Despite a lack of agreement between the Senate and the National Assembly, France has finally passed its new data protection law, 11 days prior to the entry into application of the EU General Data Protection Regulation (GDPR) on May 25.
In addition to several provisions strengthening the powers of the French Data Protection Authority (CNIL), you will find here an overview of some of the main deviations from GDPR:
- Territorial scope. French rules adopted on the basis of GDPR apply to the extent the data subject is a French resident, even when the data controller is not established in France (with an exception for processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression). So, for example, if a German business targets French customers, it will have to comply not only with the GDPR requirements, but also with the French specific rules (and presumably with German specific rules as well). The same goes if you are an Asian or American business. However, if a German newspaper processes personal data of a French resident for journalistic purposes, then French law would not apply and the newspaper would only have to comply with the GDPR and German law requirements.
- Processing of the social security number. A decree will detail the categories of data controllers who may process the national registration number (NIR) and the purposes for which the NIR may be processed. However, NIR processing operations previously authorized by the CNIL may continue until May 25, 2020 (provided they are not modified) without having to be mentioned in that decree.
- Prior formalities. Prior formalities with the CNIL disappear, bar a few exceptions (in particular with respect to the processing of health data, which will continue to be subject either to a declaration of conformity with specific requirements defined by the CNIL or to a CNIL authorization), and are replaced by a posteriori controls.
- Processing of criminal records. The law clarifies that it is possible for individuals and private entities to process personal data relating to criminal convictions and offences to prepare and exercise their rights in the context of legal proceedings.
- Children’s consent. 15-year-olds can consent alone to the processing of their personal data in relation to the direct offer of online services. Below 15, the processing is lawful only if the consent is given jointly by the minor and the holder(s) of parental responsibility. You should however keep in mind that this does not affect the general rules regarding capacity to enter into a contract. So for example, it might still be necessary to obtain the consent of the holder(s) of parental responsibility for a child to register on certain applications or websites, even though he/she is over 15.
Specific provisions are provided for minors involved in health research, studies and evaluations, which give minors aged 15 or more the right to object to access by the holders of parental responsibility to the minor's personal data used in the context of such health research, studies and evaluations.
- Consent validity and contracts. The law provides for an obligation, for data controllers, to demonstrate that the contracts they enter into do not constitute an obstacle to end users’ consent and freedom to access the applications and services of their choice on their electronic devices. For example, electronic device makers should not enter into contracts forcing them to offer to end users certain services installed by default on the devices, without any other alternative, and collecting personal data to monetize them. This provision is an application of the data privacy by design and default principles and of the requirement that data controllers be able to demonstrate the data subjects’ consent where processing is based on consent.
In addition to that general statement, the law provides some examples of what would constitute an obstacle to valid consent (e.g., restricting the end user’s choices, without any legitimate technical or security reasons, notably during the initial setting of the terminal equipment).
- Transparency. The obligation to provide a short information notice when personal data is collected via a form is maintained in the French law, whereas the GDPR does not specifically provide for a similar requirement.
- Limitations to data subjects’ rights in certain circumstances. Data subjects’ rights can be restricted, notably to avoid obstructing administrative investigations, inquiries or procedures, to safeguard the prevention, investigation, detection and prosecution of criminal offences as well as administrative enquiries, or to protect the rights and freedoms of others.
- Data breach notification. A decree will restrict the obligation of notification under article 34 of the GDPR for national security, defense and public security purposes with respect to certain processing necessary for compliance with a legal obligation or for the performance of a task carried out by the data controller in the public interest.
- Class action. Class action litigants will be entitled both to seek injunctive relief and to claim compensation for their material and moral losses. However, litigants may only claim compensation if the event that caused the loss occurred after May 24, 2018. In terms of who can bring data protection class actions, there is no change (limited to associations or trade unions), and individuals are still not able to bring such class actions by themselves through their attorney.
The law also contains specific provisions regarding the processing of health data and for the implementation of the EU Data Protection Directive on Police and Criminal Justice Cooperation into French law.
In terms of next steps, this final version of the law must still pass the constitutional review before promulgation, which could delay its entry into force. If everything goes well, the law will become applicable at the same time as the GDPR on May 25. However, it has already been reported that Senators intend to request a constitutional review, which could delay the entry into force of the new law (the French Constitutional Council must rule within one month, or 8 days in urgent cases). In that case, this would not prevent the GDPR from applying in France as of May 25, but it may still have some operational impact, for instance on the CNIL, as it would notably make cooperation with the other EU supervisory authorities difficult.
Regarding enforcement actions, the CNIL has already indicated that it will distinguish between fundamental principles, which will continue to be subject to strict compliance checks, and new obligations or rights, for which the CNIL will help organizations gain a good understanding of the new rules and how to implement them. Provided that an organization acts in good faith, engages in the compliance process and cooperates, inspections are unlikely to lead to sanctions during the first months following May 25. It will nevertheless be necessary to get up to speed quickly with both the GDPR requirements and the specific French rules in order to avoid high fines.