Alain Bensoussan

The European Union is planning to overhaul its data protection regime, notably because of rapid technological developments (social networking sites, blogs, cloud computing, geo-location devices, biometric devices, RFID applications, video surveillance…) and globalization have brought new challenges for the protection of personal data. A French bill has decided to take up these challenges.

Know your rights & Be your own privacy watchdog!

The French data protection framework could be changed by a French bill to better protect the right to privacy in the digital age. The bill was proposed to the Senate on November 6, 2009, and filed for first reading in the National Assembly on March 24, 2010.

This proposed legislation is mainly based on an information report on “privacy in the age of digital memories” issued in May 2009, and which recommended, among other things to enable citizens to become the actors of their own protection. To meet the new challenges of the digital era, the report calls for an increased involvement of individuals in the protection of their own privacy.

How is that to be achieved? The report suggested to educate and raise citizen awareness of their right to privacy and privacy threats from an early age, and to update the Data Protection Act of January 6, 1978 to provide stronger guarantees. 

The bill thus amends the Data Protection Act to reflect the recommendations made in the report, as explained at the time by the then-current Digital Economy Secretary of State Nathalie Kosciusko-Morizet during the “Right to be forgotten” workshop in November 2009.

Boost privacy protections with a stronger Data Protection Act and a stronger CNIL

The bill proposes to enhance privacy by amending Articles 2 to 12 of the French Data Protection Act.

Firstly, the proposed changes would make the appointment of data protection officers (Correspondants informatique et libertés, also known as “CIL”) mandatory for public or private organizations where more than a hundred persons have direct access to, or process, personal data. 

The bill also requires data controllers to provide data subjects, before any processing of data, with specific, clear and easily accessible information on the data retention period and on the possibility to exercise their rights of suppression, access and rectification, electronically via the data controller’s website. 

Article 6 of the bill proposes to impose on the controllers who have websites to create on such websites a specific, clear, easily accessible and permanent section that would contain the mandatory data protection information listed in Article 32 of the Data Protection Act, such as the identity of the controller, the purposes of the processing, the recipients of the data… 

The information of data subjects will be further strengthened by the obligation of the data controllers to provide data subjects with information on the origin of data related to them upon their request (Article 9 of the bill). 

In addition, the bill would add a security breach disclosure requirement. Its Article 7 establishes the obligation for data controller to notify data security breaches to the French data protection authority (“CNIL”).

Another key measure in the bill is to give greater powers to the CNIL. Specifically, the monetary penalties currently capped at €150,000 (or €300,000 in case of second infringement within 5 years, subject that it does not exceed 5% of the turnover, without VAT, of the last FY) would be doubled to reach €300,000 (or €600,000 for repeated infringements). 

If passed, the bill would come into force six months after its publication, in order to give companies and government authorities enough time to comply (Article 14 of the Bill).

Finally, it is worth noting that special emphasis has been placed on the right to be forgotten (droit à l’oubli). Several measures are indeed designed to give greater efficiency to the right to be forgotten, such as the information on the data retention period to be given to individuals not only before any processing of their data but also on the website of the data controller in a permanent and readily available page, and the possibility to obtain from the CNIL information on how long the data, related to the processing notification are stored.