France adopts Law for a Digital Republic: key data provisions are a jump-start on the GDPR

Data Protection, Privacy and Security Alert


France’s Law for a Digital Republic, under discussion for more than a year, has at last been published.

Some key provisions of the law, published in early October, are immediately effective and anticipate the GDPR’s effective date of May 25, 2018: increased maximum administrative fines; expanded notice obligations for data controllers; and a specific Right To Be Forgotten for minors.

Other provisions, including the creation of a right to direct the use of one’s data after death, will not be fully effective until the adoption of implementing decrees. A new right of data portability for consumers, similar to the right under the GDPR, will take effect May 25, 2018.

Maximum administrative fine raised from €150,000 to €3 million; CNIL enforcement authority reinforced

Under the Law for a Digital Republic, and effective immediately, the French data protection authority, the CNIL, can order administrative fines of up to €3 million. Previously, the maximum fine was €150,000, or €300,000 for a repeat violation. When determining the amount of the fine, the CNIL must take into account several factors, which largely echo those set forth in the GDPR.

In cases of extreme urgency, the CNIL is now also entitled to issue a cease-and-desist requiring compliance within 24 hours. When the infringing party does not comply, the CNIL may issue a warning, a fine or an injunction. When it is not possible in fact for the infringing party to comply with the law, the CNIL can order a fine without first issuing a cease-and-desist (but due process must still be followed).

The CNIL will also be able to conduct inspections on behalf of comparable authorities in non-EU countries that offer an adequate level of protection to personal data. The CNIL must enter into an agreement describing the relations between the authorities.

Expanded notice requirements

Effective immediately, notices to data subjects must specify the period during which personal data will be retained; where this is impossible, the criteria for determining the retention period must be specified.

Notices must also mention the data subject’s right to issue directives for the disposition of personal data after death (see details below on this new right).

“Right to Be Forgotten” for minors

In a nod to Recital 65 of the GDPR, the Law provides that persons who were minors at the time their personal data was collected in connection with information society services are entitled to have their personal data erased promptly by the data controller. If the controller shared the data with another controller, then the first controller must take reasonable measures (including technical measures) to inform the third party that the data subject has demanded the erasure of all links to the data, or any copy or replication of the data. If the data is not erased or the controller does not respond within one month, the data subject may petition the CNIL, which has three weeks to issue its decision. The data controller’s obligation to erase personal data is subject to five exceptions, similar to those set forth in the GDPR.

Post mortem rights to control one’s data

The Law creates a new right: each data subject may issue directives relating to the disposition of his or her personal data after death. Those directives may be general or specific or both; general directives can be stored with a third party certified by the CNIL and the CNIL will keep a record of those directives (the publication of the implementing decree relating to the CNIL record is expected in March 2017). Specific directives are stored with the relevant data controller.

The data subject can designate a person to exercise the rights after the data subject’s death.

Except where the directives specifically state otherwise, heirs are entitled to exercise the decedent’s rights for purposes enumerated in the Law, including to ensure that controllers take into account the data subject’s death, close the decedent’s user accounts and stop processing the decedent’s personal data.

Online communication service providers must inform users what is done with their personal data upon death, and must allow users to decide whether their personal data should be transferred upon death.

Other measures of immediate application

The Law amends the first article of the French data protection law to state that “Every person has the right to decide and control the use of personal data concerning him or her, in accordance with the terms of this law.” This amendment was inspired by the constitutional court of Germany. This principle will be implemented in practice by several measures, including the post mortem rights and data portability rights described in this alert, as well as heightened confidentiality for private electronic correspondence (see our alert on how the Law for a Digital Republic will affect online platforms, telecoms and online communication providers).

Where a data controller has collected personal data electronically, data subjects must be allowed to exercise their rights electronically, where possible.

And for May 25, 2018… Data portability enshrined in the French Consumer Code

As from May 25, 2018, consumers will have a right of data portability for all their data. Personal data portability will be determined by the GDPR, and portability of all other data will be determined by the French Consumer Code. Given the CNIL’s expansive interpretation of the definition of personal data, and the vagueness of the new Consumer Code provisions, this new right could prove difficult to apply in practice.

Under this new right of consumer data portability, providers of online communication services to the public will be required to offer consumers a free service to recover (i) all files uploaded by the consumer, (ii) all data that result from the use of the consumer’s user account and that can be consulted by the consumer (except data that has been significantly enriched by the provider); and (iii) other data associated with the consumer’s user account (a) that simplifies a change of provider, or access to other services, or (b) where identification of the data takes into account the value of the services, competition between providers, usefulness for the consumer, and the frequency and economic impact of the use of the services.

These provisions will not apply to providers with active user accounts below a certain threshold, which will be determined by decree. A decree will also set forth a list of types of data enrichment that will be presumed insignificant and that consequently will not justify a refusal to “port” data.

Find out more about the implications of the Law for a Digital Republic by contacting either of the authors.