The bill on the protection of personal data


Le projet de loi relatif à la protection des données personnellesThe adoption of the “European data protection package” on 27 April 2016 launched a movement within the Member States to reform national legislation on personal data. The implementation of the General Data Protection Regulation 2016/679 ( (“GDPR”) particularly marks significant progress in this area. It is from the perspective of the application of this regulation that the French government made public on December 13, 2017 the “bill on the protection of personal data” adapting the Data Protection Act to the GDPR (

This draft law highlights the desire, contained in the European regulation, to increase the influence of the national supervisory authorities responsible for personal data. To this end, numerous changes relating to the powers and organization of the CNIL ( are planned.  We note the strengthening of its role, especially through the extension of its powers in soft law and sanctions. Some changes also concern its investigative powers and cooperation with other EU supervisory authorities. In this sense, it is noted that the CNIL will henceforth be able to attach to its conclusions a reference for a preliminary ruling to the Court of Justice of the European Union for an assessment of the validity of the European Commission’s adequacy decision and of all the acts taken by the European Commission authorizing or approving the appropriate assurances in the context of data transfers. In addition, its scope of action has been broadened through its ability to ask the State Council 🙁 to order the suspension or termination of the data transfer concerned, if applicable under penalty.

In addition, the draft law establishes a specific procedure for the processing of health data. While this category of processing includes medical research and evaluation of care, it excludes, when they fall under the provisions on sensitive data, processes “necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services“. Also, in accordance with the GDPR, the bill establishes a fundamental prohibition on the processing of so-called “sensitive” data, genetic and biometric data for the purpose of uniquely identifying a natural person. However, it goes further than Article 9.2 of the GDPR by providing for the possibility for the administration and employers to use biometric data for access control purposes to workplaces, devices and applications. In addition, the bill limits the use of data relating to criminal convictions, offences or related security measures to only certain categories of persons. An exception is, however, provided where such data are used for the purpose of taking legal action as a victim, defendant or on their behalf and enforcing the judgment given. Finally, it has been provided, in procedural matters, that the persons concerned may be represented individually by any organization or association authorized to take group actions in the context of complaints or actions against the CNIL.

Although the bill is in line with the GDPR, there are some discrepancies between the two texts. Indeed, while the GDPR abolishes prior formalities with the supervisory authorities, subject to a few exceptions, the bill keeps them with the CNIL for health data in certain areas. In addition, it also maintains a high level of authorization for processing on behalf of the State, including the use of biometric or genetic data for identification and identity control purposes. Processing requiring the use of the social security number (NIR) will also be authorized within the framework of a decree in the State Council, taken after a reasoned opinion and published by the CNIL which will determine the categories of data controllers and the purposes of these processing operations. The use of NIRs will also be authorized for derogatory purposes for national statistics, electronic relations with the French administration and scientific research. Therefore, the bill is more inflexible in this regard.

It is regrettable that the draft law does not specify the appointment of a Data Protection Officer (“DPO”) or the age of consent required of minors, aspects for which the Member States had a certain amount of leeway.

In conclusion, in the light of these discrepancies, it is certain that, even after the adoption of the law, certain amendments are still necessary to make the French law all the more compatible with the GDPR. However, the impact of these divergences will have to be measured insofar as the European regulation remains directly applicable.