The French Constitutional Council has issued its ruling on June 12 regarding the new data protection law implementing the EU General Data Protection Regulation (GDPR). It’s a PASS!

Almost a month after Senators referred the newly adopted data protection law to the Constitutional Council, thus blocking its promulgation on time for the GDPR’s entry into application last May 25, the suspense comes finally to an end.

The decision reveals that Senators had several grievances against the new law.

First, the validity of the overall law was tested against the objective of constitutional value of legislative accessibility and intelligibility, as Senators argued its articulation with the provisions of the GDPR is unclear and likely to “seriously mislead” citizens about their rights and obligations in terms of data protection. However, the constitutional watchdog did not follow the argument, considering that the law was legible and that article 32 of the law actually authorizes the Government to do some redrafting of the law “to make formal corrections and necessary adaptations for simplification and consistency purposes, as well as to ensure the simplicity of the implementation, by the stakeholders, of the provisions bringing the national law into compliance” with GDPR, and to take other measures to ensure the consistency of the overall legislative framework applicable to data protection.

Then Senators specifically challenged the constitutionality of a dozen provisions, which were all eventually found valid, except a portion of article 13 of the law. This provision modifies article 9 of the existing law, providing that personal data relating to criminal convictions and offences or related security measures may be processed only “under the control of official authority” or by certain categories of persons listed in the law. The Constitutional Council notes that the legislator simply reproduced the wording of article 10 of the GDPR, without specifying the categories of persons authorized to process such data under the control of official authority, or the purposes of such processing. This lack of specificity is the reason why the words “under the control of official authority” were declared unconstitutional. As a result, such words will not appear in the law that will be promulgated.

Challenged provisions that were found valid include:

  • Article 1 (modifying article 11 of the existing law) regarding the missions of the French supervisory authority (the CNIL), and in particular its consultative role in the legislative process;
  • Article 4 (modifying articles 17 and 18 of the existing law) regarding the procedures in front of the CNIL’s restricted committee (formation restreinte), which is in charge of pronouncing sanctions against data controllers or their processors in case of violation of the data protection rules;
  • Article 5 (modifying article 44 of the existing law) expending the rights of the CNIL’s agents in relation to investigations (notably by limiting the situations where a person under investigated could use “secrecy” as an excuse not to communicate information to CNIL’s agents or give them access to information; and by allowing CNIL’s agents to use a fake identities to where necessary to conduct online controls);
  • Article 7 (modifying article 45 of the existing law) regarding the measures that the CNIL can take in case of a violation of the GDPR (including warnings, reprimands, orders to carry out specific remediation activities, orders to cease the processing, withdrawal or suspension of a certification, administrative fines, etc.). In particular, the Constitutional Council confirmed that the fact that a person could consecutively receive a warning or a formal order to comply from the CNIL (which can be made public), and then be sanctioned by the restricted committee, does not violate the principle of proportionality of the sanction;
  • Article 13 (modifying article 9 of the existing law) providing that it is possible for individuals and private entities to process personal data relating to criminal convictions and offences to prepare and exercise their rights in the context of legal proceedings;
  • Article 16 (modifying Chapter IX of the existing law) regarding the processing of health data, and in particular the fact that processing by organizations providing top-up health insurance is excluded from the scope of Chapter IX;
  • Article 20 (introducing a new article 7-1 to the existing law) providing that, in relation to the direct offer of online services, processing of personal data of children under 15 is lawful only if the consent is given jointly by the minor and the holder(s) of parental responsibility. In this respect, commentators thought Senators would challenge the age limit of 15 years old, but it turns out they challenged the requirement of a “joint” consent (which is in fact allowed by GDPR, as article 8 of the Regulation provides “such processing shall be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child”;
  • Article 21 (modifying article 10 of the existing law) about automated decision making, and in particular the possibility for the administration to make individual decisions producing legal effects concerning the data subject or similarly significantly affecting him/her, using algorithms;
  • Article 30 (creating a new Chapter XIII) regarding processing governed by the EU Data Protection Directive on Police and Criminal Justice Cooperation; and
  • Article 36 (modifying article 230-8 of the French Criminal Procedure Code) defining the conditions under which mentions regarding criminal background may be erased from a database operated to facilitate the finding of criminal offenses.

Now that the law has passed the constitutional scrutiny, it should be promulgated in the next days. France will then join the limited club of those EU countries that have completed the adaptation of their national law to align with GDPR (members notably include Austria, Germany and Sweden) – although it should be kept in mind that decrees will have to be adopted to implement certain provisions of the law (e.g., to specify the conditions of certain procedures conducted by the CNIL; to restrict the obligation of notification under article 34 of the GDPR for national security, defence and public security purposes with respect to certain processing operations; to define the categories of data controllers who may process the national registration number (NIR) and the purposes for which NIR may be processed; etc.).