French Data Protection Bill
On 13 December 2017, the French Ministry of Justice introduced the French Data Protection Bill (Bill). The Bill amends the current French Data Protection Act 1978, in light of the General Data Protection Regulation (GDPR) and the Law Enforcement Directive.
Most importantly, the Bill repeals the registration formalities for processing activities applicable under current French law. However, it maintains certain formalities for the processing of the most sensitive data (health data for certain types of processing activities; processing involving social security numbers; and processing of biometric and genetic data for the identification or control of identity of persons).
The Bill also makes extensive use of 'opening clauses' to introduce national derogations as allowed under the GDPR, many of which reflect the current position under French law.
For example, the GDPR provides that, where the processing of a child's personal data in relation to the offer of information society services is based on consent, the child's own consent is valid only from the age of 16 (Member States may set a lower age, but not below 13). The Bill currently lowers this age of digital consent to 15, although the point is still subject to debate.
The Bill also provides for an action de groupe (class action) allowing injunctions to be sought to stop breaches of data protection law and compensation to be claimed on behalf of affected individuals, including for non-material damage such as distress.
Regarding French law's territorial scope, the Bill specifies that, where the GDPR allows national law to adapt or extend the provisions of the GDPR, French rules will apply to processing activities concerning data subjects residing in France, even if the data controller is not established in France.
The Bill is still being debated by the French Parliament and further amendments are expected prior to adoption. In addition, Article 20 of the Bill authorises the government to amend the legislation by way of Ordonnance for a period of six months after the Bill becomes law, in order to make any amendments needed to ensure simplicity and consistency. In practice, this means that businesses will need to keep a close watch on the French Data Protection Act even after its adoption.
French data protection authority's tools for GDPR compliance
The French data protection authority (the CNIL) published several tools during 2017, to assist organisations and companies with GDPR compliance, notably:
- A guide to assist data processors with practical implementation of their GDPR obligations.
- An open-source software tool for carrying out Data Protection Impact Assessments (DPIAs), alongside three guides on conducting DPIAs.
- A compliance package on "Connected vehicles and personal data" to help industry stakeholders to comply with the GDPR.
The CNIL is also expected to publish GDPR compliance guidelines for small and medium-sized businesses in the coming months.
Implementation of the NIS Directive in France
The law implementing the Directive on the Security of Network and Information Systems (NISD) into French legislation was enacted on 26 February 2018.
The law provides that operators of essential services (OESs) must apply security measures set by the Prime Minister. These measures must ensure a level of security appropriate to the existing risks and must prevent or reduce the impact of incidents that compromise the security of the network and information systems used to provide the essential services. Moreover, OESs must notify the French Network and Information Security Agency (the ANSSI) of security incidents that have a significant impact on the continuity of those services. Non-compliance with these security and notification requirements is punishable by fines of up to EUR 125,000.
The new law also imposes enhanced security obligations on digital service providers (DSPs). DSPs must ensure that the network and information systems needed to provide their services in the European Union are secured to a level appropriate to the existing risks. DSPs must also notify the ANSSI of security incidents that have a significant impact on service continuity. Non-compliance with these requirements is punishable by fines of up to EUR 100,000.