Just two weeks before the European Union’s General Data Protection Regulation (GDPR) was to come into effect, the French Parliament finally adopted its new Law on the Protection of Personal Data (law no. 2018-493) to adapt existing French law to the GDPR’s new rules and to amend the 1978 Data Protection Act (Law n°78-17). However, the new law was immediately challenged on constitutional grounds and the Constitutional Court did not render its decision until 12 June 2018 – after the GDPR had come into effect – with the result that the Law on the Protection of Personal Data was not promulgated until 20 June 2018.
The Law on the Protection of Personal Data was, however, not enough to complete the transposition of the GDPR in France: it required an implementation decree, which France has now issued (Decree no. 2018-687 of 1 August 2018). The Decree took effect on 4 August 2018.
As is well understood by now, the GDPR applies directly in the Member States and replaces national law on many points. On other points, the so-called "national margins of maneuver", the GDPR provides for some measure of flexibility at the Member State level. Hence legislation like the French Data Protection Act of 1978 remains in force, complemented by the GDPR.
The Decree of 1 August 2018 modifies the provisions of Decree n° 2005-1309 of 20 October 2005 to bring them into conformity with the GDPR and to address these “national margins of maneuver”.
Perhaps most importantly, the 1 August 2018 Decree confers on the French data protection authority, the Commission for Information and Liberties (CNIL), the powers it needs to carry out its expanded mission.
In addition, the Decree revises various administrative rules with respect to the funding of the CNIL, sets out the composition of the Audit Committee of the National Health Data System (an important issue for the protection of personal data), and implements several other measures of the Law of 20 June 2018. For instance, the Decree lays out the list of treatments and categories of processing authorized to derogate from the right to notification of a data breach where the notification is likely to pose a risk to national security, national defense or public safety. The 1 August 2018 Decree also completes the transposition of Directive (EU) 2016/680 of the GDPR on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention and detection of criminal offenses, investigation and prosecution of such offenses or the execution of criminal sanctions, and the free movement of such data. It covers the coordination, in particular in the Code of Criminal Procedure and the Penal Code, for the treatment of police files and criminal records.
At this point, one might say that France has now fully implemented the GDPR and French data protection law has reached a stable plateau. But… in its press release about the 1 August 2018 Decree, the CNIL announced that it expects to see a complete rewriting of the Data Protection Act in the next six months or so, notably to render the Act more reader-friendly. In other words, watch this space…