ANALYSIS: After six months of debates, heated exchanges between both chambers of parliament and a referral to the country's constitutional council, data protection laws in France have finally been updated.
With the adoption of Law n° 2018-493 of 20 June 2018, France has modernised data protection laws that have been in place in the country since 1978.
France also joins 11 other EU member states, including the UK, Germany and Ireland, in adopting national legislation necessary to implement and supplement the EU's General Data Protection Regulation (GDPR) and Law Enforcement Directive, which sets rules on the processing of personal data by law enforcement agencies and intelligence services.
According to the European Commission, a further seven EU countries are expected to adopt such laws before the end of June, with nine countries, including Spain, expected to be later with their legislative updates.
The main aspects of the new data protection laws in France
The scope of the new data protection rules is set out in the new legislation. It confirms that the new rules adopted on the basis of the GDPR apply whenever the data subject resides in France, including when the data controller is not established in the country.
Several aspects of the new laws take provisions of the GDPR into account. This includes by reconstituting the role of France's data protection authority, the Commission Nationale de l’information et des Liberties (CNIL).
The CNIL now has a statutory duty to implement the principle of accountability contained throughout the GDPR, including through issuing opinions and recommendations, and approving codes of conduct and certification mechanisms, and is further required to provide local authorities, their groupings, and small and medium-sized enterprises with appropriate information on data protection to help them comply with the new rules.
The new rules also make provision for the CNIL to work with other national data protection authorities across the EU via the 'cooperation mechanism' provided for under the GDPR, and, also in line with the GDPR's stiff sanctions regime, gives the CNIL the power to take enforcement action and issue financial penalties – in certain cases up to 4% of a business' annual global turnover, or €20 million, whichever is highest.
Changes have also been made to rules relating to so-called 'class action' lawsuits on data protection breaches.
Under the new regime, class action lawsuits can now be lodged with the purpose of claiming damage for infringing personal data operations, which includes material and moral damage, in addition to the existing possibility to bring an end to those processing operations.
In addition, data subjects in France can now mandate employee representatives or a not-for-profit organisation active in the field of data protection or consumer protection to lodge the complaint on their behalf. Actions can be lodged against an infringing data controller and/or processor.
The GDPR leaves it up to individual EU member states to set their own rules on the processing of personal data in certain areas. The new French legislation contains a raft of new rules in this regard, including in relation to setting a legal age of consent for children accessing websites and apps and other 'information society services', and in the context of health data processing.
According to the new laws, a child can give their consent to the processing of personal data with regard to the direct provision of information society services from the age of 15. Where the child is under 15 years of age, processing shall be lawful only if consent is given jointly by the child and their parent or guardian.
Information society service providers must draft in clear and simple terms, easily understandable by the child, information relating to the processing operation concerning him or her.
On health data processing, the new laws state that organisations wishing to process health data will need to obtain authorisation from the CNIL to do so where their processing operations do not comply with standards issued by the CNIL in conjunction with the health industry.
In addition, processing of data containing the social security number will be subject to a specific regime: a decree issued by the Council of State, which will come after the CNIL has issued an opinion, will determine which type of data controllers will be able to process social security numbers and for which purposes.
Concepts largely derived from the GDPR have also been implemented into the new French data protection laws to meet the requirements of the new Law Enforcement Directive.
It means the processing of personal data by French authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties will be shaped by requirements on data security and accuracy, as well as obligations to carry out data protection impact assessments and embed data protection by design and default into new surveillance technologies and processing activities, and the need to contractually define data processing carried out by third parties.
Actions for businesses
For organisations operating in France, the adoption of the new data protection rules should serve as a further spur to finalising their steps towards GDPR compliance.
Businesses will also eagerly await the release of further information to help them frame their data processing which CNIL is expected to publish in many areas, notably in respect of processing health data.
For local authorities and SMEs, the new laws also give them an opportunity to ask CNIL for special assistance to help them comply, while website operators, mobile app developers and other information service providers should implement processes to allow them to collect consent taking into account the new legal age of consent set out in the new rules.
Annabelle Richard and Valentine Morand are Paris-based experts in data protection law at Pinsent Masons, the law firm behind Out-Law.com.
Written by
