DataGuidance spoke with Cécile Martin, Special International Counsel at Proskauer Rose LLP, at the International Association of Privacy Professionals’ Conference in Brussels in November 2016. Cécile discussed the passing of the Digital Republic Bill and its implications for organizations, as well as the latest developments regarding employee monitoring in France and the upcoming changes with the GDPR.

Indeed, a lot of changes are taking place in France in terms of data privacy.

First, the Digital Republic Bill, which passed in October 2016 in France initiated a lot of changes for companies and organizations in terms of Privacy. As an example, pursuant to this new Bill, data subjects have now the right to know how long their data is stored, decide how their data will be used after their death, or request that personal data be deleted without delay when it was collected at a time when data subjects were minors.

Furthermore, sanctions to be taken by the French Data Protection Agency have increased from €150,000 up to €3 Million euros. Companies should know that this new Bill is only an anticipation of the GDPR that will come into force in 2018 in Europe.

Thus, with the Digital Republic Act, France has sent a clear message that it is taking personal data protection very seriously and is keen to establish strong safeguards to protect personal data. Even though the GDPR is going to establish a harmonized data protection regime across Europe, EU member states can adopt additional data protection rules on specific topics, and therefore, country-specific laws will continue to apply meaning that businesses may still need to comply with different national laws when processing personal data across Europe.

Second, there have also been an increased focus given to issues relating to employee monitoring this year in France.

The French Supreme Court continues to sharpen its case law regarding the possibility to monitor employees at the workplace.

Generally, to lawfully monitor an employee under French law, employers have to comply with 3 different steps:

  1. Informing and consulting the employees’ representatives bodies about the contemplated monitoring. It generally takes 3 months;
  2. Informing the employees of the monitoring;
  3. Filing the monitoring system with the CNIL. This is quite fast as it can be done online.

However, once it is done, employers still have to remain cautious in the way the monitoring is done if they want to be able to take appropriate sanctions against their employees since the French Supreme Court tends to consider that:

  • the emails received or sent by an employee on his professional email account are considered as being professional emails, except if they are formally identified by the employees as being personal, which means that they can be open and read by the employer.
  • the emails received and sent by an employee through his personal webmail from the professional workstation cannot be open and read by the employers without the authorization of a judge.

In terms of biometry, the French Data Protection Agency (“CNIL”) announced, on September 27, 2016, that it had updated its biometrics doctrine to take into consideration technological changes (meaning that there is no longer a distinction between biometric data processing with trace (e.g. DNA) and biometric data processing without trace (e.g. voice). Now, the CNIL discerns between biometric data processing which enables data subjects to keep the control of their biometric data and ones which do not offer such a protection.

In particular, the CNIL adopted 2 new single authorisations encompassing biometric access control systems in the workplace.

  • The Authorisations take into consideration the principles enacted by the GDPR given that companies must be able to document the characteristic of the data processing, demonstrate the proportionality of the data processing, and comply with the principles of Privacy by Default and by Design.
  • The new Authorisations impose 3 main obligations on organisations regarding a lawful use of biometrics in the workplace.
    • Firstly, businesses must ensure the use of biometrics is justified, considering whether less intrusive means could be employed (e.g. access to premises with a badge if the company does not operate in a high-risk sector).
    • Secondly, entities should favour Privacy by Default or by Design solutions, in order to limit the risk of misuse of biometric data.
    • Finally, organisations need to properly justify, document and safeguard the storage of such data. The adoption of measures to minimise the risk to privacy such as encryption are also encouraged.

Click here to view Cécile Martin’s full interview with DataGuidance.