A bill "intended to better guarantee the right to privacy in the digital age"1 was adopted by a large majority of the French Senate on March 23, 2010, and immediately transmitted to the French National Assembly for review.
The first objective of the bill is to educate students about the use and exposure of personal information on the Internet, notably through social media. The bill is principally aimed at significantly reinforcing the obligations of data processors and at increasing the powers of the French data protection agency, the CNIL.
The projected changes are the following:
Extension of the notion of personal data to digital identity (ID)
Personal data is defined by law as, "any data concerning an identified physical person or a person who can be identified, directly or indirectly, by reference to an identification number or one or more elements specific to him or her."2
Among these elements, one can generally find: name, social security number, address, telephone number, etc.
The bill expressly integrates into these elements "any number identifying the holder with access to online communication services with the public," i.e., the electronic ID.
The intent of this bill is therefore to explicitly make the law of 1978 cover all Internet exchanges.
The appointment of a data protection officer (DPO), for the moment only encouraged, could become mandatory in certain cases
The bill provides that where prior authorization of the CNIL is required, principally for the processing of sensitive data (such as medical data, data in which racial origin, political, philosophical or religious opinions, membership in political associations or movements, criminal convictions, etc., appear directly or indirectly) and/or for the interconnection of different files, the data processor must appoint a data protection officer (DPO – 'Correspondant Informatique et Libertés' – CIL) to supervise the processing concerned.
Under the bill, designation of a DPO is mandatory, however, when more than 100 people are processing personal data. One issue that is not clear from the bill is whether persons working in affiliated companies outside of France will count as part of the 100.
Under the bill, the DPO will be obligated to immediately inform the CNIL of any non-compliance with the French Data Protection Act. This mechanism, therefore, makes data processors liable if they do not immediately signal any non-compliance, as failure to notify is in itself punishable.
The information of persons whose personal data is used is reinforced by the bill
Data processors will also be obliged to inform any person whose personal data is processed, beginning with employees, clients, suppliers, etc., of the existence of this processing, the purpose of such processing, the identity of the data processor, the length of time the data will be held, potential access by other persons to the data, and their remedies against such processing.
- The data processor must immediately, and prior to the processing, inform the person concerned that his or her personal data is going to be processed
- These procedures must for the most part be carried out electronically
- The data processor must also permanently put on its website information that would allow persons whose personal data is processed to exercise their rights
The CNIL's power of review and sanction would be expanded
Under the bill, the CNIL's enforcement powers will be increased as follows:
- The CNIL will be granted the power to make unannounced visits to data processors (with prior authorization from the judge, the 'Juge des Libertés et de la Détention')
- Fines will be doubled, increasing from €150,000 to €300,000 for a first infringement and from €300,000 to €600,000 for a repeated infringement3
The bill is currently under review, not subject to any specific timeline or priority, by the Law Commission of the French National Assembly, whose vote will prevail. It was reviewed and voted on by the Senate in less than two months, and one of its principal architects was the current president of the CNIL, Senator Alex Türk.
The bill is not supported by the French government or by President Sarkozy. It is unlikely to be passed in its current form given that the National Assembly has the reputation of being closer to the business world.
Nevertheless, the existence of the bill demonstrates the importance attached to the protection of personal data by the French lawmaker, who has already strengthened the applicable French regulation resulting from the transposition of the EU Directive 95/46/CE on data protection.
Our team for data protection is at your disposal to discuss the obligations of your company in France concerning the processing and transfer of personal data.