France

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

The French data protection bill was voted and adopted by the French Parliament on 14 May 2018. But according to French Constitution 60 French Senators appealed to the Constitutional court on 16 may 2018 to rule on the constitutionality of the voted bill. Therefore some changes are expected, depending on the content of the Constitutional court’s decision, which can take a few weeks. Then the bill can be enacted.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

This bill modifies the current act N°78-17 of 6 January 1978 on information technology, data files and civil liberties.

Timescale for implementation 
Eg. pre-consultation, in consultation

We expect the new version of this act N°78-17 of 6 January 1978 on information technology, data files and civil liberties to be enacted in the next few weeks.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Article 40 of the law n° 78-17 of the 6th of January 1978 relating to information technology, files and individual freedom, was not modified. The use of the right of erasure (« right to be forgotten ») can be refused when the processing of data is necessary for the exercise of the freedom of expression and right to be informed.

Penalties

The New French Data Protection Act reiterates the penalties provided for in Article 83 of the GDPR. The penalties do not apply to processing implemented by the State.


 

Areas where Member States may have local laws:

Professional secrecy 

The New Data Protection Act modifies the applicable conditions on professional secrecy. Article 44 states that professional secrecy cannot be opposed to the CNIL’s agents unless for information protected by professional secrecy applicable to a lawyer-client relation, by the secrecy of journalistic sources or by medical secrecy.

Medical secrecy applies to processing activities necessary for the purposes of carrying out preventive medicine, medical research, medical diagnoses, for the administration of care and treatment or for the management of health services. The disclosure of health data can occur only under the CNIL’s authority and with the presence of a physician.

Scientific, historical or statistical purposes 

The New Data Protection Act adds a provision on the data subjects rights in case of processing for archiving purposes. The right of access, the right to rectification, the right to restriction of processing, the right to data portability and the right to object do not apply for this type of processing.

Employment

The new French Data Protection Act does not change any provision of the French Labour Code. We are expecting another bill on this issue.

Personal data of deceased persons 

The New Data Protection Act does not change the right already provided by the Loi Informatique et Libertés allowing data subjects to set down instructions for the management of their personal data post mortem.

Children online

In relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 15 year old. Where the child is below the age of 15 year old, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental authority. However, this provision may change depending on the ruling of the Constitutional court as the Senate wanted to set the age of majority to 16 year old.

Special rules for special categories of data

The new French Data Protection Act adds three new cases where the processing of special categories of data is allowed:

  • For the processing of biometric data necessary to control the access to the workplaces and necessary to the use of devices and applications by employees, agents, or trainees;
  • For the processing of public information concerning rulings and court decisions, on the condition that the re-identification of the individuals is impossible
  • For the processing necessary to public research and after obtaining an authorization from the CNIL
Genetic, biometric or health data

The new French Data Protection Act sets out that the CNIL will impose standard regulations on the processing of biometric, genetic and health data, which will set out mandatory technical and organisational measures. This authority will also authorise processing carried out on behalf of the State of genetic or biometric data necessary to the authentication of individuals or to the identity checks. Moreover, a specific consent must be obtained from the participant to a health research study for the processing of their genetic data before the beginning the study.

The CNIL will publish mandatory standard regulations for the processing of health data for health research studies. The investigator will have to send a declaration of compliance to these regulations to the CNIL before the beginning of the study. However, if the study isnot compliant with such regulations, the investigator will need to obtain a specific authorization from the CNIL before beginning the study. If the CNIL will not respond to the request within two months, the authorisation will be considered as granted.

The information notice for health research study is changed by the New Data Protection Act. The legal guardians of a child or a protected adult must be informed. However, a child over the age of 15 years old can object to the transmission of his health data to his legal guardians

Designation of a Data Protection Officer

The New Loi Informatique et Libertés does not contain any specific provision on the DPO.

National identification numbers/any other identifier of general application

The New Data Protection Act is not modified on this. Article 2 states that personal data means any information relating to a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. This includes the National identification number and any other number that can be connected to a natural person’s identity.
However, the National identification number does benefit from a specific protection in France. The processing of this number is subject to an authorization from the Council of State after taking into account the opinion of the CNIL (French Data Protection authority). The New Data Protection Act provides four exceptions to this principle :

  • For processing implemented for the purpose of establishing public statistics by the public statistical service if they do not contain any the data laid down in Article 8 and Article 9 of the New Data Protection Act.
  • For processing exclusively implemented for scientific or political researches.
  • For processing implemented by the State or a legal person governed by private/public law in charge of a public service for the purpose of making available to the users of the administration one or more teleservice.
  • For processing of health data governed by Chapter IX of the New Data Protection Act. 


 

Other:

Any other areas under discussion

The French Digital Republic act already established the right to data portability to anticipate the implementation of the GDPR. However, the right, as provided by the GDPR, seems to be more limited than the right provided by the French Digital act. Indeed, the French Digital act provides for a right to data portability (right for a data subject to be provided with the totality of his/her personal data in a portable format) in “any circumstances”. The GDPR provides a right to data portability for cases where the processing of data is based on the data subject’s consent or on a contract.

However, the French right to data portability does not include the right for a data subject to ask the controller to transmit his/her personal data to another controller of his/her choice when technically possible.