On 9 February 2018, the French National Assembly adopted at first reading the new draft data protection law implementing the EU General Data Protection Regulation (“GDPR”) and EU Data Protection Directive on Police and Criminal Justice Cooperation into French law.
After two days of discussion and 180 amendments reviewed, the French National Assembly has adopted the draft law aimed at adapting the French data protection framework in anticipation of the entry into application of the GDPR on next May 25.
A couple of amendments are worth mentioning, in particular with respect (i) to the age of consent for the processing of personal data of children, (ii) the replacement of prior formalities by a control a posteriori, except in certain specific cases where formalities are maintained, (iii) a new right to information in criminal matters and (iv) the new right to claim damages in the context of a data protection class action.
- Indeed, the National Assembly has decided to exercise Member States’ right to derogate from the GDPR and lowered to 15 the age of consent for children using information society services. While some MPs militated to maintain this age at 16 years old, others pushed to lower it to 13, arguing that as soon as children own a smartphone, it is in practice almost impossible to control their use of social networks. The National Assembly settled on 15 years old, which is the age at which children usually enter middle school and are mature enough to control their own Internet usage.
- Data processing is no more subject to prior formalities. However companies must ensure their protection and notify any data protection violation without undue delay. The data subject rights are reinforced and the sanctions increased. However, certain prior formalities (in particular authorizations) are maintained for the processing of certain sensitive data, notably “biometric data necessary for identification purpose or identity control of natural persons“.
- The draft law creates a right to information and the right for the data subject to exercise directly his/her rights of access, rectification and erasure of their data in files implemented in the context of criminal matters. The files concerned are : the national file on genetic imprints, the black list on individuals prohibited from access to stadiums or the criminal records (traitement des antécédents judiciaires). One of the amendment provides for the proportionality of data retention terms in light of the purpose of the file and the nature and severity of the infringement.
- As regards data protection class actions, the draft law builds on the class action mechanism implemented by the “Modernization of the judiciary in the 21st century” of 18 November 2016, which did not allow class action litigants to claim damages, but only seek injunctive relief. While this restriction could conceivably be explained by the fact that it may be difficult to prove individual damages, it should be noted that Article 80 of the GDPR allows Member States to provide that certain bodies, organizations and associations have the right to exercise a data subject’s rights to an effective judicial remedy, including financial compensation . Now if the draft bill is definitively adopted by the Parliament, class action litigants should be entitled to claim compensation for the material and moral losses. There is however no change in respect of who can bring data protection class actions (associations or trade unions), and individuals should still not be able to bring such class actions by themselves through their attorney.
Numerous amendments were rejected (e.g., creation of a moral right on the personal data, prohibition of the installation by default of Google on smartphones and web browsers, etc.). One of them was particularly interesting for businesses, as it was aimed at granting processing authorized by the CNIL prior to 25 May 2018 a “presumption of compliance” for 3 years. However, this amendment was not sustained as the GDPR has already given organizations a 2 year lead-in period to allow them to bring their processes and systems in line with the new requirements before the 2018 deadline.
In terms of next steps, the draft law should now be subject to a solemn vote on 13 February 2018 by the French National Assembly, before being transmitted to the Senate, which will review also it. Eventually, a joint committee will meet to decide the final version of the new data protection law before 25 May 2018. Therefore it is important to keep in mind that, although it gives an idea of where it’s heading, this draft may still be amended and there can still be surprises.