Part 3: French Digital Republic Law – right to privacy

59Following the French Digital Republic Law of October 7, 2016, Dreyfus presents a trilogy of articles on three essential features of the law.

The Digital Republic Law is centered around its’ title II called “Protection of rights in the society”. Within this Title II is the Second Chapter,  entirely dedicated to “Protection of personal privacy online”, including “Protection of personal data”.

The specific feature of the chapter

This chapter is particularly relevant in that it ensures a smooth transition to the new Regulation (EU) No. 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data (“GDPR”). Although the GDPR entered into force on April 27, 2016, its provisions will apply only as of May 25, 2018 in order to give companies enough time to comply with the new rules.

These new rules entail profound changes that the French legislator wished to anticipate in order to guide and the stakeholders and ensure compliance when processing personal data.

Power given to the data subjects

Both the Digital Republic Law and the GDPR focus on the person whose personal data will be processed (hereinafter called the “data subject”).

Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person”. However, an identifiable person refers to “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity”. Therefore, data is personal when it allows the identification of a natural person. This data does not have to identify the data subject directly, as it shall be sufficient to identify them with data roll-up.

However, concerning personal data, the Digital Republic Law amended Article 1 of Act No. 78-17 of January 6, 1978 on Information Technology, Data Files and Civil Liberties by adding a second very important paragraph: “Any person has the right to decide and to control the use of his or her personal data, pursuant to the conditions set out in this law.”

A self-determination right is thus conferred on the data subject.

Control of Post-mortem data

The Digital Republic Law also incorporates the right for data subjects to control their post-mortem data by amending the Act of January 6, 1798, and Article 40-1, with the aim to empower them to exercise their right over their personal data. The law thus creates a system of directives on storage, deletion and communication of the data subject’s personal data.

These directives may be amended or revoked at any time by the data subject. The directives define the manner in which the person intends to exercise his various rights following his or her death.

There are two types of directives:

  • General directives: they concern all personal data relating to the data subject. They may be registered with a trusted third party certified by the National Commission on Informatics and Liberty (CNIL). The CNIL will be responsible for managing a single registry where the references to the general directives and the registered and trusted third party will be recorded.
  • Specific directives: they concern the processing of personal data mentioned in these directives. They shall be registered with the relevant data controllers and shall be subject to specific consent of the data subject. Thus, the mere approval of the general terms and conditions of use (GTC) does not allow the definition of these specific directives.

The directives may designate a person who, upon the death of the data holder concerned, will be responsible for executing directives and requesting their implementation from the data controllers. In the absence of the designated person and unless otherwise instructed, the heirs of the deceased shall take note of the instructions and request their execution.

Providers of a public online communication service are responsible for informing users about what is done with their personal data upon their death and must allow  them to choose whether or not to communicate their data to a third party they designate. Additional information on this issue should be included in the GTC specifically, but also in the data protection policy.

The rights granted to a person to decide what should be done with their post mortem data cannot be limited. Thus, a clause in the GTCs regarding the processing of personal data limiting these prerogatives is considered null and void.

Strengthening information available to users

Article 32 of the French Data Protection Law already required certain informations to be communicated to data subjects by whose data is being processed. Thus, the data collection forms had to mention the identity of the data controller, the purpose of the data processing, the mandatory or optional character of the data, the recipients of the data, and so on. The Digital Republic Law includes an eighth point on the storage period in terms of the categories of data processed or, if not possible, the criteria used to determine this duration.

Thus, any data collection form, data protection policy and any general terms and conditions of use shall henceforth indicate the data storage period.

Expansion of the CNIL’s powers

The main point addressed by the French Digital Republic Law is perhaps the expansion of the CNIL’s powers, specifically thanks to the amendment of Article 45 of the Act dated January 6, 1978 with respect to sanctions that can be imposed by the CNIL.

Henceforth, when a data controller fails to comply with his obligations, the CNIL’s chair shall be entitled to issue a formal notice to put an end to any identified infringement within a time limit set by him. In case of extreme emergency, this delay may be reduced to twenty-four hours. Previously, the timeframe was five days. If infringement does not cease, the CNIL Restricted Committee may then issue, following an adversarial hearing (procédure contradictoire), a warning, a penalty (except where the processing is made by the State), an injunction to cease the processing or a withdrawal of the authorisation issued pursuant to Article 25 of the Law of January 6, 1978.

Monetary penalties are a novelty because prior to the French Digital Republic Law, monetary penalties were set only in cases of violation of a formal notice. This penalty may not exceed three million euros.

 Article 83 of the RGPD provides for penalties, proportional to the breaches :

 – up to EUR 10,000,000 or, in the case of a company, up to 2% of the total annual worldwide turnover for the previous financial year, whichever is the greater;

– or up to EUR 20 000 000 or, in the case of a company, up to 4% of the total annual worldwide turnover for the previous financial year, whichever is the greater.

Since the European regulation is of direct application, these amounts should be applied by the CNIL as of May 25, 2018.

Such measures may also be taken by the Restricted Committee, without prior formal notice and following an adversarial hearing (procédure contradictoire), where the identified infringement cannot be brought into conformity in the context of a formal notice.

Where there has been a violation of rights and freedoms of the data subject following execution of the processed data, the Restricted Committee may also, when the matter is brought before it by the chairman of the CNIL andin the context of emergency proceedings defined by a decree of the Conseil d’Etat and following an adversarial hearing (procédure contradictoire):

– decide to suspend processing, for a maximum period of three months,

– issue a warning,

– decide to lock certain processed personal data, for a maximum period of three months,

– or, for certain processing, inform the Prime Minister so that he may take action toward putting an end to the infringement identified.

In the event of a serious and immediate violation of human rights and freedom of the data subject,  the CNIL chair may request a court of law to order, by way of summary proceedings, any measure necessary to safeguard these rights and freedoms.

The Restricted Committee should take into account :

  • the intentional or negligent nature of the breach,
  • measures taken by the data controller to mitigate the damage suffered by the data subjects,
  • the level of cooperation with the CNIL in order to remedy the breach and to mitigate its possible negative effects,
  • categories of personal data,
  • and finally the way in which the breach was communicated to the Committee.

The Restricted Committee may make public the sanctions issued. It may also order sanctioned parties to inform the data subjects of this sanction individually, at their expense.

The Restricted Committee may also order the publication of sanctions in  newspapers and other media, at the sanctioned person’s expense.

Certain developments and clarifications on this law will be specified in the decrees. To be continued…

Please see our two other articles on the Digital Republic Law:

  • Part 1: French Digital Republic Law – online platforms
  • Part 2: French Digital Republic Law – data recovery