Reed Smith Friday, May 14, 2010
Alert 10-106

French language version

 

Mobile and Print-friendly version
alert-concep_GRE-words.gif

Toward Reinforcement of the Applicable Legislation on Data Protection in France: The New Bill On Privacy

 

Introduction

 

A bill "intended to better guarantee the right to privacy in the digital age"1 was adopted by a large majority of the French Senate March 23, ,2010, and immediately transmitted to the French National Assembly for review. 

 

The first objective of the bill is aimed at educating students about the use and exposure of personal information on the Internet, notably through social media.  The bill is principally aimed at significantly reinforcing the obligations of data processors, and with increasing the powers of the French data protection agency, the CNIL. 

 

The projected changes are the following:

 

Extension of the notion of personal data to digital identity (ID)

 

Personal data is defined by law as, "any data concerning an identified physical person or a person who can be identified, directly or indirectly, by reference to an identification number or one or more elements specific to him or her."
 
Among these elements, one can generally find: name, social security number, address, telephone number, etc.

 

The bill expressly integrates into these elements "any number identifying the holder with access to online communication services with the public," i.e., the electronic ID.

 

The intent of this bill is therefore to explicitly make the law of 1978 cover all Internet exchanges. 

 

The appointment of a data protection officer (DPO), for the moment only encouraged, could become mandatory in certain cases

 

The bill provides that where prior authorization of the CNIL is required, principally for the processing of sensitive data (such as medical data, data in which racial origin, political, philosophical or religious opinions, membership in political associations or movements, criminal convictions, etc., appears directly or indirectly) and/or for the interconnection of different files, the data processor must appoint a data protection officer (DPO – 'Correspondant Informatique et Libertés'—CIL) to supervise carrying out the concerned processing.
 
Under the bill, designation of a DPO is mandatory, however, when more than 100 people are processing personal data. One issue that is not clear from the bill is whether persons working in affiliated companies outside of France will count as part of the 100.

 

Under the bill, the DPO will be obligated to immediately inform the CNIL of any non-compliance with the French Data Protection Act.  This mechanism, therefore, makes data processors liable if they do not immediately signal any non-compliance, as failure to notify is in itself punishable. 

 

The information of persons whose personal data is used is reinforced by the bill 

 

Data processors will also be obliged to inform any person whose personal data is processed, beginning with employees, clients, suppliers, etc., of the existence of this processing, the purpose of such processing, the identity of the data processor, the length of time the data will be held, potential access by other persons to the data, and their remedies against such processing. 

  • The data processor must immediately, and prior to the processing, inform the person concerned that his or her personal data is going to be processed
  • These procedures must for the most part be carried out electronically
  • The data processor must also permanently put on its website information that would allow persons whose personal data is processed to exercise their rights

The CNIL's power of review and sanction would be expanded

 

Under the bill, the CNIL's enforcement powers will be increased as follows:

  • The CNIL will be granted the power to make unannounced visits to data processors (with prior authorization from the judge ('Juge des Libertés et de la Détention')
     
  • Fines will be doubled, increasing from €150,000 to 300,000 for a first infringement and from €300,000 to 600,000 for a repeated infringement3

Outlook

 

The bill is currently under review, not subject to any specific timeline or priority, by the Law Commission of the French National Assembly, whose vote will prevail.  It was reviewed and voted by the Senate in less than two months, and one of its principle architects was the current president of the CNIL, Senator Alex Türk.

 

The bill is not supported by the French government or by President Sarkozy.  It is unlikely to be passed in its current form given that the National Assembly has the reputation of being closer to the business world.

 

Nevertheless, the existence of the bill demonstrates the importance attached to the protection of personal data by the French lawmaker, who has already strengthened the applicable French regulation resulting from the transposition of the EU Directive 95/46/CE on data protection.

 

Our team for data protection is at your disposal to discuss the obligations of your company in France concerning the processing and transfer of personal data.

 

__________

  1. 'Proposition de loi visant à mieux garantir le droit à la vie privée à l'heure du numérique'
  2. Article 2 of the French Data Protection Act of January 6, 1978
  3. Article 47 of the revised French Data Protection Act of January 6, 1978 

Cynthia O'Donoghue

Partner, London
+44 (0)20 3116 3494

Daniel Kadar

Associate, Paris
+33 (0)176 70 4025











 
ReedSmith
About Reed Smith
Reed Smith is a global relationship law firm with nearly 1,600 lawyers in 22 offices throughout the United States, Europe, Asia and the Middle East. Founded in 1877, the firm represents leading international businesses, from Fortune 100 corporations to mid-market and emerging enterprises. Its lawyers provide litigation and other dispute resolution services in multi-jurisdictional and other high-stakes matters; deliver regulatory counsel; and execute the full range of strategic domestic and cross-border transactions. Reed Smith is a preeminent advisor to industries including financial services, life sciences, health care, advertising, technology and media, shipping, energy trade and commodities, real estate, manufacturing, and education. For more information, visit reedsmith.com.

Europe: London, Paris, Munich, Greece

Middle East: Abu Dhabi, Dubai

Asia: Hong Kong, Beijing

United States: New York, Chicago, Washington, Los Angeles, San Francisco, Philadelphia, Pittsburgh, Oakland, Princeton, Northern Virginia, Wilmington, Silicon Valley, Century City, Richmond

The information contained in this Client Alert is intended to be a general guide only and not to be comprehensive, nor to provide legal advice. You should not rely on the information contained in this Alert as if it were legal or other professional advice.

Reed Smith LLP is a limited liability partnership registered in England and Wales with registered number OC303620 and its registered office at The Broadgate Tower, 20 Primrose Street, London EC2A 2RS. Reed Smith LLP is regulated by the Solicitors Regulation Authority. Any reference to the term 'partner' in connection to Reed Smith LLP is a reference to a member of it or an employee of equivalent status.

This Client Alert was compiled up to and including May 2010.

Business from offices in the United States and Germany is carried on by Reed Smith LLP, a limited liability partnership formed in the state of Delaware; from the other offices, by Reed Smith LLP of England; but in Hong Kong, the business is carried on by Richards Butler in association with Reed Smith LLP (of Delaware, USA). A list of all Partners and employed attorneys as well as their court admissions can be inspected at the firm's website.



To opt-out from future communications, click here.