On 12 December 2018, the French Government issued an ordinance finalizing, at the legislative level, the alignment of the French Data Protection Law (“FDPL”) with the General Data Protection Regulation[3] (“GDPR”) and the Directive 2016/680[4].
Following the adoption of the GDPR, the French Law No. 2018-493 related to personal data protection[5] modified the FDPL to adapt the French data protection legislative framework to the GDPR and provide for French specificities where Member States were given leeway by the GDPR.
However, as pointed out by the French data protection authority (“CNIL”)[6]:
- some of the provisions of the FDPL, though formally unchanged by the Law No. 2018-493, were no longer applicable as they were replaced by the GDPR provisions (e.g. information clause on collection forms, means of processing as a criterion of application of FDPL);
- the FDPL did not mention all the new rights and obligations provided by the GDPR, although applicable, e.g. right to portability or requirement to conduct privacy impact assessment (“PIA”); and
- the FDPL was not applicable in the same manner to overseas French Territories.
Article 32 of the French Law No. 2018-493 dealt with these issues by giving the French Government a 6-month deadline to release an ordinance redrafting, as a whole, the FDPL (“Ordinance”). In this respect, the main goal of the newly published Ordinance was to simplify the FDPL and make it more consistent while correcting errors and omissions.
1- A change of structure of the new FDPL to make it more easily readable and some new provisions
The FDPL, as modified by the French Law No. 2018-493 and the Ordinance, encompasses 128 new articles. The new architecture of the FDPL separates the different legal regimes into five Titles:
- Title 1 sets forth the general provisions which constitute common rules applicable to all processing of personal data, namely provisions regarding: the data protection principles including definitions and material and territorial scope (Chapter 1); the missions and powers of the CNIL (Chapter 2); the National identifier [NIR] (Chapter 3); the remaining prior formalities to be carried out with the CNIL (request for authorization or opinion) (Chapter 4); the data protection specific legal recourses (Chapter 5); and the references to the criminal code applicable in the event of infringement of the Data Protection Law (Chapter 6).
- Title 2 deals with processing carried out under the GDPR and includes general provisions such as: provisions with respect to the material scope of application of the GDPR and principles governing the age of minority, which for France is 15 years old (Chapter 1); provisions regarding the rights of the data subjects (Chapter 2); obligations of data controllers and data processors (including with respect to clinical studies, records of processing, PIA, etc.) (Chapter 3); specific provisions regarding the electronic communications sector (Chapter 4); and provisions regarding deceased people (Chapter 5).
- Title 3 applies to processing carried out under the Directive (EU) 2013/280 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
- Title 4 details the provisions which do not fall under the scope of the GDPR, namely the data processing in the context of State safety and defense.
- Title 5 extends the application of the FDPL to overseas French Territories, providing homogeneous rules over the national territory.
The Ordinance also brings some semantic amendments, i.e. the change of “nominative information” to “personal data” (donnée à caractère personnel in French).
More importantly, the Criminal Code is modified to adapt to the new GDPR obligations, e.g., accountability obligation, data protection by design and by default, obligation to keep a record of processing or to ensure security of personal data (Article 226-17 of the Criminal Code as of 1st June 2019).
The redrafting and new structure of the FDPL are a significant improvement on the French Law No. 2018-493. However, as mentioned by the CNIL, several provisions still need to be clarified[7], and the many cross-references to other Articles make it difficult for French organizations, in particular small and medium-size companies, to apply the FDPL and smoothly carry out the GDPR implementation process.
2- Main provisions of FDPL concerning Member State’s leeway
Among the clarifications resulting from the Ordinance, it is worth mentioning a few key specificities of the new FDPL:
- Territorial scope: The FDPL reiterates that it applies to personal data processing carried out in the context of the activities of an establishment of a data controller or data processor located in the French territory, whether or not the processing takes place in France[8]. French-specific data protection provisions resulting from the leeway provided by the GDPR will apply to the extent the data subject resides in France, including when the data controller is not established in France[9].
- Post mortem right: French law provides for a legal framework pertaining to the processing of personal data of deceased people. Data subjects have the right to be informed of their post-mortem rights, i.e. the right to determine general or specific directives related to the storage, the erasure and the communication of their personal data after their death. Specific directives are registered with the data controller concerned. Clauses limiting such right are deemed null and void[10]. In this respect, a related implementing decree is still expected.
- Age of consent: French law lowers the age of minor’s consent to 15 years[11] to consider it as valid for the processing of personal data in the context of direct offers of information society services.
- Automated individual decision-making, including profiling: FDPL confirms the prohibition of decisions based solely on automated decisions, with two exceptions:
  - as already set forth in Article 22.2(a) and (c), provided, however, that clear information is given regarding the rules defining the processing and that the main characteristics of its implementation are communicated to the data subjects.
  - for individual administrative decisions by Administrative authorities, provided that special categories of data are not processed and that a detailed explanation is provided to the data subjects on the conditions of the data processing.
- Representation of data subjects and class action: The class action was already introduced by French Law No 2016-1547 of 18 November 2016. Article 38 of FDPL sets forth the conditions to be met in order to undertake such action without data subject mandate as provided under Article 80(2) of the GDPR. Article 37 of the FDPL further deals with cases in which an association or organization can be appointed by a data subject to exercise his/her rights on behalf of the data subject as provided by Article 80(1) of the GDPR. The CNIL states in its Deliberation No 2018-349 of November 15th 2018 that this provision of FDPL is more restrictive than the GDPR (notably with respect to the requirement of 5 years of existence for an association to have the right to represent a data subject, which is not a condition set forth by the GDPR) and calls for a change of this Article in order to align it with Article 80(1) of the GDPR.
- Cookies: The Cookies information and right to oppose requirements remain unchanged at this stage. They have merely been removed from the provision regarding the obligation to inform data subjects and placed in Chapter IV concerning the specific rights and obligations applicable to personal data processing in the electronic communications sector[12]. This will most likely change with the adoption of the draft “ePrivacy Regulation”.
- Occupational medicine and the provision of social care: We note that the Ordinance does not explicitly set forth a legal ground for the processing of health data for the purpose of occupational medicine, the assessment of the working capacity of the employee or the provision of social care or treatment[13]. Indeed, although these purposes were provided by the GDPR[14] as possible exceptions to the principle of prohibition of processing of special categories of data (including health data), they still require a Member State legal ground to be applicable. We should thus refer to the legal obligation of the employer to organize services of occupational medicine[15] in the workplace.
3- Last steps
Although the redrafting Ordinance has now been published, it will enter into force with the implementing decree, no later than 1 June 2019.
The French Parliament should adopt a final bill ratifying such Ordinance. The bill should be presented before the Parliament within 6 months from the date of publication of the ordinance, i.e. before 13 May 2019.
In the meantime, the Law No. 2018-493 of 20 June 2018 remains applicable, “AS IS”.