DLA Piper Intelligence

Data Protection
Laws of the World

Law

France
France

Law No. 78 17 of 6 January 1978 on ‘Information Technology, Data Files and Civil Liberty’ ('Law') is the principal law regulating data protection in France.

The EU Data Protection Directive 95/46/EC was implemented via Law No. 2004-801 of 6 August 2004 which amended the Law.

Enforcement of the Law is principally through the ‘Commission Nationale de l'Informatique et des Libertés’ (CNIL).

Last modified 26 Jan 2017
Law
France

Law No. 78 17 of 6 January 1978 on ‘Information Technology, Data Files and Civil Liberty’ ('Law') is the principal law regulating data protection in France.

The EU Data Protection Directive 95/46/EC was implemented via Law No. 2004-801 of 6 August 2004 which amended the Law.

Enforcement of the Law is principally through the ‘Commission Nationale de l'Informatique et des Libertés’ (CNIL).

Last modified 26 Jan 2017
Definitions

Definition of personal data

Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him or her such as a name, registration number or telephone number.

Definition of sensitive personal data

Personal data that reveals directly or indirectly, racial and ethnic origins, political, philosophical or religious opinions or trade union affiliation of persons, or that concerns their health or sexual life.

Last modified 26 Jan 2017
Authority

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 place de Fontenoy
TSA 80175
75334 Paris Cedex 07

T 01 53 73 22 22
F 01 53 73 22 00

https://www.cnil.fr/en/home

The CNIL is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardise human identity or breach human rights, privacy or individual or public liberties.

Last modified 26 Jan 2017
Registration

Except for certain data processing that is subject to exemption, authorisation, ministerial order or decree issued by the Supreme Administrative Court (Conseil d’Etat), the processing of personal data requires a prior declaration to the CNIL.

The prior declaration to the CNIL shall specify, amongst other things:

  • the purpose(s) of the processing
  • the identity and the address of the data controller (i.e. the natural or legal person who determines the purpose and the means of the personal data processing and implements such decisions itself or appoints a data processor to implement them)
  • the interconnections between databases
  • the types of personal data processed and the categories of persons concerned by the processing
  • the recipients of the processed data
  • the time period for which the data will be kept
  • the department or person(s) in charge of implementing the data processing
  • the recipients or categories of recipients of the personal data
  • the measures taken in order to ensure the security of the processing, and
  • the existence of a data transfer to a country outside of the EU regarded by the CNIL as not providing an adequate level of protection.

The CNIL may also exempt certain processing from prior declaration, in view of their purposes, addressees, the nature of the processed data, the length of its retention or the concerned persons. Other processing may require only a simplified prior declaration.

Last modified 26 Jan 2017
Data Protection Officers

There is no legal requirement for organisations to appoint a data protection officer (DPO, known as a Correspondant Informatique et Libertés or "CIL" in France).

However, an organisation is exempt from making prior declarations to the CNIL if the organisation has appointed a DPO.

The appointment of a DPO does not exempt an organisation from requesting prior authorisation, where necessary (e.g. for the transfer of data to a country that does not provide an adequate level of protection to personal data).

The DPO is in charge of verifying the compliance of data processing with the Law. The DPO communicates, to any person who requests, information on the processing such as its purposes, interconnections, the types of data and the categories of concerned persons, the length of data retention and the department in charge of implementing the processing.

Last modified 26 Jan 2017
Collection & Processing

Any personal data must be processed in a manner consistent with the following general principles:

  • all personal data is processed fairly and lawfully
  • all personal data is collected for specific, explicit and legitimate purposes and is subsequently processed in accordance with these purposes
  • all personal data collected is adequate, relevant, and non-excessive in view of the purposes for which it is collected
  • all personal data is accurate, comprehensive and, when necessary, kept up to date, and
  • all personal data is retained for no longer than is necessary for the purposes for which it is processed.

The processing of personal data shall have received the individual’s consent or shall fulfil one of the following conditions:

  • compliance with a legal obligation incumbent on the data controller
  • the purpose of the processing is to protect the individual’s life
  • the purpose of the processing is to carry out a public service
  • processing relates to the performance of a contract to which the concerned individual is a party, or pre-contractual measures requested by that individual, or
  • processing relates to the realisation of the legitimate interest of the data controller or of the data recipient, subject to the interest and fundamental rights and liberties of the concerned individual.

Where sensitive personal data is processed, a different list of specific conditions applies.

Whichever of the above conditions is relied upon, the person from whom the personal data is collected must be informed of:

  • the identity of the data controller and, as the case may be, its representative
  • the purposes of the data processing
  • the recipients or categories of recipients of the data
  • whether it is required to provide personal data, and the consequences of not providing data
  • the right to object, for a legitimate purpose, to the collection of such data, a right to access the collected data and a right to have the processed data rectified, completed, blocked or deleted

  • the right to issue directives relating to the disposition of the collected data after death

  • where data is to be transferred outside the EU, specific details on what, where and why the data is transferred and under which level of protection, and

  • the period during which personal data will be retained; where this is impossible, the criteria for determining the retention period must be specified.

Last modified 26 Jan 2017
Transfer

Transfer of a data subject’s personal data to a non EU/European Economic Area (EEA) country is allowed if the country guarantees to individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties. The sufficient nature of the protection is assessed taking into account national laws, applicable security measures, specific characteristics of the processing such as its purpose and duration, as well as the nature, origin and destination of the processed data.

For data transfers to the United States, companies that adhere to the Privacy Shield principles are deemed to offer adequate protection.

Data controllers may transfer personal data out of the EEA to countries that are not deemed to offer adequate protection if the transfer is necessary:

  • for the protection of the individual’s life
     
  • for the protection of the public interest
     
  • to comply with obligations allowing the acknowledgement, the exercise or the defence of a legal right
     
  • for consultation of a public register intended for the public’s information
     
  • for the performance of a contract between the data controller and the individual, or pre contractual measures undertaken at the individual’s request, or
     
  • for the conclusion or the performance of a contract in the interest of the individual, between the data controller and a third party.

The CNIL may allow transfers if the above conditions are not fulfilled provided there is an adequate level of protection by reason of contractual provisions e.g. by standard contractual clauses (Model Clauses) approved by the European Commission, or internal rules (Binding Corporate Rules) applicable to data exporter and data importer.

Last modified 26 Jan 2017
Security

The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and, amongst other things, prevent alteration, corruption or access by unauthorised third parties.

A data processor may only process personal data on behalf of and upon instructions given by the data controller. The data processor must provide sufficient guarantees in terms of security and confidentiality, but even if this is the case, the data controller remains liable for compliance with these obligations.

Last modified 26 Jan 2017
Breach Notification

The Law does not set out any general obligation to notify the CNIL or the data subject in the event of a data security breach.

However, electronic communication services providers must notify the CNIL without delay in the event of a data security breach during the provision of electronic communications services via publicly available electronic communications networks. The breach must also be notified without delay to subscribers if it may violate their personal data or privacy, except if the CNIL has already established that appropriate protection measures have been implemented by the provider in relation to the data implicated by the breach.

Electronic communication services providers must keep an up to date inventory of all breaches of personal data.

Last modified 26 Jan 2017
Enforcement

The CNIL has the power to proceed with verifications of any data processing, and, as the case may be, to request a copy of every document that it considers useful in view of its mission. Since March 2014, CNIL agents are authorised to perform online inspections and issue compliance orders to companies that are in violation of the Law. The data controller is only informed of the investigation once it has been conducted. In addition, agents of the French Competition Authority are authorized, within the scope of their investigation, to report violations of the Law to the CNIL. 

The CNIL also has the power to pronounce different sanctions that vary in accordance with the severity of the violation committed by the data controller:

  • warnings and notices to comply with the obligations defined in the Law, and
  • if the data controller does not comply with the notice, the CNIL has the power to order a financial sanction proportional to the gravity of the violation, up to EUR 3M. When determining the amount of a fine, the CNIL must take into account several factors, which largely echo those set forth in the General Data Protection Regulation.

Since October 2016, in cases of extreme urgency the CNIL is also entitled to issue a cease and desist notice to comply within 24 hours. When the infringing party does not comply, the CNIL may issue a warning, a fine or an injunction. When it is not possible in fact for the infringing party to comply with the law, the CNIL can order a fine without first issuing a cease and desist notice (but due process must still be followed).

The CNIL will also be able to conduct inspections on behalf of comparable authorities in non-EU countries that offer an adequate level of protection to personal data. The CNIL must first enter into an agreement describing the relationship between the authorities.

In accordance with Articles 226-16 to 226-24 of the French Criminal Code, various violations of the Law may constitute a misdemeanour. For example, the violation, even by negligence, of the prior declaration requirements (see Registration above) is punishable by up to 5 years’ imprisonment, and/or a fine of up to EUR 300,000 (for natural persons), or a fine up to EUR 1.5M and/or other sanctions (for legal persons).

Last modified 26 Jan 2017
Electronic Marketing

The Act does not contain explicit provisions with respect to electronic marketing. However, Article L. 34-5 of the French Postal and Electronic Communications Code regulates electronic marketing in France. The CNIL has issued guidelines on the basis of this provision.

The CNIL distinguishes between B2B and B2C relationships.

In any event, all electronic marketing messages must specify the name of the advertiser and allow the recipient to object to the receipt of similar messages in the future.

Electronic marketing to consumers (B2C)

Electronic marketing activities are authorised provided that the recipient has given consent at the time of collection of his/her email address.

This principle does not apply when:

  • the concerned individual is already a customer of the company and if the marketing messages sent pertain to products or services similar to those already provided by the company, and
     
  • the marketing messages are not commercial in nature.

In any event the concerned individual, at the time of collection of his/her email address, must:

  • be informed that it will be used for electronic marketing activities, and
     
  • be able to easily and freely object to such use.

Electronic marketing to professionals (B2B)

Electronic marketing activities are authorised provided that the recipient has been, at the time of collection of his/her email address:

  • informed that it will be used for electronic marketing activities, and
     
  • able to easily and freely object to such use.

The message sent must relate to the concerned individual’s professional activity.

Please note that email addresses such as contact@companyname.fr are not subject to the requirements of prior consent and the right to object.

Last modified 26 Jan 2017
Online Privacy

Cookies

The EU Cookie Directive has been implemented in the Law. It states that any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of:

  • the purpose of any cookie (i.e. any means of accessing or storing information on the subscriber’s/user’s device, eg when visiting a website, reading an email, installing or using software or an app), and
  • the means of refusing cookies,

unless the subscriber/user has already been so informed.

Cookies are lawfully deployed only if the subscriber/user has expressly consented after having received such information. Valid consent can be expressed via browser settings if the user can choose the cookies he/she accepts and for which purpose.

However, the foregoing provisions do not apply:

  • to cookies the sole purpose of which is to allow or facilitate electronic communication by a user, or
  • if the cookie is strictly necessary to provide on line communication services specifically requested by the user.

In December 2013 the CNIL issued updated recommendations for cookies that are more flexible than the CNIL's prior position. The CNIL considers that certain cookies are not covered by the Law (e.g. cookies used to constitute a ‘basket’ on a e-commerce platform, session ID cookies authentication cookies and certain analytics cookies).

Regarding consent, the CNIL has specified that consent must be:

  • freely given (i.e. in circumstances where the user has a choice to refuse consent)
  • specific (i.e. relate to a specific cookie associated with a clearly defined purpose), and
  • informed (i.e. the user must be given information beforehand, specifying the cookie’s purpose as well as the possibility to revoke consent).

The CNIL regards the following consent collection mechanisms as compliant:

  • a banner on the first webpage visited (of a particular site), which can specify eg that continuing to visit the site constitutes consent to set cookies
  • a consent request zone overprinting on the site’s homepage
  • boxes to tick when registering for an online service, and

  • buttons that activate functionalities of services that set cookies (such as plugins on social networks).

The CNIL considers that the obligation of obtaining the user's prior consent is incumbent on website publishers, mobile application publishers, advertisers ("régies publicitaires"), social networks, analytics services providers, etc., which must all comply with the Law, whether they deploy or read cookies on their own or a third party website or application.

Since October 2014, the CNIL has started to verify compliance with its recommendations on cookies and tracking technologies through on‑site and online inspections, which resulted in a number of formal notices to comply with the Law.

Location and Traffic Data

The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic communication service providers (CSPs).

All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained, for example:

  • for the purpose of finding, observing and prosecuting criminal offences
  • for the purpose of billing and payment of electronic communications services, or
  • for the CSP’s marketing of its own communication services, provided the user has given consent thereto.

Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services), location data may be used in very limited circumstances, for example:

  • during the communication, for the proper routing of such communication, and
  • where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended.  Consent can be revoked free of charge at any time.
Last modified 26 Jan 2017
Contacts
Carol A.F. Umhoefer
Carol A.F. Umhoefer
Partner
T +1 (212) 335 4965
Last modified 26 Jan 2017