Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?
Data protection laws in France are usually ahead of the international curve. Apart from being bound by the new EU General Data Protection Regulation (GDPR) that was adopted by the European Parliament on 27 April 2016 and that entered into effect on 25 May 2018, France also enacted an updated version of the Data Protection Act 1978 (LOI 2018-493 du 20 juin 2018 relative à la protection des données personnelles, NOR JUSC1732261L). This new version aims to comply with all of the GDPR requirements and identify issues that should be dealt with under national law, such as the digital coming of age.
Are any changes to existing data protection legislation proposed or expected in the near future?
- the broader scope of application of the regulation;
- changes to cookies rules; and
- stronger direct marketing rules.
What legislation governs the collection, storage and use of personal data?
Since the EU General Data Protection Regulation (GDPR) came into force on 25 May 2018, the Data Protection Act 1978 no longer provides the main domestic legal framework governing the collection, storage and use of personal data. However, the Data Protection Act will remain in force and continue to regulate specific and specialised issues not catered for by the GDPR.
Several other technical and criminal acts provide for specific rules concerning data protection (eg, the Trust in Digital Economy Act 2004), which have not been affected by the enforcement of the GDPR.
Scope and jurisdiction
Who falls within the scope of the legislation?
Personal data controllers fall within the scope of the Data Protection Act 1978. A ‘personal data controller’ is defined as any person or company that determines the means and purpose of personal data processing. ‘Data processing’ encompasses every operation or scope of operations regarding personal data (eg, personal data collection, storage, modification, use and deletion).
This legislation applies to a data controller when the processing of personal data forms part of the business activities of at least one of its establishments located in an EU member state or when it processes personal data by technical or human means that are located in an EU member state.
Other individuals or legal entities can also fall within the scope of the legislation in the application of criminal law provisions (eg, when the victim of a criminal offence is a French national).
However, the following have been bound by the GDPR, as of 25 May 2018:
- any data controller or processor processing personal data, in the context of its business activities in the European Union (ie, in France), regardless of whether the processing takes place in the European Union; and
- any data controller or processor not established in the European Union but which processes the personal data of data subjects which are in the European Union and where the processing activities relate to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the European Union; or
- the monitoring of their behaviour as far as it takes place within the European Union.
What kind of data falls within the scope of the legislation?
The GDPR regulates only the processing of personal data. ‘Personal data’ is defined as any information relating to an identified or identifiable natural person. An ‘identifiable person’ is one who can be directly or indirectly identified, particularly by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
Are data owners required to register with the relevant authority before processing data?
EU General Data Protection data controllers or processors are no longer subject to the declaration procedures under the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL). Data controllers and processors must keep a record of all of their data processing and are expected to provide evidence of their compliance with the new regulation in case of an investigation. This register must be exhaustive regarding:
- the legal basis;
- the purpose of the processing;
- the type of data being processed; and
- the duration of data storage.
However, data controllers or processors remain subject to the authorisation regime when required by the Data Protection Act. The authorisation system remains under French law only for two cases specific to the health sector, namely:
- processing for the purpose of public interest; and
- automated processing for the purpose of research or studies in the field of health, as well as the evaluation or analysis of care or prevention practices or activities.
Biometric data processing was supposed to remain under the authorisation regime after the GDPR; however, the updated Data Protection Act states that this type of processing is forbidden unless it falls under the exceptions provided under Article 8(II).
Is information regarding registered data owners publicly available?
The declarations and authorisations registered by the CNIL are publicly available but have not been updated since 25 May 2018 and may not be available in the near future.
Is there a requirement to appoint a data protection officer?
With the enforcement of the GDPR, the appointment of a data protection officer (DPO) is mandatory for:
- all public authorities;
- business entities where the core activities of the controller or processor involve the regular and systematic monitoring of data subjects on a large scale; and
- business entities in France where the entity conducts large-scale processing of sensitive personal data (eg, data revealing ethnic or racial origins, political opinions, religious or philosophical beliefs and sexual orientation).
The DPO is a major asset to understanding and respecting the obligations of the GDPR, which facilitates dialogue with data protection authorities and reduces the risk of litigation. In France, even if an organisation is not formally obliged to appoint a DPO, the CNIL strongly recommends that it appoints an internal person to be responsible for ensuring GDPR compliance.
Which body is responsible for enforcing data protection legislation and what are its powers?
The CNIL is responsible for enforcing the Data Protection Act 1978 and the GDPR. It aims to inform the general public, personal data controllers and processors regarding their mutual rights and obligations. It also acts as an adviser to the government, which implies both publishing reports on personal data practices and issues and directly consulting with officials during the preparation of data protection-related legislation.
The CNIL has extensive punitive powers, which makes it a jurisdictional authority according to the European Convention on Human Rights. The CNIL can issue severe administrative penalties, which are levied only after contradictory examination and are subject to appeal. These repressive powers will be enhanced with the GDPR.
The GDPR also provides that EU member states will be responsible for enforcing criminal provisions relating to personal data. In this regard, the CNIL can notify other data protection authorities of any violations and take legal action itself for such violations. To provide efficient documentation of these violations, the CNIL has enhanced investigatory powers which follow various procedures according to:
- whether the data controller agrees to the investigation;
- the urgency of the situation;
- the gravity of the violation; or
- whether evidence of the violation is likely to be destroyed.
The European Data Protection Board (EDPB) replaces the Article 29 Working Party (WP29) under the GDPR. The EDPB is composed of the head of one supervisory authority of each EU member state and of the European data protection supervisor, or their respective representatives. The EPDB must act independently when performing its tasks or exercising its powers. The EDPB, among other things, examines questions covering the application of the GDPR and issues guidelines, recommendations and best practices in order to encourage its consistent application.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Both EU and domestic laws set cumulative rules regarding personal data collection, storage and processing.
First, the collection and processing must be fair, lawful and conducted in a transparent manner. This obligation is assessed by judges and implies that the data controller must inform data subjects of the processing to which their data is subject.
Processing operations must also serve a specified, explicit and legitimate purpose.
The gathered data must be adequate, relevant and not excessive in relation to the declared purpose of the processing. The processed data must also be exact, complete and up to date.
The duration of data storage must be limited in accordance with the purpose of the processing. In most cases, data collection requires the consent of the data subject.
Data controllers need not submit justification for the processing to the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), before engaging in such operations. Indeed, the new principle of accountability makes controllers responsible for justifying all processing operations to the CNIL if required, with the exception of certain data for which the data controller must obtain prior CNIL authorisation.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Data must be kept only for as long as it is needed for processing. Once the objective of the data collection has been met, the data must be deleted.
However, specific categories of data can and must sometimes be archived, according to relevant legal obligations (eg, a lessor of social housing must keep records of tenants in case of a confidential ministerial investigation) or where the data still holds an interest (eg, if it can be used to meet an obligation or prevent a legal dispute). It can then be stored only for as long as this interest still exists. There is no storage time limit if the data holds a historical, scientific or statistical interest.
The time limit for data storage also varies according to the type of data that is stored (eg, cookies can be actively held only for 13 months). Further, within the European Union internet service providers and web hosts must keep users’ personal information for one year for the purposes of potential police or judicial investigation.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have the right to access their personal data which is held, stored or in any other way processed by a natural or legal person. The data controller must provide direct, free access to the individual’s data on request. However, certain data – such as data processed by a public entity that is of national interest (eg, sensitive national security data regarding a data subject which may be used for the conduct of a secret police investigation) – can be accessed indirectly through the CNIL.
Do individuals have a right to request deletion of their data?
Individuals have the right to oppose and request the deletion of their data based on several grounds, but deletion may not be guaranteed depending on the purpose of the processing. Thus, certain relevant data may be preserved.
There are additional rights given to EU individuals, including the following:
- Right to rectification – an individual’s right to make modifications to their data if it is inaccurate, incomplete, obsolete or unlawfully used, transferred or stored.
- Right to restriction of processing – the right to object to the processing of some data if it is used in an unlawful manner.
- Right to data portability.
- Right to object to automated individual decision making – the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which has legal repercussions or otherwise significantly affects them.
Is consent required before processing personal data?
Before processing personal data, the data controller must obtain the individual’s explicit, free, specific and informed consent.
If consent is not provided, are there other circumstances in which data processing is permitted?
Consent for personal data processing is not required in the following cases if the data controller can prove that it fulfils several requirements:
- the data controller processes data to respect a legal obligation;
- the data processing is necessary to protect the data subject’s life;
- the data processing is in the public interest;
- the data processing is necessary to sign or fulfil a contract; or
- the data processing serves a legitimate interest that does not harm the data subject’s own personal interests or rights.
What information must be provided to individuals when personal data is collected?
Upon data collection, the individual must be given information about:
- the identity of the data controller and its processor (if they participate in the processing);
- the purpose of the processing;
- any obligation of the individual to respond and the consequences of a failure to respond;
- the recipients or categories of recipient of the collected data;
- the individual’s rights concerning their data (regarding access, opposition, correction and deletion);
- in the case of cross-border transfer:
- the conditions of the transfer;
- the country to which it will be transferred;
- the level of data protection;
- the purpose of the transfer; and
- the recipient of the data; and
- in the case of profiling, the extent to which the profiling can lead to automated decision making and how the data subject can object to this.
Data security and breach notification
Are there specific security obligations that must be complied with?
Both French law and the EU General Data Protection Regulation (GDPR) state that data controllers and data processors must ensure that the processing and storage of personal data are carried out in a secure and confidential manner. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are authorised by law, as well as any person under the direct authority of the data controller or its subcontractors.
As for actual security measures, the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), requires data controllers to undertake systematic risk assessments before processing data and maintain scrutiny over the stability and efficiency of their security systems.
Moreover, the EU Directive on the Security of Network and Information Systems (NIS) came into force in France on 25 May 2018. The directive aims to raise levels of the overall security and resilience of network and information systems across the European Union. It provides the legal framework for the following:
- To ensure that EU member states have a national framework in place so that they are equipped to manage cyber security incidents and oversee the application of the directive. This includes a national cyber security strategy, a Computer Security Incident Response Team (CSIRT) and a national NIS competent authority or authorities.
- To set up a cooperation group among EU member states to support and facilitate strategic cooperation and the exchange of information. Member states will also need to participate in a CSIRT network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.
- To ensure that organisations within vital sectors which rely heavily on information networks (eg, utilities, healthcare, transport and digital infrastructure sectors) are identified by each EU member state as operators of essential services (OES). The OES must take appropriate and proportionate security measures to manage risks to their network and information systems, and they must notify the relevant national authority of any serious incidents. Industry participation is therefore crucial in the implementation of the directive.
Are data owners/processors required to notify individuals in the event of a breach?
When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must communicate the personal data breach to the data subject without undue delay. The notification must describe in clear and plain language the nature of the personal data breach and contain (at least) this information and actions taken to repair the breach.
It is not necessary to inform the individuals involved if:
- the data controller has implemented the appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it (eg, encryption);
- the data controller has taken subsequent measures which ensure that there is no longer any high risk to the rights and freedoms of data subjects; or
- it would involve disproportionate effort, in which case there should be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Are data owners/processors required to notify the regulator in the event of a breach?
In the case of a personal data breach, the data controller must without undue delay and no later than 72 hours after having become aware of it, notify the breach to the supervisory authority, unless this personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
The notification must at least:
- describe the nature of the personal data breach, including (where possible) the categories and approximate number of data subjects and records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the personal data breach; and
- describe the measures proposed or taken by the data controller to address the personal data breach, including (where appropriate) measures to mitigate its possible adverse effects.
Electronic marketing and internet use
Are there rules specifically governing unsolicited electronic marketing (spam)?
The Trust in Digital Economy Act 2004 provides that any commercial prospecting by means of telephone, fax or electronic communication is prohibited without the prior agreement of the data subject. Such prospecting must always indicate the address of the prospector and offer the possibility to unsubscribe from the communications. The French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), controls the application of these rules and can issue fines for unsolicited electronic marketing of up to €3,000 for a natural person and €15,000 for a legal entity.
The EU General Data Protection Regulation (GDPR) has implemented rules for cases in which an individual is associated with online identifiers provided by their devices and applications, including internet protocol addresses, cookie identifiers or other identifiers (eg, radio frequency identification tags). These processes may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of and identify natural persons.
Restrictions on decisions based solely on automated processing (which may include profiling) apply if the decision has legal repercussions or otherwise significantly affects the data subject. Using the example of online credit decisions and e-recruiting, Recital 71 clarifies that the objectionable element is the lack of human intervention and that individuals have the right not to be subject to such decisions. This could either be interpreted as a prohibition on such processing or a stipulation that the processing may take place but that individuals may object to it. This ambiguity is present in the GDPR and EU member states differ in their approaches. Such significant automated processing can be used if it:
- is necessary to enter into or perform a contract between a data subject and controller;
- has been authorised by union or member state law; or
- has the individual’s explicit consent.
- the storage of cookies on their computers;
- the possibility of managing cookie settings or refusing their use; and
According to the CNIL, cookies can remain active for a maximum of 13 months.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
EU and French legislation is considered to set the standard for the required level of personal data protection. Therefore, cross-border transfers of personal data collected in the European Union are authorised only if the data is transferred to a state that provides the level of protection comparable to that of France and the European Union.
However, there are exceptions to this general rule. The French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), can officially recognise which states offer satisfactory data protection to a data subject and can negotiate with such states regarding the rules applicable to cross-border transfers (EU member states are by default considered as having a sufficient level of data protection; the CNIL usually follows the European Commission’s recognition of foreign states’ level of data protection). Once an agreement is reached, it can become a framework for both parties to provide a satisfactory protection level.
Otherwise, the European Commission issues standard contractual clauses that, once signed between a private personal data issuer and receiver, ensure compliance with data protection rules. Within an international corporation or group based in multiple states with differing privacy rules, binding corporate rules can be implemented to guarantee compliant cross-border data transfers.
Personal data can also be transferred to states that do not provide a sufficient level of data protection if one of the following conditions is met:
- The data subject has expressly agreed to the transfer (however, the CNIL does not accept this condition as being fulfilled if the consent relates to repeated or structural data transfers).
- The transfer is necessary in order to:
- save a human life;
- serve a public interest;
- create, defend or exercise a legal claim;
- consult a public registry;
- sign or fulfil a contract between the data subject and the data controller; or
- sign or fulfil a contract between the data controller and a third party acting in the data subject’s interest.
- The transfer has been specifically authorised by the CNIL or by decree of the Council of State.
Are there restrictions on the geographic transfer of data?
Personal data can be transferred only to states that provide a satisfactory level of data protection or to other countries under the procedures detailed above.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
Data transfers from a data controller to a data processor must be contractually arranged and set the same security and confidentiality obligations for the processor as for the data controller itself. The new EU General Data Protection Regulation (GDPR) has enhanced the obligations imposed on data processors, which are now similar to those for the data controller.
Penalties and compensation
What are the potential penalties for non-compliance with data protection provisions?
Administrative penalties for non-compliance with data protection regulations are adjudicated by the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL). Penalties can take the form of fines of 2% to 4% of the company’s global annual turnover or €10 million to €20 million – whichever is higher – depending on the offence, injunctions, prohibition from carrying out further data processing or by way of public warnings.
Further, the Criminal Code lists a number of offences for non-compliance with or violation of data protection legislation. Some types of infringement may lead to a five-year prison term and a fine of up to €300,000 for individuals and €1.5 million for legal entities. These penalties are issued by the criminal courts and not by an administrative body, such as the CNIL.
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?
Individuals can ask for full compensation for losses suffered as a result of a data breach or non-compliance with data protection laws, by taking legal action before national authorities.
Under the new regulation, data controller and data processor liability may be jointly triggered for material or non-material damages caused by data processing, especially if it fails to demonstrate that it has taken appropriate measures to comply with the regulation or its ratio legis. In such circumstances, each of them could be held liable for the entire amount of damages in order to ensure that the data subject is sufficiently compensated. A data controller or processor which has been held fully liable for the damages is entitled to claim back from the other controllers or processors any compensation corresponding to their responsibility.
It is also possible to file a class action suit for non-compliance with data protection provisions.
Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?
France has enacted laws regarding a wide range of cybercrime-related offences since 1988 which are regularly updated. As such, wilful and unauthorised access to an automated data processing system is considered an offence. Further, additional investigatory powers and tools have been provided to the police to deal efficiently with cybercrime activities and a specialised court has been established. Finally, the cybercrime legislation sanction also involves several personal data-related offences, such as unauthorised alteration or processing.
What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?
Many guidelines and best practices regarding cybersecurity have been issued by various organisations, including the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), and the National Agency on Cybersecurity – and may be used as a reference in litigation relating to data breaches.
Which cyber activities are criminalised in your jurisdiction?
Aside from the violation of automated data processing systems, numerous cyber activities are criminal offences, including:
- internet protocol spoofing;
- identity theft;
- child soliciting; or
- any act inciting terrorism.
Which authorities are responsible for enforcing cybersecurity rules?
Cybersecurity rules are enforced by both the CNIL and other national authorities.
Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?
Many companies obtain insurance for security breaches. This generally involves an inspection and upgrade of the company’s cybersecurity measures, along with an employee training session. Insurance both protects against potential damages resulting from cyberattacks and breaches and provides strategic support when under direct cyberthreat or cyberattack.
Such insurance is common only for companies that are likely to be subject to cyberattacks or which business is directly dependent on data security.
Are companies required to keep records of cybercrime threats, attacks and breaches?
Companies are required to keep records of security breaches that involve personal data theft or corruption.
Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?
Electronic communication service providers are required to report data breaches to the authorities only when personal data is involved.
Are companies required to report cybercrime threats, attacks and breaches publicly?
The CNIL considers it necessary that electronic communication service providers notify individuals of data breaches only when their privacy or personal data protection is at stake.
Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?
Criminal penalties depend on the offence in question. Sentences can include a prison term of one to 10 years and a fine of €15,000 to €500,000 for individuals and €75,000 to €2.5 million for legal entities.
Penalties are issued by the domestic criminal jurisdictions.
What penalties may be imposed for failure to comply with cybersecurity regulations?
A data controller’s failure to notify the CNIL of a security breach involving personal data can lead to a five-year prison term and a fine of up to €300,000 for individuals and €1.5 million for legal entities.