France’s Law to Accompany the GDPR and EU Directive Published
On December 13, 2017 the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and the Directive 2016/680, governing the handling of data in law enforcement situations.
The following are some of the notable changes brought by the draft law with respect to the GDPR.
(Temporarily) Unclear and Not User-friendly
It is presented as an amendment to the existing French Data Protection Act (DPA, known as Loi Informatique & Libertés) and the press release indicates that “the government has made the choice to keep the existing structure.”
As a consequence, the revised DPA will be particularly difficult to read and understand, because it does not remove the old text that should no longer apply after the GDPR takes effect. By way of example, it does not delete the former rules on territorial scope, whereas the rules have changed significantly under GDPR.
To correct this unfortunate situation, Article 20 authorizes the government to revamp the law by way of ordinance in order to “make the formal corrections and adaptations necessary for the simplification and the coherence as well as the simplicity of the implementation implemented by the data subjects.” The government has a period of six months after the adoption of the law to do so.
Scope for Local Derogations
Where the GDPR allows local law to adapt or complete the rights and obligations provided by GDPR, French rules will apply to processing of personal data of individuals residing in France, even if the controller is not established in France.
However, where this relates to freedom of expression or freedom of the press, national rules of the country where the data controller is established shall apply.
Powers of the CNIL
The draft law contains many changes to the powers of the CNIL and the way it is organized in relation to its decision-making process.
- Soft law – Among others, the CNIL:
  - Will publish guidelines, recommendations or specifications for processing activities and encourage the development of codes of conduct – and will publish methodologies for the processing of health data for research purposes
  - May prescribe additional security measures for health data, including biometric and genetic data
  - May provide or organize certification
  - May establish a list of high-risk processing activities requiring prior consultation
  - May make observations before any court in procedures based on the GDPR or the DPA
- Sanctions – There are a number of changes to sanctions themselves, as well as sanctions procedures. For example, the CNIL will be able to issue an injunction with a daily fine of up to €100,000.
- Investigations – Multiple changes in this area include CNIL agents being allowed to carry out online checks under a borrowed identity.
- Cooperation – There are several provisions on the cooperation between the CNIL and other supervisory authorities, including as regards joint investigations.
- International transfers – Following a complaint, the CNIL will have the power to request that the State Council (i) orders the suspension or cessation of the transfer of data (possibly with a daily fine) and (ii) requests a preliminary ruling by the European Court of Justice to assess the validity of (a) an adequacy decision by the European Commission or (b) any acts taken by the European Commission authorizing or approving appropriate safeguards in the context of data transfers.
Registration Formalities and Prior Authorization
The GDPR has eliminated the registration formalities for processing activities with data protection authorities, except for measures providing safeguards for international transfers and consultation of the supervisory authority where a risk to data subjects remains after a data protection impact assessment (DPIA). However:
- French law retains registration formalities for health data for certain types of processing activities.
- Processing activities involving use of the social security number will be set by a decree of the Council of State, after opinion by the CNIL, including the categories of controllers and the permitted purposes. Otherwise, use of the social security number is permitted for national statistical purposes, including scientific research and electronic relations with the French administration. The CNIL will no longer have the power to authorize, even on a case by case basis, other uses of the social security number.
- A higher level of authorization remains applicable for processing activities implemented on behalf of the French state (for example, for the biometric or genetic data necessary for the identification or control of the identity of persons).
Data Protection Officer
The draft law has not modified the DPO requirement (but has added some minor specificities).
Processing Activities in the “Health Sector”
Chapter IX and new sections 53 to 60 of the DPA are devoted to processing activities in the “health sector”. Such processing activities have to be carried out for public interest purposes. They do not include processing activities for the purpose of medical treatment or prevention, nor processing for social care purposes, which are governed by the general section on sensitive data. Notably, they include, but are not limited to, medical research or the evaluation of practices in the medical sector.
The processing of this data will have to comply with specifications, methodologies or regulations established by the CNIL in consultation with the National Institute of Health Data and other public bodies and stakeholders. Implementation of such processing activities will require either (i) prior self-certification with the relevant specification, methodology or regulation or (ii) prior authorization by the CNIL. The CNIL may grant a general authorization to a controller for all identical processing activities.
The draft law also contains provisions with regard to data subjects’ rights and, notably, in relation to minors.
Processing of “Sensitive Data”
The draft law adds to the general prohibition on processing special categories of data, so-called “sensitive data”, the prohibition on processing genetic data and biometric data for uniquely identifying a natural person (as well as data relating to a person’s sexual orientation).
It does, however, authorize, in addition to what is provided under article 9.2 GDPR, the use by employers or administrations of biometric data for access control to premises, equipment or apps.
Data Relating to Criminal Convictions and Offences
This type of data can only be processed by limited categories of persons, except where the processing is for the purpose of exercising or defending one’s rights in court and for the enforcement of any decision, as strictly necessary for this purpose.
Data from published court decisions can be reused, but without disclosing information on the identity of individuals.
Representation of Data Subjects
Individuals can be represented individually in their complaints to the CNIL or against it by the associations and organizations already empowered by Article 43 to represent several individuals in class actions (with a reminder that class actions cannot involve claiming for damages).
Automated Individual Decisions
The draft law facilitates automated decision making by administrative bodies, provided that it does not involve processing of sensitive data and that “the data controller ensures the control of the algorithmic processing and its evolutions,” without, however, defining precisely this “control of algorithmic processing”.
Data Breach Communication
A decree by the State Council will set the list of processing activities for which there will be no requirement to communicate the data breach to data subjects, where the disclosure of such information creates a risk for national security, national defense or public safety. This only applies where the processing is based on a legal obligation or necessary for a mission of public interest.
Age of Consent for Minors
Because the bill does not contain any provision on the age of consent, the 16-year minimum threshold set by the GDPR becomes the rule. There is some debate on whether the minimum age should be 15.
The draft law has already been commented on by the CNIL and the State Council. It was submitted by the government on 13 December under a so-called “accelerated procedure,” which limits the number of reviews by both chambers of parliament, with a view to meeting the May 25, 2018 deadline.
Even after its publication, as required by the law itself, a robust cleaning exercise will be required to make it fully compatible with GDPR.