On 6 November 2009, the French Senate (the Sénat) drafted a new Bill aimed at guaranteeing the right to privacy in the digital era. This Bill follows a Report, issued on 27 May 2009, in which the Senate stated that current legislation is inadequate in the face of new "digital memory" technology which allows individuals' activities to be monitored (such as mobile geo-location, RFID, Bluetooth, IP addresses, behavioural targeting and social networks). The purpose of the Bill is to amend the French Data Protection Act, strengthen the powers of the French data protection authority (CNIL), protect privacy, and expressly recognise IP addresses as personal data. If adopted, it will fundamentally change the French data protection system.
Definition of IP addresses as personal data
Since the French courts challenged the assumption that IP addresses are personal data, senators want to integrate IP addresses into the legal definition of personal data (Art 2). This would constitute an innovation in French law which, since 1978, has had a general definition that does not include a list of specific types of personal data (as in Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and in the Convention of the Council of Europe of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data). The current definition can encompass technological innovations, but an express list of personal data would compel online entities such as ISPs, e-commerce companies and online advertising sales agencies to comply with the obligations which result from the status of personal data (information, access, rectification, etc).
Prior consent to the set-up of cookies
The current wording of the Bill also requires controllers to obtain the consent of users before storing information on their computer. This measure applies to cookies.
Increase of data controller obligations
The appointment of a data protection officer, created by the Act of 2004 (which enacted Directive 95/46/EC), is currently optional. Over 5,500 organisations have already appointed an officer. Through this Bill, the Sénat wants such an appointment to become mandatory for public or private organisations in which more than 50 people have direct access to personal data, or are in charge of the implementation of personal data processing.
Data controllers would also have to reinforce security measures to preserve the security and confidentiality of personal data. In case of a security breach, the data controller would have to notify the CNIL, which would then decide whether the data subjects should be informed of the breach.
Improving individuals' rights
Designed to improve the level of privacy, the Bill requires that individuals are given better information about their rights. Data controllers should provide information on their data processing activities "in a clear, specific and easily accessible" manner. If the controller has a website, it will have to provide that information on the website "in a clear, accessible and permanent" manner. The data subject would be able to exercise their right of access and object more easily to the processing of their data, including, where the controller has a website, being able to exercise their rights electronically.
According to the Bill, controllers would have to be able to indicate the origin of the data in order to allow a data subject to track the owner of the original file and, possibly, to exercise their rights of access, rectification and objection to the processing. Furthermore, the Bill distinguishes between the data subject's right to object to commercial use of the collected data and the data subject's right to have data deleted after it has been processed.
Increase of the CNIL's powers
The Bill reinforces the powers of the CNIL by increasing the threshold of financial penalties. Currently, the financial penalties imposed are limited to €150,000, or €300,000 in the event of a repeat offence within five years. These amounts would be changed to €300,000 and €600,000 respectively. The CNIL's decisions to sanction data controllers would be published more frequently (even where the breach is unintentional) and the jurisdictional powers of the CNIL would be reinforced. The CNIL would be able to present its written or oral observations to the appropriate civil, penal or administrative court or tribunal. According to the Sénat, the aim is that the CNIL would be placed, in terms of the amount of penalties, at the same level as the Spanish data protection authority.
Currently, the CNIL's hearings are not public. The Bill proposes to make public all CNIL hearings which may lead to sanctions.
The Bill will now be examined by a Senate Committee, then discussed and submitted to a general vote before it is transferred to the Assemblée Nationale.