Data Protection in France

Data protection laws in France

At a glance

  • The General Data Protection Regulation (GDPR) is applicable to France.
  • France updated its data protection laws in alignment with the GDPR through various legislative measures and decrees.
  • Amendments to French data protection laws in 2021 and 2022 introduced exceptions, simplified sanction procedures, and increased flexibility.
  • French data protection laws apply when the controller/processor is established in France or when data subjects reside in France, without incorporating the “targeting criterion” from the GDPR.

EU regulation

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR” or “Regulation”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A 'Regulation' (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. This is the “establishment criterion”. An 'establishment' may take a wide variety of forms and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related "to the offering of goods or services" (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or "the monitoring of their behavior" (Article 3(2)(b)) as far as their behavior takes place within the EU. This is the “targeting criterion”.


France regulation

France updated Law No. 78-17 of January 6, 1978 on information technology, data files and civil liberties (the “Law”) to align it with the GDPR through the enactment of (i) Law No. 2018-493 of June 20, 2018 on the protection of personal data, and (ii) Order No. 2018-1125 of December 12, 2018, adopted pursuant to Article 32 of Law No. 2018-493, which updates the Law and other French laws relating to personal data protection in order to “simplify the implementation and make the necessary formal corrections to ensure consistency with EU data protection law”. France's domestic data protection legislation was further completed with the adoption of Decree No. 2019-536 of May 29, 2019, adopted for the application of the Law (the “Decree”). The Decree clarifies procedural rules of the French data protection authority, including its control and sanctions, and further specifies data subject rights.

The Law and the Decree have been updated:

  • In 2021, (i) Law No. 2021-988 of July 30, 2021, on the prevention of acts of terrorism and intelligence, amended articles 48 and 49 of the Law to create exceptions to the rights of individuals when processing is justified by national security and (ii) Law No. 2021-1017 of August 2, 2021, relating to bioethics, modified article 75 of the Law relating to processing in the health field;
  • In 2022, (i) Law No. 2022-52 of January 24, 2022, on criminal liability and homeland security, amended articles 10, 20 and 125 of the Law and created article 22-1 to introduce the simplified sanction procedure of the French data protection authority and (ii) Decree No. 2022-517 of April 8, 2022, amended the Decree to define the modalities of this simplified sanction procedure as introduced by Law No. 2022-52 of January 24, 2022. The objective of these new texts is to introduce more flexibility in the use of formal notices or sanctions; and
  • In 2024, Law No. 2024-449 of May 21, 2024, aiming to secure and regulate the digital space, (i) extends the territorial scope of the Law, (ii) extends the powers and missions of the French supervisory authority, mainly in light of the new EU Digital Decade Regulation and (iii) introduces new obligations upon organizations processing personal data (e.g. in relation to the implementation of age verification systems or the hosting of health data).

Territorial Scope

Initially, Article 3 of the Law provided that it applied only when (i) the data controller or data processor is established in France (whether the processing takes place in France or not) or (ii) the data subjects reside in France (for the possible legal variations permitted from time to time by the GDPR). Further to Law No. 2024-449 of May 21, 2024, the territorial scope of the Law has been extended and it now also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to the monitoring of their behaviour within the EU, in particular through the collection of their personal data with a view to reconciling it with data relating to their online activity.
