The Implementation Process
Directive 95/46/EC (the “Data Protection Directive”) has not yet been implemented under French law, but the process is currently under way. A draft law on the protection of individuals with regard to processing of personal data that modifies the law No. 78-17 of 6 January 1978 concerning computer systems, files and freedoms, was filed on 18 July 2001 and was adopted by the Assemblée Nationale on the first reading on 30 January 2002. This first draft was submitted to the Senate on the 1 April 2003, which amended the draft as adopted by the Assemblée Nationale.
The draft, as amended by the Senate is due to be submitted again next autumn to the Assemblée Nationale for their adoption.
The main changes resulting from this draft implementation law can be summarised as follows:
The new Article 5 of the law of 1978 introduces and reiterates the criteria for national jurisdiction resulting from Article 4 of the Directive and provides that processing of personal data should be governed by French law when it is undertaken in the context of activities pertaining to a data controller’s establishment located on French territory. The provisions of French law also apply when the data controller, although not located in France, uses processing facilities (e.g. computer servers) that are located on French territory.
New fundamental rights
Whereas the law of 1978 merely prohibited unfair or fraudulent collection of data, the new Article 6 establishes the general principles of lawful processing (fairness of collection and processing, specific determination of the purpose of processing, relationship of the processing to its purposes, accuracy and updating of data, time period for which data is held proportionate to the purpose) that result from Article 6 of the Directive.
The new system for the creation of computer files
The current law provides for a system of authorisation and declaration depending on the private or public nature of the data controller. The draft implementation law provides that the applicable system will depend on the nature of the data and the purpose of the processing and no longer on the nature of the data controller.
The general rule is a system of notification. This, in addition, will be simplified for the most current categories of files that meet standards established by the CNIL. Eight categories of files will be subject to the CNIL’s prior approval (system of authorisation) depending on the nature of the data that they contain (for example, sensitive data, genetic data, criminal data, etc.) or depending on their purpose or scope (for example, interconnection between files of different natures and use for purposes of exclusion from the benefit of a right).
The draft law however, excludes from the application of these systems of notification and authorisation:
any processing that is limited to ensuring the long-term conservation of archiving documents,
any processing for which the data controller has designated a correspondent in charge of the protection of personal data, except when transfers of personal data outside the EU are intended.
The Senate also slightly modified what information is required in a notification or application for authorisation.
Prior information of the data subject
a) When the personal data is collected directly from the data subject
The new Article 32 of the law of 1978 reinforces the former Article 27 by adding the following elements to the information required to be communicated to the data subject:
the identity of the party responsible for the processing and where appropriate, the identity of the representative;
the intended purpose of the processing;
any transfers of data out of the EU (added by the Senate)
Furthermore, the Senate has added a new Article 32. Ibis which specifies that the data controller must inform any person that uses electronic communication networks:
of the purpose of any access to information stored in its terminal connection equipment,
of the methods that are available to a data subject to present this.
b) When the personal data is not collected directly from the data subject
Whereas the law of 1978 did not provide any obligations to inform data subjects when the data concerning them was not directly collected from them, the new Article 32 provides that, in the same vein as Article 11 of the Directive, the data controller shall inform the data subject once the data is recorded or if it plans to transfer data to third parties and at the latest, at the time of the first transfer of the data.
This new article thus creates a new obligation for the data controller to inform data subjects. The new obligation does not apply if informing the data subject is clearly impossible or requires the use of disproportionate means with respect to the benefit it would provide.
c) Prior information and anonymisation processes
In addition, the Senate limited the information required to be supplied to a data subject when the personal data is made anonymous by an anonymisation process that has previously been approved by the CNIL. In this case, the required information is limited to the identity of the data controller and where appropriate, the identity of the representative and for the intended purpose of processing for which the data is collected.
The right of opposition of the data subject
Article 26 of the law of 1978 already provided that any individual is entitled to oppose the processing of his personal data, provided that he has a legitimate reason to exercise this right. The new Article 38 of the law of 1978 reiterates this provision and extends the scope of this right from now on. The data subject also has the right to oppose the use of his/her personal data for marketing purposes. Such a right of opposition will be discretionary and must be exercisable without charge.
The right of access of the data subject
Concerning this right, the Senate added a provision allowing the data subject to ask the data controller for information relating to the transfer of personal data outside the EU.
Furthermore, the amended version of the draft law reproduces the exception to the right of access of Article 13 of the European Directive and specifies that this right does not apply when personal data is kept in such a way that excludes a risk of breaching the data subjects and for a time period that does not exceed the period necessary for the sole purpose of creating statistics, scientific or historical research.
In the list of sensitive data, the draft implementation law includes data relating to an individual's health and substitutes the notion of "individual morals" of the current law with "sexual life". The new Article 8 of the law of 1978 also introduces, only for the purpose of processing data, requirements for certain categories of data and new exceptions to the prohibition on processing sensitive data (processing necessary for the protection of human life, processing relating to data clearly made public by the data subject, processing for which the data subject has expressly given his consent, etc.).
The draft law modified by the Senate also permits the CNIL to allow the processing of sensitive data if such data is intended to be made anonymous on short notice by an anonymisation process that has previously been approved by the CNIL.
Cross-border data flow
The new Article 68 of the law of 1978 reiterates Articles 25 and 26 of the Directive, in accordance with which the transfer of personal data to a non-E.U. Member State may only take place if the recipient country provides an adequate level of protection of the privacy and fundamental rights of the private individuals concerned.
This new Article also establishes criteria with which such a level of protection can be assessed. It also specifies exceptions to the principles of prohibiting the transfer of data to countries which do not have an adequate level of protection (protecting the life of the person concerned, safe-guarding the public interest, legal obligations related to the assessment, exercise or defence of a legal right, transfer from a public register, the meeting or fulfilment of an agreement).
This Article provides, as allowed by the Directive, the option of additional exemptions in consideration of the level of protection that corresponds specifically to the processing in question and in particular, to the protective character of contractual clauses to which it may be subject. The draft implementation law provides that the CNIL may require the data controller to suspend transfer of data to a third party country if it considers that it must inform the European Commission of a problem in the matter.
The former law of 1978 did not contain any provisions concerning the relationship between a data controller and a data possessor. The new Article 35 of this law reiterates the provisions of the Directive and requires that the sub-contractor provides specific guarantees and mentions that the sub-contracting relationship must be governed by a written agreement.
Powers and objectives of the CNIL
Currently, although the CNIL has the power to investigate, it has no means of enforcing its recommendations. In addition, its findings can only, where applicable, result in a warning or a report to the public prosecution service, if the evidence found points to the commission of a criminal act.
The new Articles 11, 44 to 49 of the law of 1978 reinforce the powers of the CNIL. For example, the CNIL will with the authorisation of the court be able to gain access to any business premises where files and materials are contained or used,, if the owner of the premises opposes such access. Where appropriate, CNIL may formally notify the party that is responsible for the processing to comply with the legal provisions and impose financial penalties.
The CNIL will also be able to make comments concerning the sanctions relating to the breach of IT law. In an emergency, the Commission may, if the data processing was held to be in breach of rights and freedoms guaranteed by law, order provisional measures to interrupt the processing or to prohibit access to specific data or, as regards processes related to government activities, inform the Prime Minister so that he or she is able to take appropriate action.
In the event of serious, immediate breach of rights and freedoms guaranteed by law, the Commission may refer the case to the court which has jurisdiction to rule on matters of special urgency, (a civil court if it concerns processing undertaken by a private individual or entity or an administrative court for processing undertaken by public services) so that it can take, if necessary under penalty, security measures necessary to ensure individual rights.
Furthermore, the draft law as modified by the Senate gives the CNIL a duty to inform all data controllers of their rights and obligations. The CNIL will also be able to make public statements about IT developments, give support to other administrative entities, define the French position on data protection and represent the French government on an international level.
The most important development generated by the Senate is the CNIL’s power to impose financial sanctions, within the constraints of the law, when profits are made on data processing. These sanctions shall, however, not exceed 5% of the concerned company sales and shall be limited to 300,000 euros.
Lastly, the CNIL shall establish a list of States that are considered by the European Commission to provide adequate protection for any personal data transferred to them.
Selfregulation and codes of practice
The draft implementation law encourages good practice by data controllers and to this end, the CNIL intends to assess codes of practice submitted to it by any professional organisations.
In general, penalties have been lowered; the maximum penalty incurred is limited to three years imprisonment and a fine of 45,000 euros. The new Article 226-22-1 of the Penal Code imposes sanctions for breaches of provision covering the transfer of data to non-E.U. Member States.
The draft law as modified by Senate excludes the possibility for Internet users to refuse the creation of cookie files imposed by certain websites in order to access their services.