1. Sources and scope of application
French data protection rules are mainly set out in law No. 78-17 of 6 January 1978, as amended in 2004 to transpose European Directive 95/46/EC of 24 October 1995 (the "Data Protection Law"), and in regulation (décret) No. 2005-1309 of 20 October 2005, and are supervised by the Commission nationale de l'informatique et des libertés (the "CNIL").
The Data Protection Law applies to the "processing" of "personal data", which is data on individuals allowing them to be identified, by a "controller" established in France or by a controller established outside the European Union but using processing means (other than equipment used only for transit purposes) located on French territory.
The main rules of the Data Protection Law will be replaced by the European General Data Protection Regulation 2016/679 of 27 April 2016 (the "GDPR") when the latter enters into force on 25 May 2018. The GDPR has been introduced mainly to ensure a more consistent level of protection for natural persons throughout the European Union and to prevent divergences hampering the free movement of personal data within the internal market, thus providing more legal certainty and transparency for economic operators. The GDPR also aims to provide greater protection to individuals especially with regard to online activity of websites located abroad. The new rules will be overall similar albeit more stringent in certain ways. They will also have a wider territorial scope of application, applying not only to controllers established in the European Union but also to processors established in the European Union and, in case goods or services are offered to data subjects in the European Union or when their behavior is being monitored, controllers and processors not established in the European Union.
2. Summary of the main rules
When it applies, the Data Protection Law requires that:
- any processing follow certain basic "principles" set out in article 6 of the Data Protection Law, namely that personal data be: (a) processed lawfully and fairly; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (c) adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed; (d) accurate and kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; and (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- any processing be "lawful" under article 7 of the Data Protection Law, which is the case, amongst others, where (a) the data subject has given consent to the processing of their personal data, (b) the processing is necessary to comply with a legal obligation to which the controller is subject, (c) the processing is necessary to perform a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract or (d) the processing is necessary for the purposes of the legitimate interests pursued by a controller or a recipient, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject;
- personal data revealing race or ethnic origin, political opinions, religion or beliefs, trade-union membership, health or sex life not be collected or processed and data on criminal convictions or related security measures not be processed, with some exceptions;
- the controller file with the CNIL a declaration or, in certain cases, an authorisation request. The CNIL has adopted simplified norms for most of the usual processings performed by businesses such as for managing badges ("Norm No. 42"), employees ("Norm No. 46"), calls ("Norm No. 47"), clients and prospects ("Norm No. 48"); these can be declared using a simplified declaration. The CNIL has also exempted certain processings, such as in respect of supplier data and, only when collected outside the European Union by controllers established outside the European Union who fall within the scope of application of the Data Protection Law only because they use the services of a processor located on French territory, certain employee and client data. A normal (not simplified) declaration is required for most other processings, such as for video monitoring, for providing wi-fi access to non-employees, and for implementing a program to promote equality amongst staff of different ethnic origins or sexual orientations. A normal declaration must contain information about the objective of the processing (one per declaration), the recipients, the maximum storage period and other information as set out in Article 30 of the Data Protection Law. No declaration is required if a personal data protection correspondent is appointed, this appointment is notified to the CNIL and the processing does not entail any transfer of personal data outside the EU. An authorisation is required in certain cases, such as for implementing a whistleblowing programme (which is now required for businesses with at least 50 employees);
- the controller provide data subjects with certain information as per article 32 of the Data Protection Law (such as information on his or her rights as well as on whether the controller intends to transfer personal data to a country outside the EU, whereupon article 91 of regulation (décret) No. 2005-1309 requires additional information to be provided: the names of the relevant countries, the information to be provided, the purpose of the transfer, the categories of transferees in such country, and the level of protection afforded in said country, for instance whether the country is on the European Commission's approved list), and as per the relevant simplified norm as appropriate, if either (a) the data is collected by the controller or (b) the data is collected by someone else, provided that giving this information to data subjects is not impossible and would not involve disproportionate efforts, and this information has not already been provided;
- the controller take appropriate measures to preserve the security and confidentiality of the data, based on the type of personal data to be protected. The CNIL has issued specific recommendations in this regard;
- the controller ensure that any processor (meaning any person asked by the controller to process personal data on its behalf) provides sufficient guarantees to preserve the security and confidentiality of the data, and enter into a contract with adequate clauses as per article 35 of the Data Protection Law. The GDPR will also saddle processors with obligations of their own;
- data not be stored for longer than is necessary for the purposes for which the personal data are processed (except rare exceptions);
- data subjects can request from the controller access to and rectification of personal data concerning the data subject as well as (in the absence of a contrary provision in the relevant contract) object to the processing of such personal data for legitimate purposes. Special provisions apply to children. Furthermore, Norm No. 48 provides that customers may object to (and must be informed that they can object to) the use of their personal data for prospection and the transfer thereof to commercial partners for prospection purposes;
- no personal data be transferred to a country outside the EU that is not offering an adequate level of protection except where the processing itself offers that level of protection, for instance by the use of the EU standard clauses or binding corporate rules or reliance on the new U.S. "Privacy Shield" accreditation (replacing the U.S. Safe Harbor accreditation).
3. Special rules on cookies
Rules pertaining to cookies were introduced in article 32 II. of the Data Protection Law for the purposes of transposing European directive 2009/136/EC of 25 November 2009.
To be compliant with French law, for all cookies other than strictly necessary cookies (including functionality cookies and performance cookies, assuming the latter would not meet a 6-prong test to be exempt from the consent requirement), a positive consent is required.
According to the CNIL, a proper way to obtain that consent is to use a banner that reads "By continuing to browse this site, you accept the use of [Cookies or other trackers] for offering you [For instance, targeted advertising tailored to your interests] and [For instance, computing visit statistics]. To find out more and to configure the trackers." (with this last sentence containing a hyperlink to the policy and possibly tick boxes to deactivate cookies according to their purpose category). The banner should remain on the page until the user clicks on a button in the page (it must not fade out if the user does not click on a button).
In France, the CNIL considers that the consent should be valid for 13 months as from the installation of the cookie (CNIL, délib. n° 2013-378, 5 déc. 2013) so cookies should expire after 13 months.
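The two mechanical requirements above (consent recorded only on an explicit click, never on a timer, and a consent lifetime capped at 13 months) are easy to get wrong in a banner script. The following is an added example, not code from the original article or from the CNIL: a small consent helper that stores the user's per-category choices in a cookie whose Max-Age is computed as 13 calendar months from the moment of the click, and that gates non-essential trackers on that stored choice. The cookie name `cnil_consent`, the category names `advertising` and `statistics`, and the banner markup are assumptions made for the example.

```javascript
// Added example (not from the original article): consent cookie with a
// 13-month lifetime, set only on an explicit click, queried before any
// non-essential tracker is loaded. Names below are assumed for illustration.

const CONSENT_COOKIE = 'cnil_consent';            // assumed cookie name
const CONSENT_MONTHS = 13;                        // validity period from the CNIL deliberation cited above
const CATEGORIES = ['advertising', 'statistics']; // assumed tracker categories

// Seconds between `now` and the same calendar day CONSENT_MONTHS later.
// Used as the cookie's Max-Age so the consent record expires with the consent.
function consentMaxAgeSeconds(now = new Date()) {
  const expiry = new Date(now.getTime());
  expiry.setUTCMonth(expiry.getUTCMonth() + CONSENT_MONTHS);
  return Math.floor((expiry.getTime() - now.getTime()) / 1000);
}

// Serialise the user's choices into a Set-Cookie style string. Only the known
// categories are written and only a strict `true` counts as acceptance, so an
// absent or malformed choice is always recorded as a refusal.
function buildConsentCookie(choices, now = new Date()) {
  const value = CATEGORIES
    .map(cat => `${cat}=${choices[cat] === true ? 1 : 0}`)
    .join('&');
  return `${CONSENT_COOKIE}=${encodeURIComponent(value)}` +
         `; Max-Age=${consentMaxAgeSeconds(now)}; Path=/; SameSite=Lax; Secure`;
}

// Parse a cookie header string (e.g. document.cookie) back into a choices
// object. Returns null when no consent cookie is present, which is the signal
// that the banner must be shown: no cookie means no consent, not implied consent.
function parseConsent(cookieHeader) {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    const choices = {};
    for (const pair of decodeURIComponent(rest.join('=')).split('&')) {
      const [cat, flag] = pair.split('=');
      if (CATEGORIES.includes(cat)) choices[cat] = flag === '1';
    }
    return choices;
  }
  return null;
}

// Gate for any non-essential tracker: load it only if the user affirmatively
// accepted its category. Unknown categories and missing cookies are refusals.
function mayLoadTracker(category, cookieHeader) {
  const choices = parseConsent(cookieHeader);
  return choices !== null && choices[category] === true;
}

// Browser wiring (skipped when run outside a browser). The banner is removed
// only from a click handler; there is deliberately no timeout that hides it.
if (typeof document !== 'undefined' && parseConsent(document.cookie) === null) {
  const banner = document.createElement('div');
  banner.id = 'cookie-banner';
  banner.innerHTML =
    '<p>This site uses trackers for targeted advertising and visit statistics. ' +
    '<a href="/cookie-policy">Find out more and configure the trackers.</a></p>' +
    CATEGORIES.map(cat =>
      `<label><input type="checkbox" name="${cat}" checked> ${cat}</label>`).join(' ') +
    ' <button id="cookie-accept">Save my choices</button>';
  document.body.appendChild(banner);
  document.getElementById('cookie-accept').addEventListener('click', () => {
    const choices = {};
    for (const cat of CATEGORIES) {
      choices[cat] = banner.querySelector(`input[name="${cat}"]`).checked;
    }
    document.cookie = buildConsentCookie(choices); // written only on this click
    banner.remove();
  });
}
```

`Max-Age` is recomputed at the moment of the click rather than hard-coded, so a banner deployed in a month with 28 or 31 days still expires on the matching calendar day 13 months later; the `Secure` and `SameSite=Lax` attributes keep the consent record itself from being sent over plain HTTP or attached to cross-site requests.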
4. Special rules on direct marketing
Direct marketing "using the details of individuals" through automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail is regulated by article L.34-5 of the Code des postes et des communications, transposing European directive 2002/58/EC (Privacy and Electronic Communication) of 12 July 2002.
These provisions apply to controllers who fall within the territorial scope of application of the Data Protection Law. However, controllers established outside France that fall outside the territorial scope of application of the Data Protection Law are advised to comply with these French rules on direct marketing when targeting the French market; a foreign company would not be able to go to French advertisers with its list of potential clients without justifying to them that the opt-in requirement has been satisfied.
Article L.34-5 provides that direct marketing "using the details of individuals" through automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail is prohibited unless either:
- the individual has given his or her express ("opt in") consent,
- the individual has already purchased from this very company goods or services "analogous" to those being advertised (and at the time personal data was collected about this individual, this was done in compliance with applicable data protection rules and the individual was given the opportunity to opt out from future advertising using his or her personal details); or
- the unsolicited communication is in respect of a non-profit cause.
Although this is not exactly how Article L.34-5 is written, the CNIL, under pressure from lobby groups, has issued guidelines providing that the above rules (requiring "opt-in") do not apply to emails to individuals acting not as consumers but as professionals, including employees of legal entities, where the solicitation is in relation to the profession of that individual. The CNIL's guidelines give the example of the IT director of a company, to whom IT services could be offered. In that case, there is no need for the individual to have "opted in" or to have purchased analogous goods or services in the past, but the individual is nevertheless entitled to be informed, when his or her email address is collected, that it may be used for solicitation and that he or she has the right to opt out. Solicitation to company email addresses that do not contain the name of an individual (e.g., those starting with "contact@...") is not covered.
In all cases, any message must identify its author and allow the recipient to subsequently opt out.
The maximum period one can keep personal data on individuals who are not clients or employees should also be respected (this time period is typically 3 years for entities that filed a Norm No. 48 simplified declaration to the CNIL).
5. Monitoring and sanctions
The CNIL can carry out an investigation and issue a notice enjoining the violating person to remedy the situation within a certain period, which can be 24 hours in case of extreme emergency. If this notice remains unanswered:
- the violating person can be fined up to €3,000,000; and/or
- an injunction to stop the violating processing may be ordered against the violating person (and withdrawal of the authorisation in case of a processing subject to authorisation).
Blocking access to CNIL agents carrying out an investigation, refusing to communicate information to CNIL agents and communicating false information to CNIL agents are offences punishable by one year's imprisonment and a fine of €15,000.
Notwithstanding the sanctioning powers of the CNIL, most breaches of the Data Protection Law are offences that can be tried in court with a maximum jail sentence of 5 years and a maximum fine of €300,000 (or five times this amount for a legal entity). Failure to communicate to data subjects the information required by article 32 of the Data Protection Law is however only a 5th category minor offence (contravention) for which there is no jail sentence, and the maximum fine is €1,500, or €3,500 in case of a repeated offence (or five times this amount for a legal entity). In practice, the CNIL is unlikely to ask the public prosecutor to commence criminal proceedings without first having tried to address the non-compliance, assuming it is not an outrageous violation.
Breach of article L.34-5 of the Code des postes et des communications is sanctioned by a fine of EUR 750 for an individual, or EUR 3,750 for a company, per communication. It can also lead to a maximum €15,000 administrative fine imposed by the authority in charge of protection of competition and consumers, unless article L.36-11 of the same code applies and the authority in charge of electronic communications takes jurisdiction.
In summary, French data protection rules do not merely require one to make a declaration to the CNIL but set out other rules, like storage limitations and information obligations, and extend to consent to cookies and to direct marketing.
In addition to the GDPR's expanded territorial application, some of the key changes that it will bring when it enters into force are requirements for controllers and processors to establish written procedures and for additional information to be communicated to data subjects. It also replaces the current declaration/authorisation obligation with obligations to conduct a data protection impact assessment where the contemplated processing "is likely to result in a high risk to the rights and freedoms of natural persons" and to consult the CNIL if such assessment indicates that the processing would "result in a high risk in the absence of measures taken by the controller to mitigate the risk".
A European Union "Regulation on Privacy and Electronic Communications" is also currently being prepared. The leaked draft suggests it would become effective at the same time as the GDPR and would modify the above rules on cookies and on direct marketing.