On 12 December 2018, the French government adopted a new version of the French Data Protection Act by way of ordinance. As a reminder, the French legislator had authorized the French government to legislate by way of ordinance in order to achieve uniformity between French Data Protection law and the GDPR. The essential changes of the amended Act are summarized below.
Overview of legislative framework
The freshly adopted Ordinance adds a further layer of complexity to the existing French data protection framework. Data subjects as well as practitioners now have to reconcile:
- The Law No. 78-17 of 6 January 1978 on information technology, files and freedoms which is the genesis block of French Data Protection law. As described in our previous blog post, it was subsequently modified by the Law No. 2018-493 of 20 June 2018 in order to align French data protection law with the GDPR, together forming the French Data Protection Act ("the Act").
- The Decree No. 2005-1309 of 20 October 2005 implementing the Law No. 78-17 above. Similarly, it was subsequently modified by the Decree No. 2018-687 of 1 August 2018 with the same objective of aligning French law with the European framework (the "Decree").
- The Ordinance No. 2018-1125 of 12 December 2018 modifying the Law No. 78-17 in its 2018 version ("the Ordinance"). The Ordinance makes certain formal corrections and adaptations that are necessary to better structure the layout of the Act in line with the GDPR.
A ratification bill must now be submitted to Parliament within six months of the publication of the said Ordinance in order for the amended Act to come fully into force. In addition, a future decree may also be adopted (see below).
Formal modifications: a more streamlined amended Act
The changes introduced are mainly formal and most of them correspond to changes in the numbering and layout of the French Data Protection Act. The Ordinance replaces the existing 72 articles of the Act with 128 new ones. In general, the content of the legislative provisions has not been amended but has instead been reorganized for better readability of the Act. The Ordinance also improves the readability of the Act by specifying the different regimes which apply to the different types of processing activities, namely:
- Title I applies to all processing operations;
- Title II applies to processing covered by the GDPR;
- Title III applies to processing covered by Directive 2016/680 for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
- Title IV applies to processing contributing to national defence or State security. The latter is an innovation and lays out a comprehensive new framework by adjusting the general rules to the specific requirements of national security.
Specific chapters were also added that cover particular areas of processing, such as processing in the electronic communications sector or the French exception concerning the data protection rights of deceased persons.
Harmonization with the GDPR
The Act now refers specifically to certain provisions of the GDPR, including the definition and conditions for valid consent and the territorial scope of the GDPR. As a result, previous definitions have been deleted from the Act. Furthermore, the Ordinance removes a few provisions that were not in line with the GDPR (e.g. the exception to the prohibition of processing so-called "sensitive" data if said data are anonymised within a short period of time). Some of the wording under key provisions has also been redrafted for better consistency with the provisions of the GDPR, such as the overarching principles listed in article 5 of the GDPR or the term "agreement" which has been replaced by "consent" when used in relation to cookies on users' terminals.
New criminal sanctions
The Ordinance also adds two new sanctions under the Criminal Code.
Failure to notify data breaches by controllers and processors
Article 226-17-1 of the French Criminal Code relating to the sanction for failure to notify a data breach to the French Data Protection Authority ("CNIL") or to the data subjects concerned has been extended to all data controllers (as opposed to only telecom operators under the previous version). It also provides for the liability of processors for failure to notify controllers of such a data breach. The penalty remains unchanged, i.e. up to five years' imprisonment and a fine of €300,000.
Obstructing the CNIL's actions
Article 226-22-2 of the French Criminal Code adds a new offence of obstructing the CNIL's actions. The sanction is one year's imprisonment and a fine of up to €15,000. The obstruction is constituted either by preventing the CNIL from performing its tasks, by refusing to communicate documents and information that may be relevant to its mission (or by concealing or erasing them), or by communicating information that does not match the content of the information recorded at the time the request was made or that is not directly accessible.
Entry into force
According to the Ordinance and as explained by the CNIL in its press release, the amended Act will come into force once the current Decree No. 2005-1309 implementing the Act has also been amended by a new decree, and in any case no later than 1 June 2019. In the meantime, the provisions of the former Act (as amended by the law of 20 June 2018) continue to apply.
Complexity of the law
As a regulation, the GDPR applies directly in each Member State and takes precedence over national law. Thus, the French legislator does not need to "transpose" the GDPR into French law. While the Ordinance does bring more clarity and consistency to the amended Act by introducing specific references to the GDPR, not all the key provisions of the GDPR are explicitly mentioned or referenced in the amended Act (e.g. the concepts of privacy by design and by default). As a result, a more complex and multi-layered framework for data protection law now exists in France, and companies will have to juggle the different legal texts (the GDPR, the Act, the Decree and the Ordinance) when verifying their compliance with French data protection law.
Special thanks to Sixtine Crouzet and Paola Heudebert for their valuable contributions to this article.