France is getting ahead of the final adoption of the General Data Protection Regulation (“GDPR”) and is expected to adopt this year several provisions of the GDPR before it comes into force in 2018. Indeed, the French Government has introduced a new Bill for a “Digital Republic” (the “Bill”) , which amongst other things, would amend several key provisions of the French Data Protection Act and the Consumers Code, with a view to implementing specific provisions of the GDPR under national law. In particular, the Bill seeks to enforce the French Data Protection Authority’s (“CNIL”) powers to impose fines against data controllers for violations of the French Data Protection Act.
The Bill was adopted by the French National Assembly on 26th January 2016 in its first reading and has now been passed to the Senate. This Bill is expected to be adopted later this year. Once adopted, these provisions would come into force under French law before the GDPR’s comes into force after a two-year grace period that follows its publication in the Official Journal of the European Union.
Below is a summary of the key provisions of the Digital Republic Bill that would amend the French Data Protection Act and the Consumers Code:
- Right to data portability
The Bill would introduce a general right for consumers to retrieve their data partially or entirely.
All providers of online communication services to the public would be required to provide consumers with a free service allowing them to lawfully withdraw: 1/ all files that they have posted online; and 2/ all data stored on their online personal account by means of an open and easy to use mechanism that is also machine readable.
Furthermore, all providers of emailing services would be required to offer a free service allowing their members to transfer, partially or entirely, all messages they have received or sent and their contacts list, to another emailing services provider.
Failure to do so would be punished by a fine up to EUR 15,000.
- Information of the data subjects
In addition to the obligatory information that data controllers must already provide to the data subjects under the current law, the amended French Data Protection Act would require data controllers to notify their data subjects about the period of retention of their personal data.
- Rights of the data subjects
Where personal data is collected electronically, the data subjects would be able to exercise their rights electronically (i.e., right to access, rectify and delete personal data, right to object to the processing).
- Right to erasure (right to be forgotten)
The right to erasure would be amended as follows:
– Upon request, the data controller would be required to erase without delay all personal data that was collected in the context of an offer of information society services where the data subject was a minor at the time of collection. An “information society service” is defined under article 1(2) of Directive 98/34/EC as “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services“. This broad definition covers any online paid services, which in the context of minors, could mean online gaming websites, educational websites, and other web platforms that are targeting specifically minors.
– In case of non-compliance with this requirement within one month from the request by the data subject, the data subject may file a complaint with the CNIL who would issue a decision within 15 days from receiving the complaint.
The above provisions would not apply in certain circumstances, for example, where the processing is necessary for purposes of freedom of expression and information; to comply with applicable laws; for public health safety reasons; to assess, exercise or defend legal rights; or for purposes of scientific, historical or statistical archiving in the public interest.
In addition, the Bill would add a new condition under the Data Protection Act for authorizing controllers to continue storing personal data once the retention period for processing the data has expired (other than for historical, scientific or statistical reasons) where the data subject has given instructions before his/her death.
The Bill would introduce a new right for data subjects to give instructions regarding the storage, erasure or disclosure of their data after their death. These instructions would either be general (i.e., they concern all personal data and are recorded by a third party who has been certified by the CNIL) or specific (i.e., they concern any identified processing of the individual’s personal data and are recorded by the data controller). The data subject could appoint an executor who would be tasked with executing these instructions. In the absence of a designated executor, the law would define who the executor would be amongst the data subject’s heirs.
- Sanction powers of the CNIL
This is by far the most significant proposal under the Bill. The types of sanctions that the CNIL could pronounce would remain the same under the amended Data Protection Act.
However, the CNIL would be authorized to pronounce fines up to EUR 20,000,000 or 4% of a company’s global turnover (whichever is higher) if a data controller fails to comply with the Data Protection Act. This is a significant enhancement from the maximum EUR 150,000 fine the CNIL may pronounce under the current law.
Some violations of the Data Protection Act would only be fined up to EUR 10,000,000 or 2% of a company’s global turnover (whichever is higher), namely the obligation to: 1/ notify the CNIL about the processing of personal data; 2/ appoint a DPO; 3/ implement appropriate data security measures; 4/ enter into an agreement between a controller and processor setting out the contractual duties of the data processor; and 5/ notify the CNIL in case of a data security breach.
The CNIL has lobbied very heavily in the French National Assembly to make sure these provisions are inserted in the Bill. Clearly, the CNIL intends to start using the new sanction powers that were granted to DPAs under the GDPR before the GDPR actually comes into force, which is expected in 2018. If the Bill is adopted, this means that the CNIL would be the first DPA in Europe to be empowered by law to impose fines up to 4% of a company’s global turnover.
It is worth noting, however, that the CNIL would only be authorized to sanction controllers for violations of the French Data Protection Act, not the GDPR in its entirety. And therefore, any other provisions under the GDPR that have not been implemented under French law via the adoption of the Bill would remain unenforceable until the GDPR comes fully into force in 2018.
- Cooperation of the CNIL with other DPAs
The CNIL would be empowered to investigate and enforce against non-compliant controllers upon request by a national supervisory authority with similar powers in a third country outside the European Union that has an adequate level of protection for personal data. In practise, what this means for example is that if the CNIL receives a formal request from the data protection authority in Canada, New Zealand or Israel (these three countries have all received an adequacy decision by the European Commission), the CNIL may act against a non-compliant controller established on French territory upon instruction by the requesting DPA. This measure is intended to enhance cooperation between the national supervisory authorities in different countries.
- Anonymisation procedures
The CNIL would be authorized to certify or accredit and publish any referential or general methodology for anonymising personal data in compliance with the law.
- Class actions
The amended Data Protection Act would grant various groups and associations the right to file a collective action on the grounds of a violation of the Data Protection Act, namely:
– associations whose purpose is the protection of privacy and personal data;
– consumer rights associations where the processing concerns consumers;
– labour unions where the processing concerns employees;
– any association that was created for the sole purpose of exercising the concerned collective action.
The Bill is expected to be adopted later this year. Stay tuned for more updates on the legislative developments to come in France that may affect data controllers!
By Olivier Proust, of Counsel
This article was first published in the IAPP’s Privacy Tracker.