As a member of the European Union (EU), France is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has its own interpretation of the GDPR to facilitate the law's implementation as per French needs. That is where the Data Protection Act comes in.
Initially passed in 1978, the Act was heavily amended in 2018 to align it with the data protection mechanisms of the GDPR and to give all users, or data subjects, certain inalienable rights that every company or data handler must guarantee.
The Commission nationale de l'informatique et des libertés (CNIL) has been responsible for the implementation of this law as well as certain aspects of the GDPR across France, while also being the first point of contact for all data subject grievances against any data handler.
Both the GDPR and France's Data Protection Act apply to specific forms of data processing, and any data handler that carries out such processing must comply with both. It is also essential to know what falls within the jurisdiction of these laws in terms of territorial scope:
The French Data Protection Act covers both personal data and sensitive personal data. Unless an exception applies, such as a legal case, France's internal security, or a threat to human life, all data handlers, public and private, must adhere strictly to the requirements of this law.
As far as the territorial scope of the Data Protection Act is concerned, it applies to the following:
Under the provisions of the GDPR and France's own Data Protection Act, data handlers operating in France have certain obligations and responsibilities towards their users. The most important of these obligations include:
The French data protection law states that data handlers may only process users' personal data if they have a lawful basis recognised by the law for doing so.
Some of the exceptions mentioned in the law include the collection of data that is vital to a legal case, data necessary for French national security, medical diagnosis, information gathered by the National Institute of Statistics and Economic Studies (INSEE), and collection of data necessary for the protection of human life.
As per Section 2 Article 8(i) of the French Data Protection Act, "the collection and processing of personal data that reveal, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of persons, or which concern their health or sexual life, is prohibited."
Where the processing of any other form of data relies on consent, that consent must be explicit and unambiguous and must be obtained from the data subject separately for each purpose.
Before the 2018 amendment, most processing also had to be declared to the CNIL before it could begin, and the CNIL would acknowledge the data handler's conformity within two months of receiving the declaration. The 2018 amendment replaced this general prior-declaration regime with the GDPR's accountability obligations, although certain categories of processing, such as some processing of health data, still require the CNIL's prior authorisation.
As per the GDPR and France's own data protection law, all data handlers that process French residents' data must take appropriate technical and organisational measures to protect and secure that data. The GDPR does not prescribe a particular tool, but Article 32 names pseudonymisation and encryption as examples of appropriate measures, and encryption is widely regarded as one of the most effective safeguards.
In 2018, the CNIL published its "Security of Personal Data" guide, which sets out baseline measures that data handlers are expected to take, along with further recommendations and steps that businesses of any size can build into their data protection practices.
Under the GDPR, which the French Data Protection Act implements, a data handler must notify the regulatory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it.
Where the breach is likely to result in a high risk to data subjects, the data handler must also inform them without undue delay; the law sets no fixed number of hours for this second notification.
Moreover, data handlers can opt for a general public announcement or press release instead of informing each data subject individually if such an effort requires disproportionate resources.
As per the GDPR and France's data protection law, data handlers that meet the GDPR's criteria, namely public authorities and bodies, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of sensitive data, must appoint a Data Protection Officer (DPO) with the relevant credentials and qualifications. The CNIL advises all data handlers to appoint a DPO that meets the following criteria:
Resides in French jurisdiction
Has the legal qualifications for the role
The CNIL gives companies the leeway to have their own eligibility criteria to ensure the best person for the job is selected.
Both the GDPR and France's Data Protection Act require data handlers to carry out a data protection impact assessment before starting any processing that is likely to result in a high risk to data subjects.
The DPO is expected to advise on and monitor such assessments and to help devise the strategies, mechanisms, and guidelines that keep an organisation's practices compliant with the data protection laws. All data handlers must also keep an updated record of all such assessments to give a holistic view of their compliance practice over time.
The GDPR treats the EU (and the wider European Economic Area) as a single area: transfers of personal data from France to other member states are unrestricted. Transfers to countries outside that area are not allowed unless the following conditions are met:
Under both the GDPR and Data Protection Act, data subjects in France have certain guaranteed rights that a data handler must abide by. The most important of these rights are discussed below. Additionally, as per Article 40-1 of the Data Protection Act, all data subjects have the right to leave detailed instructions on what is to be done with their data in the event of their death.
Like most data protection laws, France's version gives data subjects the right to request access to whatever data has been collected on them.
However, this right of access can be denied if the data in question is subject to a legal case in which giving the data subject access could jeopardise the integrity of the data.
All subjects can request the data handler to update or amend the data if the data subject so desires. The data handler must ensure these changes at no extra cost to the data subject and without undue delay. If the data subject in question is deceased, their legally declared heir can make a similar request to the data handler. Lastly, if the data that needs to be updated has been shared with a third party, the data handler must ensure it is updated accordingly.
The data subject can request that the data handler delete all data it has collected on them. The data handler must fulfil this request without undue delay and inform the data subject of the request's status once it is done.
However, if the data in question is subject to legal proceedings or concerns national security matters for France, such requests can be rejected.
All data subjects have the right to request that the data handler restrict the processing of their data, for example to certain categories of data or certain purposes. Similarly, a data subject can object to the processing of their data and ask the data handler to end it entirely.
The data handler must comply with such requests unless the processing is deemed necessary, for instance for matters related to French national security as determined by the CNIL.
It is the express right of any data subject to rescind their prior consent to a data handler to collect their data. Once consent is withdrawn, the data handler can no longer process the data subject's data without asking for consent to do so.
The French data regulatory authority is the Commission nationale de l'informatique et des libertés (CNIL, English: National Commission on Informatics and Liberty). The body's primary responsibility is to enforce the Data Protection Act within France.
It works closely with the Agence nationale de la sécurité des systèmes d'information (ANSSI; English: National Agency for the Security of Information Systems), whose primary responsibility is to secure French information systems and support the development of digital technology that keeps French citizens' data safe against cyberattacks. Because these efforts often overlap with data processing and collection practices, this collaboration allows both agencies to use their resources more efficiently and effectively.
Under the GDPR, any company found in breach of, or non-compliant with, its regulations can be fined up to €20 million or 4% of its annual global turnover, whichever is greater. Additionally, companies found in breach of the Data Protection Act can be punished with a fine of €300,000 and up to five years' imprisonment for the following offences:
Compliance with France's Data Protection Act can be a relatively straightforward task for data handlers if they have a relevant roadmap to work on. Here are the best steps to get started:
It would not be an overstatement to say that data has become the fuel that helps businesses target their customers and potential customers more effectively. However, that is itself a double-edged sword: data breaches are by far the easiest way for a business to lose its customers' trust. Hence, complying with data protection laws across the world and meeting the requirements set out in them can help businesses retain that confidence over time.
Compliance with different data protection laws worldwide is easier said than done, since each law has its own provisions and in some cases requires businesses to change their data collection practices radically. In such circumstances, automated, AI-driven solutions offer a way forward by combining effectiveness with efficiency.
Securiti is a global leader in data compliance and governance solutions thanks to its PrivacyOps framework, which can help any business achieve compliance at the click of a single button. Request a demo today and see how Securiti's tools can help you.