On 21 June 2018, a new law ("Loi n°2018-493 on the protection of personal data") was enacted which amends the existing French Data Protection Act (the "Act") in order to comply with the provisions set out in the GDPR and the Directive (EU) 2016/680. In particular, the new law uses the possibilities provided for in the GDPR to implement specific national provisions, such as a different age limit that applies to minors. The essential provisions of the amended Data Protection Act are summarized in this article.
- Reinforced role of the French Data Protection Authority
Controls: The French Data Protection Authority's (CNIL) supervisory powers are broadened and further detailed in the new version of the Act. CNIL agents can still access a controller's premises and may still request all documents and any useful information or justifications that are necessary for their investigation. Secrecy may not be opposed to them except with regard to information covered by attorney-client privilege, the secrecy of journalistic sources, or information that is protected by medical secrecy. One of the most significant changes, however, concerns online investigations and the possibility for CNIL agents to use fake identities under certain conditions when conducting online inspections.
Sanctions: Sanctions have also been adapted to the provisions of the GDPR. New sanctions, such as imposing fines or withdrawing a certification or authorisation are provided in the event of a breach of data protection rules. In addition, the amount of potential administrative fines has significantly increased. The CNIL will now be able to impose fines up to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year.
Cooperation between the CNIL and other data protection authorities: The cooperation between the CNIL and other data protection authorities is formally mentioned in the Act in order to comply with the provisions of the GDPR. For example, the Act now allows for joint inspections to take place on the French territory, involving both CNIL agents and the agents from other data protection authorities working together.
Other missions: The CNIL may establish and implement soft law standards, such as guidelines, recommendations, codes of conduct and reference documents. Those are intended to facilitate the compliance of processing of personal data with applicable data protection laws and to carry out prior risk assessments by controllers and processors. Additionally, the CNIL may decide, taking into account the specific needs of local or regional authorities and companies, to certify persons, products, data systems or procedures which comply with the GDPR and with the French Data Protection Act.
- Temporary suspension of international data transfers at the request of the CNIL
Regarding international data transfers, the CNIL can lodge a request with the French highest administrative Court (Conseil d'État) to temporarily suspend a transfer outside the European Economic Area. The Conseil d'État must then refer to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the adequacy decision or any other act taken by the European Commission authorising or approving appropriate safeguards in the context of data transfers. This is the implementation of the decision of the CJUE of 6 October 2015, commonly referred to as the "Schrems ruling", which stated that national supervisory authorities must be able to examine, with complete independence, whether the transfer complies with applicable data protection law, even when the European Commission has adopted an adequacy decision.
- Special categories of data
Sensitive data: To comply with the GDPR, the scope of sensitive data has been broadened and now includes genetic data, biometric data and data relating to the sexual orientation of a data subject. The GDPR creates exceptions to the general prohibition to process sensitive personal data and gives flexibility to the Member States to implement additional exceptions. The French Data Protection Act uses such exceptions, for example, by authorizing the processing of biometric data when it is strictly necessary to control access to the workplace, to computers and to applications used at work.
The CNIL can also prescribe additional measures, including technical and organisational measures with regard to the processing of genetic data, biometric data or data concerning health in accordance with Article 9(4) GDPR.
Data relating to criminal convictions, offences or related security measures: The CNIL can also implement additional safeguards in relation to the processing of personal data relating to criminal convictions and offences in accordance with Article 10 of the GDPR. Natural or moral persons whose processing activities are related to the re-use of public information contained in certain court decisions - such as database referencing - can process personal data relating to criminal convictions, offences and related security measures only if the processing operations prevent data subjects from being re-identified.
- Minors consent
Article 8 GDPR allows national legislation to lower the age limit (16 years under the GDPR) for the processing of personal data on minors in the context of information society services (provided that this age limit does not fall below 13). In France, the age for "digital majority" has now been set at 15, which means that from the age of 15, a minor can consent to his/her data processing. Therefore, data controllers have to make sure they use a clear and accessible language in order to obtain the "informed consent" of minors. However, for children below 15, personal data processing is lawful only if consent is obtained "jointly" by the minor concerned and the holder of the parental responsibility. By requiring the consent both of the minor and the legal guardian, this creates an additional condition for the validity of consent in the specific context of processing minors' data. Data controllers will therefore have to adapt their online services targeting minors to these new rules.
- Rights of the data subjects
One of the most significant changes regarding data subjects' rights concerns minors. Indeed, minors above 15 years can exercise their data protection rights without notifying their parents or legal guardian in relation to the processing of their health data for certain types of medical research, studies or evaluations.
It is also worth noting that, prior to the GDPR, the French Data Protection Act had already been amended by the Digital Republic Act, in 2016. This law introduced specific new rights for individuals, including the right for data subjects to give instructions concerning the use and disclosure of their personal data after their death (i.e. what we refer to as the "post-mortem right to privacy") and the extended right to be forgotten when personal data was collected at the time when the data subject making the request was a minor.
The amended Data Protection Act also expands the right for public administration to use automated individual decision-making based solely on algorithms under certain circumstances involving individual administrative decisions.
- Class actions expanded to compensation
Class actions are today extended to include compensation for material and moral damage suffered in the event of a data breach. However, the controller or processor may be held liable only if the event gives rise to damage that occurred after 24 May 2018. Data subjects can be represented by associations whose statutory purpose is the protection of privacy and personal data, consumer associations, certain trade unions of employees, civil servants or trade unions representing magistrates of the judiciary.
- Data Protection Impact Assessment (DPIA)
The amended Data Protection Act itself does not contain any specific or additional provisions regarding DPIA. However, the CNIL has announced that it is preparing a list of data processing operations that will either be subject to mandatory impact assessments, or on the contrary, will be exempt from DPIA requirements.
- Simplification of prior formalities
Following the entry into force of the GDPR, the obligation to register your data processing operations with the CNIL is no longer required. Instead, data controllers should make sure they comply with the provisions of the GDPR, including the obligation to maintain a record of their processing activities, to implement data protection by design and to carry out a data privacy impact assessment if their processing is likely to result in a "high risk" for the rights and freedoms of natural persons. However, in some specific areas such as national security and data relating to health, prior notifications and authorisations have been maintained. This is particularly relevant for organizations that are involved in the processing of health data, for example, medical research, clinical trials and other types of processing that may be carried out in the public interest.
- Is this the end of the story?
The amended Data Protection Act also contains a provision enabling the French Government to further amend this Act within 6 months by way of ordinance (i.e. a simplified procedure that allows legislation to get passed by by-passing the normal legislative process). So stay tuned as we continue to update you on the legal developments taking place in France.