Following on from the article published on the dataprotection.blog on 24 January 2018 – French GDPR Implementation Bill ? for French Data Protection Authority (CNIL) it could not come soon enough!, Charlotte Gerrish provides us with the latest update on the status of the French GDPR Implementation Bill which, after surviving an attack of “unconstitutionality” before the French Constitutional Council, is now on its way into force.
As we stated back in January 2018, the French legislature had been fairly slow in pushing forward with the implementation of the GDPR into French national law. The progress of the Bill had not been without issues. On 16 May 2018, just 9 days before the GDPR was due to come into force, at least 60 French senators referred the Bill to the Constitutional Council claiming that certain provisions were unconstitutional and therefore contrary to French law and public policy (Affaire No. 2018-765 DC).
So, what were the senators unhappy about?
- They considered that the Bill in general was inaccessible and impossible to understand, on the whole, and specifically in respect of a dozen or so articles which would be likely to seriously mislead data subjects about their rights.
- They considered that the principles of impartiality and proportionality of penalties were not respected by the Bill, as the revised provisions implementing the GDPR gave the French Data Protection Authority (the CNIL) various measures in the event of a breach of the GDPR by data controllers or processors (including by issuing warnings).
- They considered that the age of majority to consent to data processing as set out in the Bill was unconstitutional.
- They considered that the fact that the Bill allowed public authorities to utilise profiling and automated decision making was against the constitution.
- They considered that the scope of processing criminal data was vague.
On 12 June 2018, a few weeks after the GDPR became directly applicable in France, the Constitutional Council rendered its decision in the matter.
According to the Press Release in the matter, the Constitutional Council overturned the majority of the senators – objections, considering that:
- The Bill is legible, and that the legislature had followed requirements to adapt the existing French national data protection law in a simple way in order to bring it into line with the GDPR;
- The measures made available to the CNIL are not sanctions involving punishment in accordance with French case law in the matter, and are therefore constitutional;
- The age of consent for data processing as set at 15 years is not incompatible with the provisions of the GDPR, and that individuals under 15 years of age need parental consent for their data processing to be lawful is acceptable; and
- The right of public authorities to carry out profiling by automated decision making (via the use of algorithms in accordance with the rules and criterion set in advance by the data controller) does not have the effect of allowing public authorities to adopt decisions without a legal basis, nor to apply any other rules other than those that apply anyway in accordance with applicable law, and that all relevant safeguards are place (as per the Code governing the Relationship between the Public and the Public Sector), such as by requiring individuals to be informed about the automated decision making and explaining the algorithm in an easy-to-understand manner, for example.
The only point raised by the senators that was upheld by the Constitutional Council was in respect of criminal data processing. Indeed, the Constitutional Counsel considered that the provisions in the Bill relating to the processing of personal data relating to criminal convictions and offences or related security measures were a mere copy of the text contained in the GDPR. Indeed, the phrase “under the control of official authorities” was vague, as the categories of official authorities were not specified. The Constitutional Council therefore agreed that this is uncontitutional, and that the sentence under the control of official authorities will not be contained in the final version of the Bill to be enacted.
What does this mean for the GDPR and data protection law in France?
Now that the Bill has been confirmed as being constitutional, it will now proceed to enactment so that the GDPR will officially be implemented into French national law, however some additional points will need to be finalised by subsequent legislative mechanisms, particularly in the areas of national and public security and defence.
Where is Europe at with national member state implementation of the GDPR?
With this recent progress in the French GDPR bill, France is likely to soon join the club of Member States which have legislated on national GDPR measures (at the time of writing, this club includes Austria, Belgium, Croatia, Denmark, Germany, Ireland, the Netherlands, Slovakia, Sweden and the UK).
Of course, the GDPR applicable in all member states from 25th May 2018 regardless of national measures. It is therefore important that all organisations established in the EU or providing goods or services to residents in the EU comply with their GDPR obligations.
– Charlotte Gerrish, Lawyer, June 2018 – This note is for guidance only and does not constitute definitive legal advice.