
Jurisdiction snapshot

Trends and climate

Would you consider your national data protection laws to be ahead of or behind the international curve?

Data protection laws in France are usually ahead of the international curve. Apart from being bound by the new EU General Data Protection Regulation, which was adopted by the European Parliament on April 27 2016 and will enter into effect from May 25 2018, France also enacted the Digital Republic Act of 2016 (NOR: ECFI1524250L) on October 7 2016. Among its several objectives, the Law for a Digital Republic implements the ratio legis of the regulation regarding data protection, but also goes beyond the regulation by recognising, among other things, the right of a citizen to decide the fate of his or her personal data after death.

Are any changes to existing data protection legislation proposed or expected in the near future?

Apart from the EU General Data Protection Regulation, which will enter into effect on May 25 2018 and supersede the Data Protection Act 1978 where the two overlap or where the regulation provides for additional protection (and which will consequently have no effect on specific and specialised issues), there is no further information pertaining to any tentative amendments to be made by the French Legislative Assembly on data protection. However, the Commission Nationale de l'Informatique et des Libertés (the French data protection authority) has been and will continue to provide regular recommendations and guidelines for a better understanding and application of the regulation and of data protection.

Legal framework

Legislation

What legislation governs the collection, storage and use of personal data?

Pending date of effect of the EU General Data Protection Regulation from May 25 2018, the Data Protection Act 1978 constitutes the domestic legal framework governing the collection, storage and use of personal data. The Data Protection Act will remain in force and continue to regulate specific and specialised issues not catered for in the regulation.

Further, several other technical and criminal acts provide for specific rules concerning data protection (eg, the Trust in Digital Economy Act 2004). The entry into effect of the regulation will not repeal these technical and criminal domestic acts. 

Scope and jurisdiction

Who falls within the scope of the legislation?

Personal data controllers fall within the scope of the Data Protection Act 1978. A ‘personal data controller’ is defined as any person or company that determines the means and purpose of personal data processing. ‘Data processing’ encompasses every operation or set of operations regarding personal data (eg, personal data collection, storage, modification, use and deletion).

This legislation applies to a data controller when the processing of personal data forms part of the business activities of at least one of its establishments located in an EU member state, or when it processes personal data by technical or human means that are located in an EU member state.

Other individuals or legal entities can also fall within the scope of the legislation in the application of criminal law provisions (eg, when the victim of a criminal offence is a French national).

However, the following will be bound by the EU General Data Protection Regulation from the date of its effect on May 25 2018:

  • any data controller or processor processing personal data, in the context of its business activities in the European Union (ie, in France), regardless of whether the processing takes place in the European Union; or
  • any data controller or processor not established in the European Union but processing personal data of data subjects which are in the European Union and where the processing activities are related to:
    • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
    • the monitoring of their behaviour as far as it takes place within the European Union.

What kind of data falls within the scope of the legislation?

The Data Protection Act regulates only the processing of personal data. ‘Personal data’ is defined as any information relating to an identified or identifiable natural person. An ‘identifiable person’ is one who can be directly or indirectly identified, particularly by reference to an identification number or one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Are data owners required to register with the relevant authority before processing data?

Before processing personal data, data controllers must inform the Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority) by way of a declaration or an authorisation request. While most processing simply requires a declaration of personal data processing (which includes detailed documentation regarding the type of data processed, the purpose of the processing and the duration of the data storage), the processing of particularly sensitive personal data (eg, medical and biometric data) is subject to CNIL authorisation.

Should the purpose of processing or means of the personal data processing change, the data controller must notify the CNIL of such change by either amending the original declaration or filing a new one.

However, under the EU General Data Protection Regulation, data controllers and processors will no longer be subject to these declaration procedures. Instead, data controllers and processors will have to keep a record of all of their data processing and will be expected to provide evidence of their compliance with the new regulation in case of an investigation. Data controllers and processors will nonetheless remain subject to the authorisation regime where the Data Protection Act requires it.

Is information regarding registered data owners publicly available?

The declarations and authorisations registered by the CNIL are available to the public.

Is there a requirement to appoint a data protection officer?

There are no obligations regarding the appointment of a data protection officer under the Data Protection Act 1978. The designation of a data protection officer must simply be notified to the CNIL.

However, with the entry into force of the General Data Protection Regulation, the appointment of a data protection officer will become mandatory for all public authorities and business entities where the core activities of the controller or processor involve regular and systematic monitoring of data subjects on a large scale or where the entity conducts large-scale processing of sensitive personal data (eg, data revealing ethnic or racial origins, political opinions, religious or philosophical beliefs and sexual orientation).

Enforcement

Which body is responsible for enforcing data protection legislation and what are its powers?

The CNIL is responsible for enforcing the Data Protection Act 1978 in France. Its mission is to inform the general public, personal data controllers and processors regarding their mutual rights and obligations. It also acts as an adviser to the government, which involves both publishing reports on personal data practices and issues and directly consulting with officials during the preparation of data protection-related legislation.

The CNIL has extensive punitive powers, which make it a jurisdictional authority within the meaning of the European Convention on Human Rights. The CNIL can issue severe administrative penalties, which are levied only after an adversarial (contradictoire) examination and are subject to appeal. These repressive powers will be enhanced by the General Data Protection Regulation.

The General Data Protection Regulation also provides that EU member states will be responsible for enforcing criminal provisions relating to personal data. In this regard, the CNIL can notify other data protection authorities of any violations and take legal action itself for such violations. In order to provide efficient documentation of these violations, the CNIL has enhanced investigatory powers which follow various procedures according to whether the data controller agrees to the investigation, the urgency of the situation, the gravity of the violation or whether evidence of the violation is likely to be destroyed.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data collection, storage and processing must follow a set of cumulative rules.

First, the collection and processing must be fair, lawful and conducted in a transparent manner. This obligation is assessed by judges and implies that the data controller must inform data subjects of the processing to which their data is subject.

Processing operations must also serve a specified, explicit and legitimate purpose. Data controllers must submit a justification of the purpose of the processing to the Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority) before engaging in such operations. Data collection, use, storage and processing are lawful only insofar as they fall within the declared purpose of the processing; this obligation is strictly interpreted by judges.

The gathered data must be adequate, relevant and not excessive in relation to the declared purpose of the processing. The processed data must also be exact, complete and up to date.

The duration of data storage must be limited in accordance with the purpose of the processing. In most cases data collection requires the consent of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The gathered data must be kept only for a duration that is in line with the purpose of its processing. Once the objective of the data collection has been met, the data must be deleted.

However, specific categories of data can and must sometimes be archived, according to relevant legal obligations (eg, a lessor of social housing must keep records of tenants in case of a confidential ministerial investigation) or where the data still holds an interest (eg, if it can be used to meet an obligation or prevent a legal dispute). It can then be stored only for as long as this interest still exists. There is no storage time limit if the data holds a historical, scientific or statistical interest.

The time limit for data storage also varies according to the type of data that is to be stored. For example, cookies can be actively held for 13 months only. As another example, within the European Union internet service providers and web hosts must keep users’ personal information for one year for potential police or judicial investigation needs.

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have a right to access personal data about them that is held, stored or in any other way processed by a natural or legal person. The data controller must provide direct, free access to the individual’s data on such request. However, certain data – such as data processed by a public entity that holds a national interest (eg, sensitive national security data regarding a data subject which may be used for the conduct of a secret police investigation) – can be accessed indirectly through the CNIL. 

Do individuals have a right to request deletion of their data?

Individuals have a right to oppose and request the deletion of their data for legitimate and decisive reasons.

Individuals also have the right to demand deletion of their data if it is inaccurate, incomplete, obsolete, ambiguous or unlawfully used, transferred or stored. This also applies when the data storage period is excessive in relation to the declared purpose of the processing.

Deletion is not necessarily guaranteed. Depending on the purpose of the processing, certain relevant data may be preserved.

Consent obligations

Is consent required before processing personal data?

Before processing personal data, the data controller must obtain the individual’s explicit, free, specific and informed consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent to personal data processing is not required in five cases. The data controller must prove that it fulfils several requirements. In particular, there is no need for consent if:

  • the data controller processes data in order to respect a legal obligation;
  • the data processing is necessary in order to protect the data subject’s life;
  • the data processing is necessary in order to accomplish a mission of public interest;
  • the data processing is necessary in order to sign or fulfil a contract; or
  • the data processing serves a legitimate interest that does not harm the data subject’s own personal interests or rights.

What information must be provided to individuals when personal data is collected?

Upon data collection, the individual must be given information about:

  • the identity of the data controller and its processor (if they participate in the processing);
  • the purpose of the processing;
  • any obligation of the individual to respond and the consequences of failure to respond;
  • the recipients or categories of recipient of the collected data;
  • the individual’s rights concerning his or her data (regarding access, opposition, correction and deletion); and
  • in case of cross-border transfer, the conditions of the transfer, the country to which the data will be transferred, the level of data protection there, the purpose of the transfer and the recipient of the data.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Both French law and the EU General Data Protection Regulation state that the data controller and the processor must ensure that the processing and the storage of personal data are carried out in a secure and confidential manner. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are considered to be authorised by law, as is any person acting under the direct authority of the data controller or its subcontractors.

As for actual security measures, the Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority) requires data controllers to undertake systematic risk assessments before processing data and to maintain scrutiny over the stability and effectiveness of their security systems.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

If electronic communication service providers (eg, internet service providers) suffer a personal data breach – which includes deliberate security breaches by third parties and accidental loss or corruption of data – they must inform the individuals whose personal data or privacy could be violated without unnecessary delay, unless the CNIL determines that the security measures taken by the target of the data breach are satisfactory, in which case the communication service provider is not required to inform individuals.

Are data owners/processors required to notify the regulator in the event of a breach?

If an electronic communication service provider suffers a personal data breach – regardless of whether it threatens a specific individual’s rights – the CNIL must be informed within 24 hours of discovery of the breach. This notification must include a precise description of the extent and nature of the breach, along with the measures taken or suggested by the data controller in order to remedy the breach and limit subsequent damage. 

Electronic marketing and internet use

Electronic marketing

Are there rules specifically governing unsolicited electronic marketing (spam)?

The Trust in Digital Economy Act 2004 provides that any commercial prospecting by means of telephone, fax or electronic communications is prohibited without the prior agreement of the data subject. Such prospecting must always indicate the address of the prospector and provide the possibility to unsubscribe from these communications. The CNIL controls the application of these rules and can issue fines for unsolicited electronic marketing of up to €3,000 for a natural person and €15,000 for a legal entity.

Cookies

Are there rules governing the use of cookies?

Ordinance 2011-1012 regarding Electronic Communications (August 24 2011) provides that the use of cookies is allowed if the user’s consent is obtained before any data is taken from or stored on the user’s terminal, or if these actions are strictly necessary to fulfil a service that has been specifically demanded by the user.

In practice, this means that websites that use cookies must inform users of:

  • the storage of cookies on their computers;
  • the possibility of managing cookie settings or refusing their use; and
  • the fact that navigating the website implies acceptance of the cookie policy (and details regarding the impact of non-acceptance of cookies on the services provided).

According to the CNIL, cookies can remain active for a maximum period of 13 months.

Data transfer and third parties

Cross-border data transfer

What rules govern the transfer of data outside your jurisdiction?

French legislation (and therefore EU legislation as well) is considered to set the standard for the required level of personal data protection. Thus, cross-border transfers of personal data collected in France are authorised only if the data is transferred to a state that provides a level of protection comparable to that of France and the European Union.

However, there are exceptions to this general rule. The Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority) can officially recognise which states offer satisfactory data protection to data subjects and can negotiate with such states regarding the rules applicable to cross-border transfers (EU member states are by default considered to have a sufficient level of data protection; the CNIL usually follows the European Commission’s recognition of foreign states’ level of data protection). Once an agreement is concluded, it can become a framework for both parties to provide a satisfactory level of protection.

Otherwise, the European Commission issues standard contractual clauses that, once signed between a private personal data issuer and receiver, ensure compliance with data protection rules. Within an international corporation or group based in multiple states with differing privacy rules, binding corporate rules can be implemented to guarantee compliant cross-border data transfers.

Personal data can also be transferred to states that do not provide a sufficient level of data protection if one of the following conditions is met:

  • the data subject has expressly agreed to the transfer (however, the CNIL does not accept this condition as being fulfilled if the consent is given for repeated or structural data transfers);
  • the transfer is necessary in order to:
    • save a human life;
    • serve a public interest;
    • establish the existence of, defend or exercise a legal claim;
    • consult a public registry;
    • sign or fulfil a contract between the data subject and the data controller; or
    • sign or fulfil a contract between the data controller and a third party acting in the data subject’s interest; or
  • the transfer has been specifically authorised by the CNIL or by decree of the Council of State.

Are there restrictions on the geographic transfer of data?

Personal data can be transferred only to states that provide a satisfactory level of data protection or to other countries under the procedures detailed above. 

Third parties

Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

The transfer of data from a data controller to a processor for data processing must be contractually arranged and set the same security and confidentiality obligations for the processor as for the data controller itself. The new General Data Protection Regulation has enhanced the obligations imposed on processors, which are now similar to those for the controller. 

Penalties and compensation

Penalties

What are the potential penalties for non-compliance with data protection provisions?

Administrative penalties for non-compliance with data protection regulations are adjudicated by the Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority). These can take the form of fines of up to €3 million, injunctions, prohibition from carrying out further data processing or public warnings.

Further, the Criminal Code also lists a number of offences for non-compliance with or violation of data protection legislation. Some types of infringement may lead to a five-year prison term and a €300,000 fine for individuals (the fine is five times higher for legal entities). These penalties are issued by the criminal courts and not by an administrative body such as the CNIL.

Compensation

Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Individuals can demand full compensation for losses suffered as a result of data breach or non-compliance with data protection laws by taking legal action before national authorities.

Under the new regulation, controllers’ and processors’ liability may be jointly and severally triggered for material or non-material damage caused by a processing operation should either party fail to demonstrate that it has taken appropriate measures to comply with the regulation or its ratio legis. In such circumstances, each of them could be held liable for the entire damage in order to ensure effective compensation of the data subject. Where one data controller or processor is ordered to fully compensate the data subject, that controller or processor is, however, entitled to claim back from the other controllers or processors involved in the same processing the part of the compensation corresponding to their share of responsibility for the damage.

It is also possible to file a class action suit for non-compliance with data protection provisions.

Cybersecurity

Cybersecurity legislation, regulation and enforcement

Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

France has enacted laws regarding a wide range of cybercrime-related offences since 1988, and these are updated regularly. As such, wilful and unauthorised access to an automated data processing system is considered an offence in France. Further, additional investigatory powers and tools have been provided to the police to deal efficiently with cybercrime activities, and a specialised court has been established. Finally, the cybercrime legislation also sanctions several personal data-related offences, such as unauthorised alteration or modification, or even unauthorised processing, of personal data.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

Many guidelines and best practices regarding cybersecurity have been issued by various organisations – including the Commission Nationale de l'Informatique et des Libertés (CNIL) (the French data protection authority) and the French National Agency on Cybersecurity – and may be used as a reference in litigation relating to data breaches.

Which cyber activities are criminalised in your jurisdiction?

Aside from the violation of automated data processing systems, numerous cyber activities are criminalised, including internet protocol spoofing, identity theft, hacking, child solicitation and any act inciting terrorism.

Which authorities are responsible for enforcing cybersecurity rules?

Cybersecurity rules are enforced by both the CNIL and other national authorities.

Cybersecurity best practice and reporting

Can companies obtain insurance for cybersecurity breaches and is it common to do so?

Many companies obtain insurance for security breaches. This generally involves an inspection and upgrade of the company’s cybersecurity measures, along with a training session for employees. Insurance both protects against potential damages resulting from cyberattacks and breaches and provides strategic support when under direct cyberthreat or cyberattack.

Such insurance is common only for companies that are likely to be subject to cyberattacks or whose business is directly dependent on data security.

Are companies required to keep records of cybercrime threats, attacks and breaches?

Companies are required to keep records of security breaches that involve personal data theft or corruption.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

Electronic communication service providers are required to report data breaches to the authorities only when personal data is involved.

Are companies required to report cybercrime threats, attacks and breaches publicly?

Electronic communication service providers must notify individuals of data breaches only when their privacy or personal data protection is at stake, and need not do so where the CNIL considers such notification unnecessary.

Criminal sanctions and penalties

What are the potential criminal sanctions for cybercrime?

Criminal penalties depend on the offence in question. Sentences can include a prison term of one to 10 years and a fine of €15,000 to €500,000 (the fine is five times higher for legal entities).

Penalties are issued by the domestic criminal jurisdictions.

What penalties may be imposed for failure to comply with cybersecurity regulations?

A data controller’s failure to notify the CNIL of a security breach involving personal data can lead to a five-year prison term and a €300,000 fine.