The General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. In light of the urgency to adapt Law no. 78-17 dated 6 January 1978 to the new European Union law, the French Government has initiated an accelerated procedure. This procedure led to the adoption in final reading by the French National Assembly of the bill on personal data protection on 14 May 2018. However, some French Senators lodged a constitutional complaint against the said law on 16 May 2018.
The bill on personal data protection aims to adapt the "French Data Protection" Act to the new legal framework called "European data protection package" made of the GDPR and the directive on the processing of personal data implemented in police and judicial matters.
In various fields (notably in the field of medical research), the GDPR has provided a "margin of manoeuvre" for Member States, which have to specify certain provisions, arrange derogations or, on the contrary, strengthen safeguards already provided for by European law.
The bill was adopted by the French National Assembly in final reading on 14 May 2018 and plans an entry into force of the new provisions for 25 May 2018.
On 16 May 2018, some French Senators applied to the French Constitutional Council under Article 61(2) of the French Constitution. They argue that the referred law would, notably, disregard the objective of accessibility and intelligibility of the law and that it would infringe the principle of equality. The French Constitutional Council shall give a decision within a month from the date of referral, unless the French Government asks for the procedure to be accelerated.
The GDPR has an extended scope compared to the scope of the French Data Protection Act. It applies to:
- companies established on the territory of the European Union and which process personal data (Article 3(1)); and
- companies established out of the European Union if they process personal data of European residents in the scope of the offering of goods or services or the monitoring of their behaviour (insofar as the said behaviour takes place within the European Union) (Article 3(2)).
As for now, Article 5 of the French Data Protection Act provides that national law applies when the controller is established in France or, failing that, in the absence of an establishment in France or in the European Union, when the controller uses processing means located on the French territory.
The bill does not amend the current Article 5. However, it adds an Article 5-1 which determines the territorial scope of the French provisions adjusting or completing the GDPR on account of the "margin of manoeuvre" left to Member States. This new article holds the criterion of residence of the data subject, with the exception of the processing referred to in Article 85-2 of the GDPR (processing relating to freedom of expression and information).
Thus, the scopes of the GDPR and the French Data Protection Act do not coincide and some inconsistencies and difficulties of application may be feared.
Corrective actions and penalties
Article 7 of the adopted bill concerns corrective actions and penalties implemented by the restricted committee of the Commission Nationale de I'Informatique et des Libertés (French Commission for Information Technologies and Civil Liberties - CNIL). Articles 45 to 48 as amended by the bill provide for new penalties which may be imposed in case of infringement of the GDPR or the French Data Protection Act (warning, formal notice, penalty). The amount of financial penalties that may be imposed has significantly increased and may reach €20 million or 4% of a company's global annual turnover, pursuant to the GDPR provisions. The bill kept the possibility of making penalties imposed by the restricted committee public.
The bill also creates new penalties, such as periodic penalties "which amount shall not exceed €100,000 per day's delay", which are yet not provided for in the GDPR.
The text referring the bill to the French Constitutional Council from the applying French Senators states, regarding the considerable strengthening of administrative penalties that, "thus, such strengthening of an administrative authority's power to impose penalties should normally come with a proportional increase in rights and safeguards provided to defendants, lest it threaten the balance and fairness of the procedure, constitutionally protected. Yet, as such, it is not the case".
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Where personal data are processed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, the GDPR allows Member States to provide for derogations from some rights of data subjects, in particular the right of access, right to restriction of processing and right to object.
The current French Data Protection Act already provides for certain derogations, in particular regarding the right of erasure of personal data of data subjects who were underage at the time of collection (Article 40) and the retention period (Article 36).
The bill broadens the scope of the current Article 36 of the French Data Protection Act. It introduces derogations from certain rights of data subjects – in particular the right of access, the right to rectification, the right to data portability and the right to object – to the benefit of public archives services when personal data processing is performed for archiving purposes in the public interest, in compliance with Article L. 211-2 of the French Heritage Code.
The bill also provides that derogations from certain rights of data subjects regarding their personal data, which public services archives are benefitting from, may be extended wholly or partly to other types of processing by decree of the French Administrative Supreme Court ("Conseil d'État") (for scientific or historical research purposes or statistical purposes).
Processing in health-related matters
In Chapter IX of the French Data Protection Act, now entitled "Personal data processing in health‑related matters", the bill gathers all provisions regarding processing of health data.
In line with the principle of accountability of actors laid down in the GDPR, the bill provides for a system of declaration of conformity to frames of reference or model regulations enacted by the CNIL in consultation with the Institut National des données de santé (French Institute on Health Data – INDS) and private and public bodies representing the concerned actors. Thus, the data controller will have to report to the CNIL that the contemplated processing is compliant with frames of reference and model regulations. When processing does not comply with these frames of reference, an authorisation from the CNIL is required prior to any implementation.
In addition, an audit committee for the national health data system is created to strengthen control over use of these particularly sensitive data. Even though a decree by the Conseil d'État will specify the composition of the committee and define its operating rules and the ways of conducting the audit, the bill already provides that the president of the CNIL, or his/her representative, must mandatorily be part of the committee as an observer.
Finally, the bill provides that the processing implemented by complementary health organisations, in the scope of their coverage duties, shall fall within the scope of the processing that is not subject to the provisions of the new Chapter IX. French Deputies removed the prohibition – requested by the French Senate – for these organisations to use public health data to determine therapeutic and medical options and select risks, on the basis that these data would be already highly supervised by the applicable law.
Legal age of consent for minors
The GDPR determines digital majority at 16 years, i.e. the age at which a minor may consent alone to the processing of his/her personal data as regards the direct offering of information society services. Nevertheless, it allows Member States to lower this age down to 13 years.
The bill sets legal age at 15 years in France. Therefore, minors under 15 will not be able to consent personally to the processing of their personal data and the processing will be legal only if it was given by the concerned minor together with the holder of parental authority.
This additional condition of double consent (minor's and parents') is highly criticised by the applying French Senators as being impossible and incompatible with the provisions of the GDPR.
The bill strengthens the obligation to inform minors lying on data controllers by imposing that all information and communications with regard to processing are written in "clear and plain language that the minor can easily understand".
Broadening class actions
The law on modernisation of the 21 century justice had already introduced the principle of personal data class actions in 2016. The purpose of this procedure is currently limited to requesting cessation of an infringement of the French Data Protection Act (Article 43ter of the French Data Protection Act).
Using the margin of manoeuvre allowed by the GDPR, the bill extends the purpose of personal data class actions to compensation for material and moral damage arising from an infringement of the GDPR and not only of the French law. The text adopted by French Deputies requires that the plaintiff in the class action suit inform the CNIL when bringing the action, in order for it to submit observations before the court hearing the action.
This new procedure is limited to compensation for damage, which event giving rise to it occurred after 24 May 2018. Thus, the French National Assembly has refused to postpone by two years the entry into force of class actions to obtain compensation as the French Senate requested it.
Furthermore, the bill allows all data subjects to mandate certain associations or organisations in order to exercise on their behalf a claim to the CNIL, to bring an action against the CNIL or a data controller or a processor.
The bill adopted by the French National Assembly does not subordinate personal data class action or an action via a proxy to prior approval of the association by the administrative authority.
Obligation for the data controller as regards consent
Data controllers are bound by Article 28(1) of the adopted bill, where processing is based on the data subject's consent, to prove that the contracts they conclude, as regards online public communications, do not prevent the final user from consenting. This provision aims to favour a choice of diverse services and applications and to protect final users by enabling them to consent effectively to processing of their data by these services and applications installed by default. However, this goes beyond the GDPR's requirements.
Article 28(2) limits the exceptions that data controllers may raise to prove that the contracts concluded do not infringe final users' consent. Data controllers may only rely on a "technical or safety legitimate ground" and not on a "financial reason". Indeed, this last exception has been removed by an amendment voted in a final reading.
Processing in the scope of employment relationships
The GDPR enables Member States to provide for more specific rules to ensure protection of rights and freedoms regarding processing of employees' personal data in the scope of employment relationships.
Certain provisions of the French Labour Code already have an impact on processing of employees' personal data by providing in particular that the employer shall beforehand inform employees (Article L.1222-4) and, where applicable, staff representation bodies (Article L.2312-38), in the event of the use of a control device.
The bill introduces new exceptions to the principle prohibiting processing of sensitive data. Thus, "biometric data strictly necessary for controlling the access to workplaces and devices and applications used in the scope of duties entrusted to employees, agents, interns or service providers" may by exceptionally processed by employees or administrations.
Processing for journalistic purposes
In the scope of personal data processing performed for journalistic purposes, the GDPR allows Member States to introduce the exemptions or derogations they deem necessary to combine the right to personal data protection and the freedom of expression and information.
Even though the current Data Protection Act already provides for such an exemption (Article 67), it limits it, however, to the exercise of the journalistic activity “as a profession”.
The bill made no substantial modifications to the way of performing processing of personal data for journalistic purposes. More particularly, it did not take advantage of the adaptation of French law to comply with community case law, which considers that said exemption applies to journalistic activities which aim to disclose information, opinions or ideas to the public - regardless of how they are disclosed - and which are not reserved to media companies.
Nevertheless, the bill provides that journalists will be able to raise secrecy before the CNIL investigators - when exercising their supervisory powers - for information covered by “the secrecy of journalistic processing sources”.
Appointing a Data Protection Officer
The bill does not provide for any specific provision relating to the appointment of a Data Protection Officer which is thus governed by Article 37 of the GDPR.
The French Senate had introduced an article providing for the establishment by the CNIL of an Ethical Charter for Data Protection Officers, laying down ethical principles and good practices specific to the performance of such duties in public administrations. This article has been removed by the French National Assembly.
It ought to be noted that the French National Assembly removed the possibility for the CNIL of certifying connected objects – introduced by the French Senate - which was supposed to enable to make sure that these objects complied with some standards as regards safety and confidentiality of personal data.
In this bill, the French Government decided to only make the substantive amendments that became essential due to the forthcoming entry into force of the GDPR and the necessity to transpose the directive on the processing of personal data implemented in police and judicial matters.
As authorised by Article 32 of the bill, the French Government will be allowed to redraft, by way of an ordinance, the entire Data Protection Act. Said ordinance shall be adopted within six months as of the enactment of the law. The ratification law itself shall then be adopted within six months following the adoption of the ordinance.
To date, the content and the date of entry into force of the law on personal data protection fall to be determined by the forthcoming decision of the French Constitutional Council. We will keep you informed of the next developments and are available for any further question.