At a press conference in June, the CNIL made clear its desire for simplification under the new Data Protection Act, with a reduction in notification and procedure obligations. However, the new Act (the “Computing and Liberties Act”) differs considerably from the version envisaged by the CNIL and imposes further administrative obligations on companies and public bodies alike.
With the vote by the Senate to accept the Bill at the second reading, and after a long legislative process to transpose the 95/46 European Data Protection Directive dating from 1995, the reform of the Computing and Liberties Act has eventually reached a conclusion. Companies and public bodies will thus have to comply with new obligations which, despite the preference expressed by the French Data Protection Authority for simplifying the procedures, are anything but light.
Amongst these are: a system of preliminary authorisation for certain data processing, increased powers for the National Computing and Liberties Commission (“CNIL”) and the creation of a network of data protection correspondents inside companies.
The system of notification to the CNIL has been entirely modified. In the previous system, all data processing concerning personal information (customer files, citizen files, human resources files, websites, etc.) had to be declared to the CNIL, but only public sector bodies were subject to its prior authorisation.
From now on, except for data processing carried out for reasons of public security, public and private organisations are treated similarly. As a result, much of the processing carried out by government services or other public bodies now depends on a system of declaration alone, whereas processing of sensitive data comes under a system of authorisation, regardless of whether the data is used by the public sector or by a private company.
However, the Act does leave the CNIL the possibility of simplifying the procedures, by allowing simplified declarations and even some exemptions from declaration. The CNIL anticipated this new flexibility in its decision of May 27, 2004, that companies no longer need to notify details of the company payroll. The decision was influenced by the CNIL’s new president, Alex Türk, who is also a member of the French Senate and was recorder of the Bill on the reform of the Computing and Liberties Act.
This proclaimed intention is strictly limited by the framework of the Act: on the one hand, the simplifications, particularly the exemptions from declaration, can only concern categories of processing unlikely to affect privacy or liberties; on the other hand, the Data Protection Act gives a long list of processing for which an authorisation must now be obtained from the CNIL (article 25), which excludes any simplification for such processing. The following is a list of the main categories of processing which now require prior authorisation:
automated processing that consists of a selection of people and is aimed at excluding some of them from the advantages of a right, a benefit or a contract. This applies to credit “black lists” (of debtors), smugglers, etc.
automated interconnection of files with different purposes (whether such interconnection takes place between two companies or within the same company). This criterion for prior authorisation may lead to various interpretations and therefore to a lot of processing being subject to the CNIL’s prior authorisation.
biometric identity checks, for instance for access controls. The CNIL is opposed to controls using fingerprints and has therefore already made public that it will reject any request to carry out this kind of processing.
transfers of personal data outside the European Union to a country without adequate data protection.
All these types of processing must now be authorised by the CNIL before they can be legally carried out. This authorisation must be expressly granted and a lack of response from the CNIL in the two months following the filing of the application is taken to denote a refusal. Such a refusal can only be challenged before the “Conseil d’Etat”, the French Supreme Court for decisions from public authorities.
If organisations fail to notify the CNIL or request prior authorisation (as required), the consequences can be severe. Companies may be condemned under criminal law with penalties of up to three years’ imprisonment and a €300,000 fine. Moreover, according to case law, any recording or processing which is not duly declared to or authorised by the CNIL cannot be legally used against an employee. Indeed, the French Supreme Court (“Cour de Cassation”) recently considered as unfounded the dismissal of an employee who refused several times to clock in or out, arguing that the badge management system (used for security passes and/or timecards) had not been declared to the CNIL, even though the company’s rules and regulations stipulated an obligation to validate the badges (Cass. Soc., April 6, 2004).
In France, a notification or request for authorisation takes the form of a thorough dossier which must describe all the characteristics of the intended processing, including the purposes, the list of the personal data to be used and the recipients, the security measures and technical means used, the wording of the information notice intended for the data subjects, and the information regarding international data flows to countries outside the European Union without an adequate level of data protection. The CNIL must be notified of any changes. Individuals and companies are liable for failure to comply. In 2003, an HR manager and the company he was working for were sentenced to pay a fine for compiling an Excel table containing employee data; the notification which had been filed with the CNIL did not expressly mention personal data.
The CNIL has been granted new powers to help enforce the act, referred to by the President of the CNIL as the “4 Cs”: Communication, Correspondent, Control and Coercion.
The CNIL can now also issue a wider array of penalties, ranging from a warning and a formal demand to an injunction to cease processing or financial sanctions of up to €150,000 (€300,000 in the case of a second offence). These are in addition to the criminal and civil sanctions that can be pronounced by the courts. As under the previous Act, the CNIL can refer all infractions discovered by its services to the Public Prosecutor. In cases of emergency, it can now also submit the case to the judge via summary proceedings. The CNIL has announced its intention to carry out checks either on relevant documents or on premises and to punish abuses and violations of the Act.
It must be noted that the CNIL’s increased powers, which considerably modify the legal framework, will necessarily require that, during the checks, the rights of the defendant and the principle of an adversarial hearing be respected. This will narrow the gap between the administrative procedure of the checks to come before the CNIL and the procedure followed before a court.
It must also be underlined that, paradoxically, the new Act stipulates that professional secrecy (article 21), and medical secrecy in particular (article 44), may be invoked and that certain classified information can be withheld from the CNIL. Under the previous Act, no secret could be withheld. However, during the parliamentary discussions it was said that the CNIL will still be able to carry out its controls even in the case of professional secrecy, which is likely to complicate the CNIL’s task in this regard.
The CNIL will be assisted in its enforcement of the new Act by a team of data protection officers (“Correspondants à la protection des données” or “CDPs”), provided for under article 22 of the new Data Protection Act. Within companies, they will be in charge of the data processing register and will enforce the obligations provided for by law. The appointment of a CDP is optional, even though the CNIL strongly encourages it. Companies or other bodies that choose to appoint a CDP will be exempt from any declaration to the CNIL but not from prior authorisations required in the processing of sensitive personal data and in the case of data flows outside the European Union. Multi-national companies and companies working with countries outside the European Union may therefore have less interest in appointing a CDP.
A decree will be adopted to define the legal and computing qualifications required of data protection officers. Their role is an independent one, since they are required to represent both the CNIL inside the company and the company before the CNIL. Their appointment must be notified to the CNIL and to the works representatives. However, an amendment seeking to confer on them a specially protected status (guaranteeing their continued employment within the company) was rejected during a debate before the Senate. The creation of such a function, which would go some way to increasing respect for the Data Protection Act inside companies, must therefore be carefully considered, as the CDPs will have to reconcile competence, independence, objectivity and respect for the companies’ interests, while maintaining relationships with works representatives and with the CNIL. The Act does not specify whether the CDP will have to be chosen from within the company or whether it will be possible to appoint external counsel. While the Act makes clear that a CDP who does not fulfil his role correctly will be “dismissed of its functions”, it does not make clear who will be responsible for overseeing the duties of the CDP. Also, since a violation of the Act is punishable either under civil or under criminal law, the question is who will be liable for these sanctions in cases where a breach of the law occurs.
The answer to this question will probably depend on the powers and authority that the company chooses to give to the CDP. This will have to be specified through a delegation of authority where needed. The planned decree will certainly also contain additional provisions on this issue.
The CNIL has announced that it will start visits in all the French regions in order to present itself to heads of companies, local officials, associations and citizens. One of its aims will be to encourage all public and private organisations to appoint a data protection officer.
First published in the July 2004 issue of World Data Protection Report.