On 7 October 2016, a new French Digital Republic Bill came into force, modifying a number of provisions of the French Data Protection Act and other data protection related regulations. The Bill:
- modifies the rights of data subjects and the obligations of data controllers;
- increases the powers of the CNIL;
- introduces a new provision on data portability into the consumer protection code; and
- amends the code of electronic communication to extend the secrecy of correspondence.
Please read on for a brief explanation of each of these modifications.
The new Bill modifies the rights of data subjects and the obligations of data controllers, in the following ways:
- A new General Principle is enshrined in Article 1 – for all persons to determine, and control, the manner in which their personal data is used;
- The introduction of increased protection of children – the Data Protection Act now provides (i) a framework for the protection of minors in the context of medical research and (ii) for a “right to be forgotten” specific to minors and an accelerated procedure for the exercise of this right;
- The possibility of specifying what happens to your data after death – depending on the circumstances, instructions can be entrusted to a third party certified by the CNIL or to the data controllers (with the express consent of the data subject). In the absence of instructions from the deceased during their lifetime, the heirs will have the opportunity to exercise certain data control rights;
- ‘Fair Information’ to data subjects must include information about data retention policies or, if this is impossible, the criteria used for determining for how long the data will be retained; and
- The right of a data subject to “exercise his rights electronically” where personal data has been collected electronically.
The Bill also increases the powers of the CNIL:
- The CNIL now has power to impose more stringent sanctions – the maximum fine that the CNIL can impose has risen from €150,000 to €3 million. Other sanctioning powers have been changed and notably the CNIL can now order the company in breach to notify the breach to all affected data subjects;
- Provision is made for improved international cooperation between the CNIL and the data protection authorities from other countries;
- The CNIL may now intervene to a greater extent in the legislative process including automatic publication of the CNIL’s opinions.
The Bill introduces a new provision on data portability into the consumer protection code that will only become effective in May 2018 when the General Data Protection Regulation (GDPR) becomes enforceable. The code provides that the consumer has “in all circumstances” a right to recover “all” of his data – in other words, to port his data to another provider. This right will be exercised in accordance with Article 20 of the GDPR. Online communications service providers must offer a free of charge functionality to the consumer for the recovery of all the relevant files or data (see further below for what this includes). They must take all necessary measures to this end, in terms of the programming interface and the transmission of the information necessary for the change of supplier. However, this obligation is subject to confidentiality in industrial and commercial matters and intellectual property rights. The obligation will not be imposed on “small suppliers” (based on the number of user accounts that have been connected in the last six months).
Relevant data includes:
- all files uploaded by the consumer;
- data resulting from the use of the user account (excluding data that has been significantly enhanced by the supplier); and
- “other data” associated with the consumer’s user account (facilitating the change of the service provider and with certain limitations).
Furthermore, the Bill amends the code of electronic communication to extend the secrecy of correspondence, in particular, to:
- extend the obligation of secrecy to OTTs;
- define what elements are protected by confidentiality (i.e. the content, the identity of the correspondents, and, if applicable, the header of the message and the attached documents);
- define the use that can be made with the consent of the user (automated analysis for advertising, statistics or service improvement); and
- define the type of consent (express, specific to each processing and at least once a year).