This country-specific Q&A provides an overview of the data protection and cyber security laws and regulations that may apply in France.
This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/data-protection-cyber-security/
Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data they regulate, and who enforces the laws)?
The collection and use of personal data is primarily governed by the Law No 78-17 of 6 January 1978 relating to information technology, files and freedoms (the 'French Data Protection Act of 1978' or 'French DPA 1978'). The French DPA 1978 has a very wide scope of application and applies to anyone collecting and processing personal data. This is a general piece of legislation which applies irrespective of the sector of activity.
Personal data is any information relating to an identifiable person who can be directly identified (such as by their name and contact details) or indirectly identified in particular by reference to an identifier (such as an IP address, cookie data or location data). If a person collects information about individuals for any reason other than its own personal, family or household purposes, it would need to comply with the French DPA 1978. The law will also catch most businesses and organisations, whatever their size. It doesn’t need to be ‘private’ information – even information which is public knowledge or is about someone’s professional life can be personal data.
The Law No 2018-493 of 20 June 2018 on the protection of personal data significantly modifies the French DPA 1978 to comply with the General Data Protection Regulation ('GDPR') and introduces certain provisions specifically applicable in France, as the GDPR allows. For the sake of clarity, French data protection legislation will be recodified in the French DPA 1978 by the Ordonnance No 2018-1125 of 12 December 2018 on the protection of personal data, which will come into force shortly and no later than 1 June 2019.
Unless otherwise stated, references to articles of the French DPA 1978 are to the text applicable as of 1 June 2019.
However, in the majority of instances the processing of personal data will be subject to both the GDPR and the French DPA 1978.
The Commission Nationale de l'Informatique et des Libertés ('CNIL') is the supervisory authority for France. The roles of the CNIL are to raise awareness about data protection, to inform and educate the public on data protection law, and to inspect and sanction non-compliance with data protection laws. Regarding its sanctions toolkit, the CNIL is empowered to impose various types of sanctions, including but not restricted to public or private warnings, monetary sanctions, cease-and-desist injunctions on data processing, and withdrawals of a prior authorization given by the CNIL. The largest pecuniary sanction imposed to date by the CNIL is the 50 million EUR fine against Google LLC for lack of transparency, failure to properly inform users and failure to collect valid consent for targeted advertising services (Decision of the CNIL No SAN 2019-001 of 21 January 2019).
Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?
There is no registration or licensing requirement for entities covered by these laws.
The legal framework governing data protection applies to all entities that fall within its scope of application. Note that the entry into force of the GDPR ended the mandatory prior formalities with the CNIL for certain types of data processing.
How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?
The definition of personally identifiable information ('PII') provided for by the French DPA 1978 is consistent with GDPR's definition of personal data in its Article 4(1).
The GDPR defines personal data as any information relating to an identified or identifiable natural person (‘data subject’) who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What identifies an individual could be as simple as a name, a number or an identifier such as an IP address. Personal data can also be data that are not associated with the name of a person but can easily be used to identify him or her. For example, data which reveal a person's habits or tastes can be personal data insofar as he or she can be identified. Even if an individual is identified or identifiable, directly or indirectly, from the data, it is not personal data unless it 'relates to' the individual. When considering whether information 'relates to' an individual, the business needs to take into account a range of factors, including the content of the information, the purpose or purposes for which it is processing it and the likely impact or effect of that processing on the individual.
To decide whether data constitute personal data, account must be taken of all the means available to the data controller to determine whether a person is identifiable. Of particular relevance here is the possibility for a data controller to aggregate different sets of data so as to enable the identification of individuals. Because data can be combined in this way, a set of data may be personal data for some organizations, due to the additional sets of data available to them, while not being personal data for other organizations.
In the EU including France, sensitive PII is now known as 'special categories of personal data'. Special categories of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (GDPR, Article 9(1); and French DPA 1978, Article 6(I)).
Other key definitions include:
- a 'controller' is the party that determines the purposes and the means by which personal data is processed. For example, a business decides what data it collects on its employees and how it uses that data; it will be the controller in respect of that data;
- a 'processor' is the party that processes personal data on behalf of the controller, for example a service provider that provides payroll services to an employer.
Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?
Any entity falling into the scope of application of the French DPA 1978 must comply with the fundamental data protection principles (French DPA 1978, Article 4). Personal data must be:
- processed lawfully, fairly and transparently;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and where necessary kept up to date;
- not kept longer than necessary; and
- processed in a secure manner.
There is also an overriding principle of accountability. A controller is responsible for and must be able to demonstrate compliance with data protection principles by having appropriate, documented records, processes, policies and training.
A controller must provide a 'fair processing notice' setting out how the data will be used and disclosed, the lawful basis for the processing and the individual's rights amongst other things. This information should be easily accessible, easy to understand, and in clear and plain language.
A controller must also establish a legal basis for processing personal data, and show that one of the following applies:
- the individual has given their consent to the processing;
- processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for the compliance with a legal obligation;
- processing is necessary to protect the vital interest of the data subject or another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; or
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject (particularly where the data subject is a child).
There are more limited lawful bases for processing special category data, one of which must apply in addition to one of the lawful bases above where the data is special category data. These include but are not limited to processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defense of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, health, social security and social protection law. Full details are set out in Article 9 of the GDPR and Articles 6 and 44 of the French DPA 1978.
Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?
Consent is one of the lawful bases that controllers can rely on to process personal data. It tends to be used where no other lawful basis can be relied upon, as valid consent can be difficult to obtain and it can be withdrawn by the individual at any time.
Consent must also be used where the law requires it, for example for direct marketing by email or text message (unless the soft opt-in applies).
In order for consent to be valid, it must meet strict requirements. Consent is defined as:
'any freely given, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her' (GDPR, Article 4(11)).
Consent can be given electronically, in writing or orally. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement/conduct clearly indicating acceptance of the proposed processing. In each case some affirmative action should be given. Silence, pre-ticked boxes or inactivity do not constitute consent.
When special categories of data are being processed consent also needs to be explicit.
For consent to be informed, the data subject must be notified at least of the controller's identity and of the purposes of the processing. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for each of them, and the different purposes should be clearly distinguishable.
The data subject has, and must be informed of, the right to withdraw his/her consent at any time. Withdrawal does not affect the lawfulness of the processing carried out before it.
Consent may not be considered to be "freely given" if:
- performance of the contract is conditional on consent to the processing of personal data that is not necessary for the performance of that contract;
- there is a clear imbalance between the data subject and the controller (e.g. in an employment relationship); or
- the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Records of consents obtained should be kept to demonstrate compliance with the principles.
What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Sensitive PII, or more accurately now 'special categories' of personal data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In line with the GDPR, the definition of 'special categories' of personal data has been expanded under French law and now includes genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning a natural person's sexual orientation (French DPA 1978, Article 6(I)).
As a general principle, the processing of special categories of data is prohibited (GDPR, Article 9(1); and French DPA 1978, Article 6(I)). As collection is a form of data processing, the collection of special categories of data is also, as a general principle, prohibited.
However, there are exceptions to this prohibition. The exceptions to the prohibition are laid down either in the GDPR or the French DPA 1978 (Article 6(II)). These include but are not limited to processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, health, social security and social protection law. Full details are set out in Article 9 of the GDPR and Articles 6 and 44 of the French DPA 1978. These contain further details about the circumstances in which these exceptions will be met and where such processing is therefore permitted.
Another exception to this prohibition is the processing of personal data justified by public interest carried out on behalf of the State acting in the exercise of its powers as a public authority (French DPA 1978, Articles 6(III), 31 and 32).
It should be mentioned that criminal convictions and offences are not included within the definition of special category data. The French DPA 1978 deals with this type of data. The processing of personal data relating to criminal convictions and offences is prohibited unless the controller is listed in Article 46 of the French DPA 1978.
How do the laws in your jurisdiction address children’s PII?
Children need particular protection when their personal data is being collected and processed, as they may be less aware of the risks involved or of their rights. A controller will need to assess the safeguards it must put in place to make sure that the processing is fair and that a lawful basis is met. For example, where consent is the lawful basis for processing, the child's parent or guardian will need to be contacted to consent to the processing. A controller should keep its age verification and parental responsibility mechanisms under review to ensure that it is using the most appropriate mechanisms to reduce the risks.
In relation to the offer of online services directly to a child (information society services), if the data subject is a child aged 15 or over who has given consent to the processing of his/her personal data, the processing will be lawful. Where the child is below 15 years old, such processing shall only be lawful if consent is given by both the child and the holders of parental responsibility over the child (French DPA 1978, Article 45). The controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Any information and communication relating to processing addressed to a child should be in clear and plain language that the child can easily understand. Children have the same rights as adults in relation to the processing of their data, and the right to erasure is particularly relevant where they gave their consent to the processing when they were a child.
An issue may arise because a different age will apply in different countries, so businesses with a European reach will have to know the location of the child to ensure the right rules can be applied.
Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.
Both controllers and processors must maintain a record of the processing activities under their responsibility, which must be made available to the CNIL on request. Where an organization acts as controller for some data processing and as processor for other data processing, it should maintain two separate records of processing activities.
The record of processing activities must contain the following information:
- the organizations involved in the processing activities (representatives, subcontractors, joint controllers, etc.);
- the lawful basis for the processing;
- the categories of data processed;
- what the data is used for (i.e. what the organization does with it), who accesses the data and to whom it is disclosed;
- how long the data is kept; and
- how the data is secured.
In addition to meeting the obligation under Article 30 of the GDPR, this record is a tool for monitoring and demonstrating compliance with the GDPR as per the accountability principle.
Companies with fewer than 250 employees benefit from a derogation. They need only record the following data processing operations:
- recurring processing (e.g. payroll management, recurrent customer/prospect and supplier management, etc.);
- processing operations likely to involve a risk to the rights and freedoms of individuals (e.g. geolocation, CCTV, etc.); and
- processing operations involving sensitive data (e.g. health data, criminal convictions and offences, etc.).
In practice, this derogation allows VSEs and SMEs to bypass the obligation to record processing activities in very specific cases carried out on an occasional and non-routine basis, provided that such processing does not pose any risk to the data subjects. An example is the processing of personal data in a communication campaign on the occasion of the opening of a new establishment. In case of doubt about whether this derogation applies to a processing operation, the CNIL recommends including the processing activity in the record.
To facilitate the maintenance of this record, the CNIL created a model of a basic record in PDF and Word formats intended to meet the most common needs in terms of data processing, in particular for small structures (VSE-SMEs, associations, etc.). This model is available on the CNIL's website.
Moreover, given that Article 30 of the GDPR lays down specific obligations for the records of processing activities of the controller and the register of the processor, the CNIL recommends that an organization acting as both processor and controller maintains two separate records of processing activities:
- one for the processing of personal data for which the organization acts as controller; and
- another one for the processing that the organization carries out as a processor (subcontractor).
Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?
A controller must carry out a data protection impact assessment ('DPIA') if the processing is likely to result in a high risk to individuals (GDPR, Article 35). For more information about DPIA please see question 10.
If, in the DPIA, a controller identifies a high risk that it cannot mitigate or reduce, it must consult with the CNIL prior to commencing the processing (GDPR, Article 36).
When consulting the CNIL, a controller shall provide details of:
- where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
- the purposes and means of the intended processing;
- the measures and safeguards provided to protect the rights and freedoms of data subjects;
- where applicable, the contact details of the data protection officer;
- the data protection impact assessment; and
- any other information requested by the CNIL.
The CNIL will respond within eight weeks of the request for consultation and provide written advice to the controller. Where appropriate, the CNIL can issue a warning not to process the personal data.
More details on the DPIA are provided for in Article 35 of the GDPR and on the CNIL website.
Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?
A DPIA should be carried out where the intended processing is "likely to result in high risks" to data subjects. According to the guidelines of the European Data Protection Board ('EDPB'), nine criteria are used to determine whether a processing operation is likely to create a high risk to the rights and freedoms of natural persons. This is the case when the processing involves:
- An evaluation or scoring;
- Automated decision-making with legal or similarly significant effect;
- Systematic monitoring;
- Sensitive data or data of a highly personal nature;
- Personal data processed on a large scale;
- Matching or combining of data sets;
- Data concerning vulnerable persons;
- Innovative use or application of new technological or organizational solutions;
- Processing which in itself prevents individuals from exercising a right or benefiting from a service or contract.
The assessment should be carried out prior to any processing and contain at least:
- A description of the proposed processing, its purposes and the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisaged to address the risks.
The controller should also seek the advice of the data protection officer (if it has one) when carrying out the above assessment. Where appropriate, the controller should seek the views of the data subjects (or their representatives) on the intended processing. Software for conducting a DPIA, developed by the CNIL, is available free of charge on its website.
Where the result of the DPIA indicates that the processing operations would present a high risk if the controller did not take measures to mitigate the risk, the latter must consult the CNIL before processing is carried out.
In addition to the guidelines adopted by the EDPB in October 2017, the CNIL has published a list of processing operations which require a DPIA:
- Processing of health data for the care of individuals;
- Processing of genetic data of vulnerable persons (e.g. patients, employees, children, etc.);
- Processing operations profiling individuals for the purpose of human resources management;
- Processing operations for the purpose of constantly monitoring the activity of employees;
- Processing for the purpose of managing alerts (e.g. whistleblowing) in social and health contexts;
- Processing operations for the purpose of managing alerts (e.g. whistleblowing) in professional context;
- Processing of health data necessary for the establishment of a data warehouse or register;
- Processing involving the profiling of individuals which may result in their exclusion from a contract or in its suspension or termination;
- Shared processing of contractual breaches, which may lead to a decision to exclude or suspend the benefit of a contract;
- Processing involving the profiling of individuals based on data from external sources;
- Processing of biometric data of vulnerable persons (children, elderly, patients, asylum seekers, etc.);
- Processing operations for management of social housing requests;
- Processing operations for the purpose of providing social or medico-social support to individuals; and
- Large-scale processing of location data.
However, this list is not exhaustive and processing operations not included in it may nevertheless be subject to a DPIA.
Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?
A person must appoint a data protection officer ('DPO') if:
- it is a public authority or body (except for courts acting in their judicial capacity);
- its core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- its core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. A group of undertakings can select a single DPO, provided that the DPO is easily accessible from each establishment. A single DPO may also be designated for several public bodies/authorities. The DPO does not have direct statutory liability under the French DPA 2018.
If a decision is made to appoint a DPO voluntarily, the business should be aware that the same requirements on the position and tasks of the DPO apply as if the appointment were mandatory.
The DPO’s tasks are:
- to inform and advise on data protection laws;
- to monitor compliance with data protection laws and with the business' data protection policies, including training staff and conducting internal audits;
- to advise on, and to monitor, data protection impact assessments;
- to cooperate with the CNIL and other supervisory authorities; and
- to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
In the performance of their tasks, DPOs are supported by the CNIL. The authority leads sectoral, business and/or geographic networks of DPOs, runs awareness workshops and promotes the certification of DPO skills.
It also provides a dedicated telephone hotline and e-mail address to answer their questions.
Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).
Individuals have the right to be informed about the collection and use of their personal data. Transparency is a key requirement.
At the time personal data is obtained from a data subject, a controller must provide the data subject with all of the following privacy information:
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the legitimate interests pursued by the controller or by a third party where the legitimate interests lawful basis is being used;
- the recipients or categories of recipients of the personal data, if any;
- the source of the data;
- the retention periods;
- details of the individual's rights, including the right to withdraw consent;
- the right to lodge a complaint with a supervisory authority;
- whether there is a statutory or contractual obligation to provide certain details, and the consequences of not providing them;
- whether automated decision-making or profiling is being conducted, with meaningful information about the logic used and the intended consequences of the processing; and
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation, the mechanism being relied upon to allow the transfer and, where relevant, how to obtain a copy.
When personal data is obtained from a source other than the individual it relates to, the individual needs to be provided with the above privacy information:
- within a reasonable period of obtaining the personal data and no later than one month;
- if the data is used to communicate with the individual, at the latest, when the first communication takes place; or
- if it is envisaged to disclose the data to someone else, at the latest, when the data is disclosed.
The controller must actively provide privacy information to individuals. It can meet this requirement by putting the information on its website, but it must make individuals aware of it and give them an easy way to access it, including at the point of collection of their data. For all audiences, information must:
- be concise;
- be transparent;
- be intelligible;
- be easily accessible; and
- use clear and plain language.
When providing the information to individuals, a combination of techniques can be used, such as a layered approach to presenting the information, privacy dashboards, just-in-time notices and icons. It is also good practice to carry out user testing on draft privacy information to get feedback on how easy it is to access and understand. Once the information is finalized, regular reviews should be carried out to check that it remains accurate and up to date: controllers should keep their privacy information current and proactively bring any changes to people's attention.
Some examples of notices of information can be found on the CNIL's website.
Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?
Under the GDPR and the French DPA 1978, processors have a number of direct obligations of their own concerning, for instance, security measures, security breach notifications, data protection officers and record-keeping.
Processors are also subject to the relevant investigative and corrective powers of the supervisory authority and may be subject to administrative fines or other penalties for breaches of their direct obligations. They may also be contractually liable to the controller for any failure to meet the terms of the agreed contract. This will of course depend on the exact terms of that contract.
Any party can also bring a claim directly against a processor. A processor can be held liable to pay compensation for any damage caused by its processing (including non-material damage such as distress). The processor will only be liable for the damage if:
- they have failed to comply with the provisions specifically relating to processors; or
- they have acted without the controller’s lawful instructions or against those instructions.
Processors will not be liable if they can prove they are not in any way responsible for the event giving rise to the damage.
If processors are required to pay compensation but are not wholly responsible for the damage, they may be able to claim back from the controller the share of the compensation corresponding to the controller's responsibility for the damage.
The CNIL published guidelines for processors in September 2017, which provide extensive information on their own obligations and on how to comply with them.
In addition, sector-specific laws may apply; for example, health data hosting providers are subject to the provisions of the Public Health Code.
Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?
Yes, there are minimum mandatory contractual provisions that data processing clauses/contracts with a processor must contain, which include an obligation to flow down those obligations to sub-contractors. Failing to include these is itself a breach. If data is being shared between two independent controllers, an appropriate data sharing agreement should be entered into by the parties.
The new contractual commitments to be imposed on processors include assisting with many of the obligations imposed on controllers (such as controllers' obligations to respond to the exercise of data subject rights, data security and other governance obligations).
Processors also have a direct statutory "policing" obligation, to "immediately inform" the controller if, in the processor's opinion, an instruction infringes the GDPR and/or the French DPA 1978.
A restriction on appointing sub-processors must also be included whereby sub-processors cannot be engaged without the controller's prior consent, which may be general, but if general then proposed changes must be notified in advance to give controllers a chance to object. Where that sub-processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that sub-processor's obligations.
A controller will conduct due diligence on a proposed processor to enable it to show how it has sought to comply with the data protection principles. This will include reviewing the security measures that the processor has in place.
Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization from a regulator?)
Transfers of personal data to countries outside the EEA are restricted. These restrictions apply to all transfers, no matter the size of transfers or how often they are carried out.
To enable a restricted transfer to take place, a business must first identify whether the transfer is to a country which is covered by an EU Commission 'adequacy decision'.
Details of such countries can be found on the CNIL's website or on the EU Commission's website.
If there is no adequacy decision, then the business must put in place an appropriate safeguard to enable the transfer to take place. Most businesses use the EU Commission model contracts; however, there are other mechanisms, such as binding corporate rules for intra-group transfers, that can be used. More details on what can be regarded as appropriate safeguards are provided for by Articles 46 and 47 of the GDPR.
In the absence of an EU Commission adequacy decision or of appropriate safeguards, a transfer shall only take place if one of the specific derogations/conditions applies, such as where the data subject has given their explicit consent, the transfer is necessary for the performance of a contract or for important reasons of public interest or for the establishment, exercise or defence of legal claims, or the transfer is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally unable to give consent. The full list of derogations is set out in Article 49 of the GDPR.
It is also still possible to rely on Privacy Shield for transfers to the USA, subject to any potential future case-law challenges.
In view of Brexit, flows of personal data from the EU to the UK could be impacted. See the United Kingdom section for more on that.
What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?
Both the controller and processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data. The parties should take into account factors such as the state of the art, implementation costs and the context of processing (GDPR, Article 32).
The CNIL recommends that controllers and processors identify the processing of personal data, assess the risks generated by each processing operation, implement and verify the security measures, and have periodic security audits carried out. Security measures should be put in place in order to prevent unauthorised or accidental processing. The CNIL recommends systematically implementing the following basic precautions:
- raise awareness among users (make each user aware of security and privacy issues);
- authenticate users (recognise users so that they can then be given the necessary access);
- manage authorisations (limit access to only the data a user needs);
- track access and manage incidents (log access and provide procedures to manage incidents in order to be able to react in the event of data security breaches such as breach of confidentiality, integrity and availability);
- secure workstations (prevent fraudulent access, virus execution or remote control, especially via the Internet);
- secure mobile computing (anticipate data security breaches due to the theft or loss of mobile equipment);
- protect the internal computer system (authorize only the network functions necessary for the processing operations set up);
- secure servers (strengthen security measures applied to servers);
- secure websites (ensure that minimum good practices are applied to websites);
- safeguard and provide for business continuity (perform regular backups to limit the impact of unwanted data loss);
- secure archiving (archive data that is no longer used on a daily basis but has not yet reached its retention limit, for example because it is stored in order to be used in the event of litigation);
- supervise the maintenance and destruction of data (ensure data security at all stages of the hardware and software life cycle);
- manage subcontracting (monitor data security with subcontractors);
- secure exchanges with other organizations (reinforce the security of any transmission of personal data);
- protect the premises (strengthen the security of the premises hosting the computer servers and network equipment);
- supervise IT developments (integrate security and privacy as early as possible in projects); and
- encrypt, guarantee integrity or sign (ensure the integrity, confidentiality and authenticity of information).
More guidance by the CNIL is available on its website.
Does your jurisdiction impose requirements of data protection by design or default?
Yes, a business must put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights (GDPR, Article 25). This is known as privacy by design. Data protection by design is about considering data protection and privacy issues upfront, that is to say at the design phase of any system, service, product or process, and then throughout its lifecycle. All the rules and restrictions relating to data protection must be considered upstream of each contemplated processing of personal data.
In essence, this means that controllers have to integrate or ‘bake in’ data protection into the processing activities and business practices. There are many ways to implement the principle of 'data protection by design' in practice including the implementation of data protection concepts such as data minimisation, storage limitation and transparency. From an organisational point of view, a good business practice is to ensure the effectiveness of the rights of data subjects. Data protection by design may also be reflected at the technical level. The choice of architecture (decentralized vs. centralized), the implementation of security measures to prevent misuse of data and pseudonymisation techniques are good examples of technical implementations of 'data protection by design'.
The pro-privacy methodology of 'data protection by design' helps to ensure that compliance with the GDPR's fundamental principles and requirements is effective, and forms part of the GDPR's focus on accountability. According to the principle of 'accountability', data controllers must implement internal processes and procedures to enable them to demonstrate compliance with data protection laws.
The concept of 'data protection by design' is closely linked to, but distinct from, the concept of 'data protection by default'. Under the latter, data controllers must only process data that is necessary to achieve the specific purpose they have determined. Data protection by default links with the fundamental data protection principles of data minimisation and purpose limitation.
Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?
The French DPA 1978 implements the provisions imposed by the GDPR under which the data controller shall, under certain conditions, report data security breaches to the relevant supervisory authority. The definition of data security breach provided for by the French DPA 1978 refers to the GDPR which defines a data security breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In addition to this general obligation to report data security breaches, there are some sectorial obligations to report data security breaches (whether or not it concerns PII) for:
- Operators of Essential Services ('OES') and Digital Service Providers ('DSP'): they must notify the Prime Minister of any breach having an impact on the operation or security of their information systems. In addition, if the security incident affects networks and information systems, they also have to notify the French national information systems security authority ('ANSSI') without delay after becoming aware of the breach. The law does not provide any specific definition of data security breach;
- Telecom operators: the obligation for telecom operators to report data security breaches to the CNIL was introduced in 2011 to implement the Directive 2009/136/CE of 25 November 2009. A security breach in this context is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or unauthorised access to personal data being processed in the context of the provision of electronic communications services to the public; and
- Healthcare institutions: they shall report serious information system security incidents to the regional health agency. Serious security incidents are defined as events creating an exceptional situation within an establishment, organisation or service. In addition, if the security incident is significant, it will also be transmitted by the regional health agency to the competent State authorities. Significant incidents are defined as incidents having a potential or proven impact on the departmental, regional or national organisation of the health system and incidents that may affect other institutions, organisations or services.
Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?
The French DPA 1978 introduces a duty on controllers to report certain types of data security breaches to the relevant supervisory authority.
Under this general notification obligation pursuant to the French DPA 1978, the report to the CNIL shall be made within 72 hours.
If the controller cannot provide all the required information within this time period because further investigations are necessary, the notification may be made in two stages:
- an initial notification within 72 hours following the breach (if the 72-hour deadline is exceeded, the controller must explain the reasons for the delay); and
- an additional notification as soon as the complete information is available.
The CNIL has implemented an online platform available for data security breach notifications (accessible at https://notifications.cnil.fr/notifications/index).
Such notification to the CNIL shall be made where there is a risk to data subjects' privacy. The level of risk is self-assessed by the data controller. However, in the case of an inspection by the CNIL, the controller will have to demonstrate that the data security breach was unlikely to result in a risk to the rights and freedoms of data subjects. If such risk is high, the data controller will also have to notify the data subjects. The CNIL has the power to compel a business to inform affected individuals if it considers there is a high risk.
OES and DSP shall notify the Prime Minister of any data security breach irrespective of the level of risk for the data subjects.
Healthcare institutions shall notify the regional health agency of any serious and significant security incidents. Serious incidents are considered to be (i) incidents with potential or proven consequences for the safety of care, (ii) incidents affecting the confidentiality or integrity of health data and (iii) incidents affecting the normal functioning of the establishment, agency or service.
Telecom operators must notify without delay the CNIL of any data security breach.
Any notification to the CNIL must contain the following information in particular:
- a description of the nature of the personal data security breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the name and contact details of the data protection officer or other contact point where more information can be obtained;
- the consequences that may occur following the personal data security breach; and
- the measures taken or proposed to be taken by the controller to address the personal data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
In addition, if a personal data security breach is likely to result in a high risk to the rights and freedoms of individuals, the business must inform those concerned directly and without undue delay. In other words, this should take place as soon as possible.
The ‘high risk’ threshold for informing individuals is higher than that for notifying the CNIL. The business will need to assess both the severity of the potential or actual impact on individuals as a result of a data security breach and the likelihood of this occurring. If the impact of the data security breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, the business will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a data security breach.
The CNIL may not require notification of the data security breach to data subjects if the business has implemented appropriate protection measures that render the data unintelligible to any person who is not authorised to access it, and those measures were applied to the data affected by the breach.
Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.
Individuals have a range of rights under the French DPA 1978, as provided for in the GDPR.
Individuals have the right to access their personal data, to rectify inaccurate or incomplete personal data, to erase it, to restrict its use, or to transfer the personal data to another party in certain circumstances. They shall be informed of their rights through a specific notice at the latest at the time of data collection.
Where legitimate interest is the lawful basis for processing the data, a data subject can object to the processing, in which case the controller must assess whether it can continue to process the data (this is called the legitimate interests balancing test/assessment). An individual has the absolute right to object to receiving direct marketing and to withdraw any consent they have given for a processing activity; if they object or withdraw their consent, this must be complied with.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them, unless certain conditions are met. The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information such as the purpose of the processing, the recipients of the data processed, etc. It helps individuals to understand how and why an organisation is using their data, and to check that it is doing so lawfully. To obtain such data, the individual shall prove their identity. The data controller may request the payment of fees to proceed with this operation, but the costs shall not exceed the reproduction costs. The controller may refuse to proceed with abusive requests, e.g. repetitive or systematic requests, but bears the burden of proving the abusive nature of the requests if challenged.
The right to have personal data erased is also known as the ‘right to be forgotten’. The right is not absolute and only applies to inaccurate, incomplete, ambiguous and out of date data or whose collection, use, disclosure or retention is prohibited by law. However, if the personal data were collected at a time where the data subject was a minor, the right to deletion is absolute and the data controller shall take any appropriate measures to inform any third party to which the data was transferred that such data shall be deleted.
The data subject rights may not apply in certain circumstances (to the extent that applying the right would prejudice/prevent certain purposes) such as where personal data is processed for crime and taxation purposes. The DPA 1978 also contains a number of other exemptions, a number of which are narrowly applied in practice.
In addition, French law provides that data subjects have the right to define specific or general guidelines on their data after their death. If the guidelines are general, i.e. if they concern all personal data relating to the data subject, they must be registered with a digital trusted third party certified by the CNIL. If the guidelines are specific, they are registered with the data controller concerned. In the absence of instructions, the heirs of the data subject may, to a certain extent defined by law, exercise the rights of the data subject.
Data subjects also have the right to data portability, i.e. to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format in order to transmit those data to another controller, if (i) the processing is carried out by automated means, (ii) it is based on the legal ground of consent or contract and (iii) it does not infringe the rights and freedoms of third parties.
Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?
Rights of individuals are exercisable through the judicial system as well as before the CNIL. However, it is more common for individuals to bring cases directly before the CNIL rather than before the courts.
The CNIL has developed an online platform, accessible from the internet, which any individual can easily use to raise a claim if their rights are violated. When a claim is brought before the CNIL, it will contact the data controller and then inform the data subject of the status of their claim. If the CNIL receives several complaints about a violation committed by the same company, the CNIL may decide to audit that company's compliance with the French DPA 1978.
The data subject will not obtain any monetary compensation by raising a claim before the CNIL, but only the enforcement of his or her rights. However, if the company does not comply with the CNIL's requests, it may be subject to an administrative sanction, even if the individual did not suffer any damage as a result of the violation of their rights.
To obtain monetary compensation, a data subject shall bring a civil or criminal action against a controller or processor where they consider their rights have been infringed. To obtain compensation, the data subject shall demonstrate that he or she suffered damage. Proceedings can be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.
Several data subjects suffering damage as a result of a similar breach of the provisions of the French DPA 1978 or the GDPR with a common cause may also decide to bring a collective action before the civil court or the competent administrative court. This action may be brought either to put an end to the breach or to obtain compensation for the material and moral damage suffered, or for both purposes.
How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?
The CNIL has a large set of powers to enforce privacy laws and can take the following actions:
- A notice recalling the obligations of data protection law;
- An order to bring the processing into conformity with the obligations arising from the French DPA 1978 and the GDPR, or to comply with requests submitted by data subjects to exercise their rights, which may be accompanied by a penalty payment in an amount not exceeding €100,000 per day of delay from the date fixed by the CNIL;
- A temporary or definitive limitation of processing, its prohibition or the withdrawal of an authorisation granted;
- The withdrawal of a certification or the injunction, to the certification body concerned, to refuse a certification or to withdraw the certification granted;
- The suspension of data flows addressed to a recipient located in a third country or to an international organisation;
- Partial or total suspension of the decision to approve binding corporate rules; and
- An administrative fine of up to €20 million or, in the case of an undertaking, 4% of the previous year's total worldwide annual turnover, whichever is higher.
Regarding administrative fines, there is a two-tier system reflecting the seriousness with which a breach of specified obligations is viewed. For example, breaches of the principles, of the conditions applicable to consent, of the lawful basis requirement, of individuals' rights and of the restricted transfers provisions are subject to the higher tier of up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaches of obligations such as maintaining the record of processing activities, conducting a data protection impact assessment, a processor's obligations, privacy by design and appointing a data protection officer (amongst others) are subject to the lower tier, where the maximum fine is €10,000,000 or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Please note that until 2016, the maximum amount of the fine was only €150,000; it was then increased to €3,000,000 from 2016 until the entry into force of the GDPR.
Decisions issued by the CNIL may be appealed to the French Council of State.
In addition, civil actions brought by persons who suffered material or non-material damage may also result in civil sanctions to compensate the harm suffered by the persons concerned.
Finally, violations of the French DPA 1978 may also be punished by criminal penalties of up to €300,000 in fines and 5 years' imprisonment.
Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.
The French DPA 1978 provides for some limitations in relation to individuals' rights. For example, according to Article 48 of the French DPA 1978, the obligation to inform for a data controller which did not obtain the PII from the data subject (i.e. through an indirect means of collection) is limited if the provision of such information (i) proves impossible, (ii) would involve disproportionate effort, or (iii) is likely to render impossible or seriously impair the achievement of the objectives of the processing. However, such limitation shall only apply if the controller takes appropriate measures to protect the data subject's rights and freedoms and legitimate interests.
Similarly, the right to deletion does not apply for example where the processing of personal data is necessary to exercise the right to freedom of expression and information or for reasons of public interest in the field of public health.
There are also a number of specific provisions that apply in certain circumstances to some particular processing:
- processing of health data;
- processing for the purposes of research, study or evaluation in the field of health;
- processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- processing of personal data for the purposes of journalism and literary and artistic expression; and
- processing in the electronic communications sector.
In addition, some types of PII processing are not covered by the GDPR:
- personal data that is processed for purely personal or household activity with no connection to a professional or commercial activity. This type of processing is out of scope of data protection legislation;
- French law excludes from the scope of French DPA 1978 temporary copies made in the context of the technical activities of transmitting and providing access to a digital network in order to allow other recipients of the service the best possible access to the information transmitted (French DPA 1978, Article 42(I)(4)). This derogation aims at taking into account the use of servers or "proxies" to temporarily store the addresses of Internet users and websites visited and therefore allow a faster display of previously visited pages;
- processing of personal data by competent authorities for law enforcement purposes, e.g. police investigating a crime. Such processing is covered by the rules of Title 3 of the French DPA 1978, which implements the EU Police Directive No 2016/680; and
- processing of PII for the purposes of safeguarding national security or defence. Such processing is covered by the rules of Title 4 of the French DPA 1978.
Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them. This applies where there is no human involvement in the decision-making process. Such a process can only be carried out by an organisation if the decision is:
- necessary for entering into or performance of a contract between the organisation and the individual;
- authorised by law (for example, for the purposes of preventing fraud or tax evasion);
- based on the individual’s explicit consent; or
- under certain conditions, an individual administrative decision provided that it does not involve sensitive data.
- inform Internet users on the purpose of the cookies used;
- obtain their consent which shall not be valid for longer than 13 months; and
However, cookies which are used solely for technical purposes, such as "shopping cart" cookies on a merchant site or authentication cookies, do not need to comply with the above conditions.
Please describe any laws addressing email communication or direct marketing?
Marketing activities using personal data have to comply with the French DPA 1978 as well as with the provisions of the Law No 575 of 21 June 2004 for confidence in the digital economy codified in the Postal and Electronic Communications Code.
Where personal data is processed for the purposes of direct marketing, the prior and express consent of the data subject to receive email communications must be obtained. Such consent shall be freely given, and obtained clearly and separately from any other information.
However, there is an exception to this prohibition principle where the details of the recipient are collected directly from that person in the context of a sale or a provision of services and (i) the marketing relates to the same/similar goods/services as those provided; (ii) the customer is given the opportunity to opt out at the time of data collection and in every communication thereafter; and (iii) the marketing comes directly from the contracting entity/controller which sold the goods/services.
In this respect, the CNIL recommends that prior consent be obtained through a tick box, provided that the box is not pre-ticked.
Where the data subject objects to processing for direct marketing purposes, the business should not continue to process the data for such purposes (including any profiling relating to such direct marketing).
In addition, the CNIL considers that every email communication shall contain the identity of the sender and a simple means of opting out of receiving further emails (for example, through a hyperlink at the end of the email).
The CNIL adopts a more flexible approach where the email communications are sent between professionals. In this case, the prior consent requirement does not apply and it is sufficient to provide simple information at the time the data are collected, provided that (i) a simple means to opt out is provided and (ii) the subject of the email communication is related to the profession of the person contacted.
At the time of writing, a new E-Privacy Regulation is currently being prepared which will impact the above.