Data Protection Report - Norton Rose Fulbright

On January 26, 2016, the French National Assembly adopted the “Digital Republic” bill, a comprehensive bill introducing various provisions to regulate the digital sphere within French society. Access to public data, neutrality of the Internet, access to the digital sphere and communication networks are some of the main subjects covered by this bill. The bill also addresses the protection of individual rights within the digital sphere. The bill is now under review by the French Senate.

The bill proposes several key amendments to the French Data Protection Act of 6 January 1978 (“DPA”). Notably, the CNIL, the French data privacy regulator, emphasized (“Deliberation” dated 19 November 2015) that the bill and any changes to the DPA that the bill contemplates must comply with the EU Global Data Protection Regulation (“GDPR”).

CNIL’s Expanded Enforcement Authority under the “Digital Republic” Bill

The “Digital Republic” bill would expand the CNIL’s powers. Specifically, the bill would increase the amount of monetary sanctions that the CNIL can impose for privacy violations, which reflects the relevant sanction provisions of the future GDPR. The CNIL would thus be able to impose monetary sanctions on a data controller of up to 20 million euros or 4% of its worldwide turnover. The sanction would be limited to 10 million euros or 2% of the worldwide turnover for minor violations of the DPA.

The CNIL would also have the power to order a data controller to individually notify the individuals affected by the breach about the sanctions imposed against it. Finally, when a breach cannot be remedied (e.g., a security breach), the CNIL would have the authority to impose sanctions on the data controller without any prior formal notice.

Cooperation between the CNIL and data protection authorities outside the EU

The bill also proposes granting the CNIL expanded powers to cooperate with supervisory authorities based in countries outside the European Union offering a similar level of data protection. Notably, the CNIL would be entitled to enforce potential violations of the DPA by a data controller established on French territory at the request of these non-EU supervisory authorities, and to exchange information with these supervisory authorities (subject to the prior conclusion of a collaboration agreement between the CNIL and such other authorities).

Policy guidance 

The “Digital Republic” bill would allow the CNIL to consider and weigh in on ethical and social concerns raised by the evolution of digital technologies. The CNIL would also have responsibility for promoting the use of technologies which protect private life, particularly data encryption.

Expanded privacy protections for individuals

The “Digital Republic” bill would expand privacy protections for individuals, including:

  • General principle: right to decide and control the use of personal data

The bill would amend Article 1 of the DPA by introducing the general principle that any data subject has a right “to decide and control the use of his or her personal data, pursuant to the conditions set out in the DPA”. The adoption of this principle could influence the CNIL in assessing whether data processing is in compliance with the DPA.

  • Obligation to inform the data subjects of the data retention period

The bill would also amend Article 32 of the DPA to require data controllers to inform data subjects about the applicable retention period of the categories of data processed or, when not feasible, about the criteria used to determine data retention periods. If this provision is adopted, data controllers will have to modify their privacy notices accordingly.

  • Obligation to facilitate the exercise by data subjects of their access and rectification rights

Data controllers that collect personal data by electronic means will have to allow the data subjects to exercise their rights by electronic means pursuant to a new Article 43-bis of the DPA.

  • Right to data erasure for minors

With some exceptions, the bill would require data controllers to erase the data collected from minors at the request of the individual whose data was collected when he or she was a minor in the context of the “offer of services of the information society”. This expression is rather unclear, but this right to data erasure for minors should apply to many kinds of online communication services.

  • Instructions left by a deceased data subject

Under certain conditions, the bill would allow a data subject to provide instructions to a third party (such as a successor or a trusted third party certified by the CNIL) regarding the archiving, erasure and communication of his or her personal data after his or her death. Such third party would thus be allowed to exercise all or part of the deceased data subject’s rights against data controllers.

Class Actions

The “Digital Republic” bill would authorize certain organizations to bring data protection class actions on behalf of consumers in the event of a breach of the DPA. This authority would apply to: (a) associations protecting privacy and personal data; (b) consumer protection associations; (c) trade unions, when the processing affects employees; and (d) any association created for the sole purpose of filing the class action.

Broader rights under the French Consumer Code

The “Digital Republic” bill would also provide broader “digital” rights in the French Consumer Code (the “FCC”).

Email and other online communication service providers would now have to offer account and data portability. These rights are broader than the equivalent provisions of the GDPR because the bill does not limit the portability requirements to personal data.

Operators of online platforms will be subject to reinforced transparency obligations towards consumers. These obligations will cover not only intermediation platforms, as is currently the case under article L.111-5-1 of the FCC, but also operators that offer online communication services based on the algorithmic ranking of content, goods or services proposed or made available online by third parties.

Finally, the bill will require consumer review websites to disclose to consumers the methodology used to verify online reviews.

Our Take

Some of the “Digital Republic” bill’s provisions are similar or equivalent to the provisions of the GDPR, which is slated to come into force in 2018 at the earliest. Notably, should the bill be adopted by the French Senate, the CNIL would be granted some of the new powers that it would otherwise not have until the GDPR comes into effect. Data subjects’ right to data portability would also be effective before 2018.

Yet, the CNIL emphasized in its “Deliberation” dated 19 November 2015 that the bill and any amendments to existing law, notably to the DPA and FCC, must comply with the GDPR. Furthermore, the bill has not yet been reviewed by the French Senate so further changes are to be expected.

In any event, the bill confirms the importance for companies and public bodies to start anticipating the future requirements of the GDPR.
