The French data protection Act n°78-17 of 6 January 1978 on information technology, data files and civil liberties was amended by a law of 20 June 2018 (the “new French data protection Act” or “FDPA”) in order to take into account the GDPR provisions and to transpose Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
Decree n°2005-1309 of 20 October 2005 implementing the FDPA was also amended by a decree of 1 August 2018 (the “Decree”).
The territorial scope of the FDPA differs from the territorial scope of the GDPR.
The FDPA applies to the processing of personal data:
Areas where Member States must have local laws:
When the processing of personal data is carried out for journalistic purposes or for the purpose of academic, artistic or literary expression, the national rules adopted on the basis of the GDPR that apply to the controller are those of the Member State in which it is established, provided it is established in the European Union. In particular, the provisions concerning the information notice, data transfers and data storage do not apply to these processing operations.
The FDPA reiterates the penalties provided for in Article 83 of the GDPR and those provided in the French Criminal Code. The penalties do not apply to processing implemented by the State.
Areas where Member States may have local laws:
The FDPA modifies the applicable conditions on professional secrecy. The CNIL’s agents do not have access to information that falls under a lawyer-client relationship, the anonymity of journalistic sources or medical confidentiality (article 44 of the FDPA). Medical confidentiality applies to processing activities necessary for the purposes of carrying out preventive medicine, medical research, medical diagnoses, for the administration of care and treatment or for the management of health services. The disclosure of health data can occur only under the CNIL’s authority and in the presence of a physician.
Where the processing of personal data is carried out by public archive services for archival purposes in the public interest, for scientific, historical or statistical purposes, the right of access, the right to rectification, the right to restriction of processing, the notification obligation regarding rectification or erasure of personal data or restriction of processing, the right to data portability and the right to object do not apply (article 36 of the FDPA). Article 100-1 of the Decree specifies the conditions and guarantees for this derogation.
The FDPA does not change the right already provided by the law for a digital republic allowing data subjects to establish instructions for the management of their personal data post mortem (article 40-1).
Regarding information society services offered directly to children, the processing of a child’s personal data is lawful if the child is at least 15 years old (article 7-1 of the FDPA). If the child is under 15, joint consent is required from the child and the holder of parental authority.
The FDPA abolishes prior declaration and authorisation regimes.
However, prior authorisation by the CNIL is maintained under certain conditions for health data processing (Chapter IX, article 54, III).
For processing relating to research, studies and evaluations in the field of health which does not comply with a reference methodology approved and published by the CNIL, authorisation is granted by the CNIL after the relevant committees have delivered their opinions (article 64 of the FDPA).
Certain other processing operations need to comply with other procedures such as:
The FDPA adds new circumstances where the processing of special categories of data is allowed such as:
The FDPA extends the list of persons authorised to carry out, for purposes other than the prevention and repression of criminal offences, the processing of personal data relating to criminal convictions, offences and related security measures. Such data may now be processed by new categories of actors (article 9). Article 41 of the Decree completes the list defined in the FDPA; these actors include associations and medical institutions.
The FDPA adds a possibility for the administration to take automated individual decisions, provided the processing does not concern special categories of data, the decision does not rule on an administrative appeal and the processing strictly follows legal or regulatory provisions. For these decisions, the controller must keep the algorithmic processing and its developments under control so as to be able to explain to the data subject, in detail and in an intelligible way, how the processing was carried out with regard to him or her (article 10, 2 of the FDPA).
Assumed identity: For the control of online public communication services, the members of the CNIL and the agents of its authorised services may carry out any online operation necessary for their mission under an assumed identity. The use of an assumed identity does not affect the regularity of their findings (article 44 III).
Article 65-1 of the Decree provides that when members or agents from the CNIL are using an assumed identity to control the online public communication services of a controller or a processor, they shall establish a report of the online transactions carried out, the methods of consultation and use of these services, the answers obtained and their findings.
Communication of a data breach to the data subject: Article 40 III of the FDPA states that a decree of the Council of State, adopted after a reasoned and published opinion of the CNIL, is required to list the categories of processing which are authorised, under certain circumstances, to derogate from the obligation to communicate a data breach to the data subject, where notification of an unauthorised disclosure of or unauthorised access to such data is likely to constitute a risk to national security, national defence or public security. Article 91-2-1 of the Decree lists these categories of processing.
Class action: Article 43 ter III of the FDPA was amended to extend the scope of the claims that may be brought in a class action. In addition to obtaining the cessation of the breach, a class action may be brought before the civil or administrative courts in order to obtain compensation for material and moral damage suffered. However, the person who caused the damage may only be held liable if the event giving rise to the damage occurred after 24 May 2018.
The FDPA opens the right, in certain circumstances, for any person to mandate an association or trade union organisation to act on his or her behalf before the CNIL, or before the courts against the CNIL, the controller or the processor (article 43 quater of the FDPA).
The rules concerning the processing of personal data for the purposes of research, study or evaluation in the field of health are inserted in a new Chapter IX of the FDPA. This processing may only be carried out for public interest purposes. The chapter provides a list of processing purposes which are excluded from these rules, such as processing enabling studies to be carried out by medical monitoring staff and intended for their exclusive use or processing carried out in health establishments by physicians responsible for medical information.
Moreover, a specific consent must be obtained from the participants to a health research study for the processing of their genetic data before the beginning of the study (article 63 of the FDPA).
The FDPA provides that the CNIL will impose methodologies and standard regulations on the processing of health, genetic and biometric data, which will set out mandatory technical and organisational measures.
The processing of genetic or biometric data necessary for the authentication or identity checks of individuals may be implemented on behalf of the State, acting in the exercise of its prerogatives as a public authority (article 27 of the FDPA).
Furthermore, the FDPA (article 8, 9) provides that processing of biometric data strictly necessary to control access to workplaces and to the devices and applications used by employees, agents, trainees or service providers may be carried out by employers and administrations, provided such processing complies with a standard regulation drawn up by the CNIL. The CNIL has launched a public consultation on “biometrics at work”.
The CNIL has published recommendations following the GDPR requirements on the DPO: https://www.cnil.fr/fr/le-delegue-la-protection-des-donnees-dpo. The CNIL has published an online form allowing controllers and processors to notify their DPO to the CNIL: https://www.cnil.fr/fr/designation-dpo
The Social Security Number (“SSN”) benefits from specific protection in France. The FDPA introduces a mechanism whereby a decree of the Council of State, adopted after a published and reasoned opinion of the CNIL, determines the categories of controllers and the purposes for which personal data including the SSN may be processed. Four exceptions to this principle are listed (article 22).
In the event of an emergency, and in order to manage a health alert, the SSN may be used by bodies or services entrusted with a public service mission and named on a list established by order of the ministers responsible for health and social security, adopted after the opinion of the CNIL (article 55 of the FDPA). Article 19 of the Decree provides that in that case the SSN must be encrypted.