL may issue a warning, a fine or an injunction. When it is not possible in fact for the infringing party to comply with the law, the CNIL can order a fine without first issuing a cease and desist (but due process must still be followed).
The CNIL will also be able to conduct inspections on behalf of comparable authorities in non-EU countries that offer an adequate level of protection to personal data. The CNIL must enter into an agreement describing the relations between the authorities.
Expanded notice requirements
Effective immediately, notices to data subjects must specify the period during which personal data will be retained; where this is impossible, the criteria for determining the retention period must be specified.
Notices must also mention the data subject’s right to issue directives for the disposition of personal data after death.
Post mortem rights
The Law creates a new right for each data subject to issue directives relating to the disposition of his or her personal data after death. While some provisions relating to post mortem rights await an implementing decree to take effect, others could be considered of immediate application:
- The data subject can designate a person to exercise his or her rights after death.
- Except where the decedent’s directives specifically state otherwise, heirs are entitled to exercise the decedent’s rights for purposes enumerated in the Law, including to ensure that controllers take into account the data subject’s death, close the decedent’s user accounts and stop processing decedent’s personal data.
- Online communication service providers must inform users what is done with their personal data upon death, and must allow users to decide whether their personal data should be transferred upon death.
Right to be forgotten for minors
In a nod to Recital 65 of the GDPR, the Law provides that persons who were minors at the time their personal data was collected in connection with information society services are entitled to have their personal data erased promptly by the data controller. If the controller shared the data with another controller, the first controller must take reasonable measures (including technical measures) to inform the third party that the data subject has demanded the erasure of all links to the data, or any copy or replication of the data. If the data is not erased or the controller does not respond within one month, the data subject may petition the CNIL, which has 3 weeks to issue its decision. The data controller’s obligation to erase a minor’s personal data is subject to five exceptions, similar to those forth in the GDPR.