29 July 2002

Nathalie Lambert

The Directive 95/46/EC is not yet implemented under French law, but the implementation process is currently under way. A draft law on the protection of individuals with regard to personal data processing modifying the law No. 78-17 of 6 January 1978 concerning computer systems, files and freedoms, was file on 18 July 2001. This draft law was adopted by the Assemblée Nationale on the first reading of 30 January 2002 and should be submitted to the Senate next autumn.

The main changes resulting from this draft implementation law could be summarised as follows:

National jurisdiction

The new article 5 of the law of 1978 introduces and reiterates the criteria for national jurisdiction resulting from article 4 of the Directive and provides that the processing of personal data should be governed by French law when it is undertaken in the context of activities pertaining to an establishment on French territory of the data controller. The provisions of French law also apply when the data controller, although not located in France, uses processing facilities located on French territory.

New fundamental rights

Whereas the law of 1978 merely specified that unfair or fraudulent collection of data was prohibited, the new article 6 of such law sets up the general principles of lawful processing (fairness of collection and processing, specific determination of the purpose of processing, relationship of the processing to its ends, accuracy and updating of data, period held proportionate to the purpose) that ensue from article 6 of the Directive.

The new system for the creation of computer files

The current law provides for a system of authorisation and declaration depending on the private or public nature of the data controller. The draft implementation law provides that the applicable system will depend on the nature of the data and the purpose of the processing and no longer on the nature of the data controller.

The general rule is a system of declaration; this, in addition, will be simplified for the most current categories of files meeting standards set by the CNIL. Eight categories of files will be subject to the CNIL’s prior approval (system of authorisation) depending on the nature of the data that they contain (for example, sensitive data, genetic data, data on offences and penalties, etc.) or depending on their purpose or scope (for example, interconnection between files of different natures, use for purposes of exclusion from the enjoyment of a right).

Prior information of the data subject

(a) When the personal data are collected directly from the data subject:

The new article 32 of the law of 1978 reinforces the former article 27 by adding the following elements to the required information that must be communicated to the data subject:

  • the identity of the party responsible for the processing and, where appropriate, the identity of the representative;
  • the intended purpose of the processing for which the data is destined.

(b) When the personal data are not collected directly from the data subject:

Whereas the law of 1978 did not provide any obligation to inform the data subjects when the data concerning them were not directly collected from them[1], the new article 32 provides that, in the same vein as article 11 of the Directive, the data controller shall inform the data subject once the data is recorded or if it plans to transfer data to third parties, at the latest at the time of the first transfer of the data.

This new article thus creates a new obligation for the data controller to inform the individuals concerned. The new obligation does not apply however if the procedure to be implemented is clearly impossible or requires the use of disproportionate means with respect to the benefit they would provide.

The right of opposition of the data subject

Article 26 of the law of 1978 already provided that any individual is entitled to oppose the processing of his personal data, provided that he has legitimate reasons to exercising this right. The new article 38 of the law of 1978 reiterates this provisions and extends the scope of such right of the data subject; henceforth, the data subject also has the right to oppose the use of his/her personal data for marketing purposes. Such right of opposition will be discretionary and may be exercised without charge.

Sensitive data

The draft implementation law includes in the list of sensitive data, data relating to an individual's health and substitutes the notion of "individual morals" given in the current law with "sexual orientation". The new article 8 of the law of 1978 introduces also, only insofar as the purpose of the processing so requires for certain categories of data, new exceptions to the prohibition of processing sensitive data (processing necessary to protect the person concerned or that of other third parties, processing relating to data clearly made public by the person concerned, etc.).

Cross-border data flow

The new article 68 of the law of 1978 reiterates articles 25 and 26 of the Directive. In accordance with which, the transfer of personal data to a non-E.U. Member State may only take place if the recipient country provides an adequate level of protection of the privacy and fundamental rights of the private individuals concerned by the processing.

This new article also establishes the criteria from which such a level of protection can be assessed. It also specifies exceptions to the principles of prohibiting the transfer of data toward countries having an inadequate level of protection (protecting the life of the person concerned, safe-guarding the public interest, legal obligations related to the assessment, exercise or defence of a legal right, transfer from a public register, the meeting or fulfilment of an agreement).

This article provides, as allowed by the Directive, the option of additional exemption in consideration of the level of protection corresponding specifically to the processing in question and, in particular, to the protective character of contractual clauses to which it may be subject. The draft implementation law provides that the CNIL may require the data controller to suspend a transfer of data to a third party country if it considers that it must inform the European Commission of a difficulty in the matter.


The former law of 1978 did not contain any provision concerning the relations between a data controller and a data possessor. The new article 35 of this law reiterates the provisions of the Directive and requires that the subcontractor provide specific guarantees and mentions that the sub-contracting relationship must be governed by a written agreement.

Powers of the CNIL

Currently, although the CNIL has the power to investigate, it has no means of enforcing the implementation of its recommendations. In addition, its findings can only, where applicable, result in a warning or a report to the public prosecution service, if the evidence found constitutes a criminal act.

The new articles 11, 44 to 49 of the law of 1978 reinforce the powers of the CNIL. Therefore, the CNIL will be able to gain access to any business premises where files and materials are contained or used, with the authorisation of the court, if the owner of the premises opposes such access. Where appropriate, it may formally notify the party responsible for processing to comply with the provisions of the law and apply penalties, specifically financial penalties.

The CNIL will also be able to make comments concerning the penal sanctions relating to the breach of IT law. In an emergency, the Commission may, if the implementation of the processing was held to be in breach of rights and freedoms guaranteed by law, order provisional measures to interrupt the processing or to prohibit access to specific data or, as regards processes related to government activities, inform the Prime Minister so that he or she is able to take appropriate measures.

Lastly, in the event of serious, immediate breach of rights and freedoms guaranteed by law, the Commission may refer the case to the court having jurisdiction to rule on matters of special urgency, (civil court if it concerns processing undertaken by a private individual or entity, administrative court for processing undertaken by public services) so that he or she can take, if necessary under penalty, security measures necessary to ensure individual rights.

Self regulation and codes of practice

The draft implementation law encourages good practices by data controllers and, to this end, the CNIL intends to assess the codes of practice that may be submitted to it by the professional organisations concerned.


In general, penalties have been lowered; the maximum penalty incurred is limited to three years imprisonment and a fine of 45,000 euros. New article 226-22-1 of the Penal Code sanctions breaches of provisions covering the transfer of data to non-E.U. Member States.

[1] The French Supreme Court had also considered that there was no obligation for the data collector to inform the data subject if the data were not collected directly from the latter.