French GDPR Implementation Bill – for French Data Protection Authority (CNIL) it could not come soon enough!
The development of the digital era has forced us to rethink the framework that is applicable to personal data.
– French Minister of Justice, Nicole Belloubet, 13th December 2017
As you may be aware, the Member States are slowly but surely debating implementing legislation in order to transpose the GDPR into national law, in accordance with their own procedural requirements. France is no exception. As such, on 13th December 2017, Nicole Belloubet, the Minister of Justice presented the bill which sets out how France shall implement the provisions of the GDPR into existing French Data Protection Law to the French Council of Ministers.
There is no doubt that the French government and legislature take data protection seriously, and this is in line with the general thinking of the French population. According to a recent study by the Consumer Science & Analytics Institute from September 2017, 85%of French people are concerned about the protection of their personal data in general, which has increased by 4% since 2014. More than 90% of French people questioned were concerned about personal data on the internet which has increased 5% since 2014. It is therefore unsurprising that the bill refers to these statistics in the preamble.
Background – France’s long love affair with Data Protection and Privacy
Whilst France has an obligation as a Member State to implement the GDPR, as we have seen above, Data Protection, Privacy and Personal Data are genuine preoccupations of the French government and public, and have been for many years.
France considers itself a pioneer in the sphere of data protection and was one of the first Member States to implement specialised data protection legislation (back in 1978 and updated again in 2004) and create a supervisory authority to ensure such laws were respected (CNIL), including the creation of a Personal Data Correspondent (in French, correspondant informatique et libertes or “CIL”) (having a similar role to the DPO under the GDPR).
By developing the activities of the CNIL over the years to include certification and encouraging the promotion of new technologies to protect the right to a private life, the implementation of the GDPR in France is perhaps (arguably) less dramatic than in other Member States – indeed France?s attitude to data protection and the fundamental right to a private life means that France has long permitted companies and other economic actors in France to develop and increase their commercial activities whilst protecting individual freedoms. Indeed, many -French concepts in data protection law are now echoed in the GDPR.
In terms of timing?
Article 24 of the bill envisages that it will enter into force in France on 25th May 2018 in accordance with the deadline set out in the GDPR.
Overview of the Key Articles in the French GDPR Bill
|Article No. (the bill)||Subject Matter||Detail|
|5||Cooperation Procedure between the CNIL and the EU||The article sets out how the CNIL and the other supervisory authorities in the EU will cooperate. It sets out how authorities can cooperate in the event of a control or inspection in France, and how other agents or supervisory authorities may participate in that control or inspection. The article also provides that the CNIL reserves the right to seek advice from the European Committee on Data Protection (EDPS) to ensure that the GDPR is being implemented in a fair and harmonised way across the EU.|
|7||Sensitive Data||This article modifies the current article 9 of the 1978 law by updating it with the GDPR and extending the notion of sensitive data to include genetic and biometric data and data about sexual preferences.|
|8||Rules that differ between Member States||This article states that in the event of any conflicts between the laws of the Member States (for example, where the GDPR has left some scope to national legislatures such as the obligations of data controllers or processors, the powers of supervisory authorities), this article confirms that national law shall apply when the person resides in France, even if the data controller is not situated in France.|
|9||Abolish the old declaration regime, and replace with PIAs||This article explains how the old declaration regime which involved sending standardised forms to the CNIL setting out how data is processed or seeking prior approval has been abolished (save in certain specific cases), and then sets out the requirement to carry out a Privacy Impact Assessment instead, in order to analyse the risk of a data processing activity. The article states that a data processor or controller can still consult with the CNIL if the processing is likely to present a high risk to freedoms and privacy, if the data controller did not implement any measures to reduce risk.|
|10||Data Processors and Data Controllers||This article follows the provisions in the GDPR regarding the obligations data processors need to respect.|
|14||Use of Digital Data by the Public Administration Authorities||This article anticipates a future whereby the French Administration (public authorities) will be 100% digital. This article therefore envisages increasing rights available to the French Administrative Authorities to use methods of automated decision making (for example, based on an algorithm), provided that sufficient guarantees and safeguards are in place in order to provide information to individuals as well as setting out how individuals can appeal how data is processed, and how the processor manages the automated decision makings, the development of the algorithms and any updates or changes.|
|21||Prior Declaration Formalities||This article set out methods of coordination measures due to the removal of most prior declaration formalities.|
|22||Pre-GDPR declarations (handover purposes)||This article sets out that for processing which was subject to formalities prior to the coming into force of the bill (i.e., before 25th May 2018), the CNIL shall provide to the public, in a format which is open and easily reusable, the list of processing activities permitted at that date. The document shall be available for 10 years.|
|23||Criminal Procedure matters||This article states that exceptions may be made regarding criminal data in order to comply with the Law against organised crime, terrorism and terrorist financing.|
Whilst the bill does deal with the key points raised in the GDPR, a communication from the CNIL nonetheless highlighted some criticisms in the draft text, such as:
- A tight calendar in terms of legislative process for the examination of the text, which is unrealistic given that the law and its operative Decrees need to be in force before 25th May 2018.
- The failure to include additional proposals in the bill, such as the inclusion of additional guarantees when using automated decision making processes which result in administrative decisions being made.
- The failure to address the increase in activity that the CNIL will face due to the complexity of the new European Data Protection framework as set out in the GDPR.
- The fact that the bill is very hard to read and not user-friendly as far as the public is concerned – indeed, the bill only contains the minimum information required to modify the existing law and implement the GDPR. The CNIL considers that the entire law needs to re-written in a coherent manner and not just refer to modifications.
Finally, the CNIL has submitted these points to the legislature, and so it is possible that we will see further changes to the bill as the legislative process develops, even if it is highly unlikely that we will see any significant substantive changes.
So what does this mean in a practical sense?
There is nothing particularly surprising or shocking in the bill – even if the general application of the GDPR means that companies processing personal data in France will need to review their existing processes, practices, security measures and policies before the implementation date.
Whilst this legislation is a bill, and so is very much in draft form and subject to change, there are nonetheless a few pointers to be particularly aware of when operating in France and dealing with data protection that you can already start to anticipate, such as:
- In France, the new law replaces the current system of Data Protection Declarations and Prior Authorisations and so companies need to be aware that the data controller responsible for the risks relating to data processing after the event.
- In accordance with the European text, sanctions can go up to 20 million Euros or 4% of a company’s global turnover, so it is really important to have proper systems and policies in place.
- In France, companies will still have to carry out Prior Declarations when dealing with sensitive data (such as biometric data required to identify or check the identity of individuals, genetic data, data using personal ID numbers and data relating to health).
- As per the European Law, the French bill also renforces individual rights by creating a right to information in respect of data processed in criminal matters, as well as a direct right to access, correct and delete data.
- Ensure that Data Processors and Data Controllers fully set out the scope of their relationship – Data Processors need to be aware that they are not exempt from liability for breach under the GDPR or the French bill, and so need to put safeguards and processes in place to reduce liability risk.
- Finally, for minors aged 16 and under, parental or guardian consent will be required before their data can be processed on social media.
- Watch out for changes in the policies French Facebook, Instagram, etc., and think about reworking your practices if you target minors as part of online / social media marketing campaigns.
– Charlotte Gerrish, Paris, January 2018
This note is for guidance and information purposes only and does not constitute definitive legal advice.