Stage of legislative progress 
Eg. pre-consultation, in consultation

French Data Protection Act enacted on June 20 2018 ("FDPA").

Secondary legislation expected before end of 2018 to make minor adjustments, rewrite some articles and modify the references to the FDPA in other laws.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

French Data Protection Act modifies Law N°78-17 of January 6, 1978 on information technology, data files and civil liberties ("FDPA"). Decree n°2005-1309 was also amended by a new decree (01/08/2018 – the "Decree").

Territorial scope slightly differs from the GDPR. The FDPA applies to the processing of personal data:

  • when the controller is located on French territory
  • when the controller, without being established on French territory or in another Member State, uses means of processing located on French territory
  • when the data subject is a French resident, even when the controller is not established in France.

Timescale for implementation
Eg. pre-consultation, in consultation


Areas where Member States must have local laws:

Personal data and freedom of expression 

Article 67. When personal data is processed for journalistic, artistic or literary expression purposes, the provisions regarding information notices, data transfers, data subject rights, data retention and the processing of special categories of data do not apply.


Articles 50-52. The FDPA reiterates the penalties provided for in Article 83 of the GDPR. The penalties do not apply to processing done by the State.

Criminal offences:

  • Sanctions listed in articles 226-16 to 226-24 and in articles R. 625-10 to R. 625-13 of the French Criminal Code (e.g. collecting personal data by fraudulent, unfair or unlawful means, processing the national identification number in cases which are not provided for in the FDPA, not notifying a data breach, etc.)
  • Any action obstructing the CNIL's action


Areas where Member States may have local laws:

Professional secrecy 

Article 44. Controllers and processors are not required to disclose information falling under a lawyer-client relationship, the anonymity of journalistic sources or medical confidentiality. Medical confidentiality applies to processing activities necessary for the purposes of carrying out preventive medicine, medical research, medical diagnoses, for the administration of care and treatment or for the management of health services. The disclosure of health data can occur only under the CNIL’s authority and in the presence of a doctor.

Scientific, historical or statistical purposes 

Article 36. Where the processing of personal data is carried out by the public archive services for archival purposes in the public interest, for scientific, historical or statistical purposes, the following do not apply: the right of access, the right to rectification, the right to restrict the processing, the notification obligation regarding rectification or erasure of personal data or restriction of processing, the right to data portability and the right to object. Article 100-1 of the Decree specifies the conditions and guarantees for this derogation.


No special provisions

Personal data of deceased persons 

Article 40-1. The FDPA reiterates the right already provided for by the Digital Republic Act allowing data subjects to establish instructions for the management of their personal data after death.

Children online

15 years.
Article 7-1. If under 15, joint consent from the child and the holder of parental authority is required.

Special rules for special categories of data

Article 54 (III). Prior authorizations still required in certain conditions in case of health data processing.
Article 8. The FDPA adds new circumstances where processing of special categories of data is allowed such as:

  • processing of biometric data strictly necessary to control access to the workplace and devices and applications used by employees, agents, trainees or service providers;
  • processing relating to health data and public research under certain circumstances; and,
  • processing relating to the re-use of public information under certain circumstances.

Article 9 of the FDPA and Article 41 of the Decree: the list of persons authorized to process criminal data is extended.

Genetic, biometric or health data

Chapter IX of the FDPA.
Article 54. Processing of biometric, genetic and health data can only be carried out for public interest purposes.
The CNIL will impose standard regulations for the processing of biometric, genetic and health data, which will set out mandatory technical and organisational measures to implement prior to any processing.

Article 53. Exemptions: A list of processing activities is excluded (e.g. processing of personal data by doctors carried out in health establishments for medical information purposes, processing carried out for the purpose of ensuring the provision of benefits by health insurance providers, processing activities listed in Article 8 (II) (1°-6°), etc.). Biometric data can also be processed by employers to control access to the workplace in limited circumstances (Art. 8 (II) (9°)).

Designation of a Data Protection Officer


National identification numbers/any other identifier of general application

Article 22. The Social Security Number (“SSN”) benefits from specific protection. A decree from the Council of State (the French administrative supreme court) will determine the categories of controllers and the purposes of processing for which this number can be processed. 3 exemptions are listed (e.g. processing for the sole purpose of producing official statistics carried out by the official statistics department, processing for scientific or historical research purposes, etc.).

Article 55. In the event of an emergency and in order to manage a health alert, the SSN may be used by those entrusted with a public service task and named on a list established by the health and social security minister, taken after the opinion of the CNIL. Article 19 of the Decree provides that in that case, the SSN has to be encrypted.



Any other areas under discussion