What To Know About France’s Data Protection Law


As a member of the European Union (EU), France is subject to the General Data Protection Regulation (GDPR). The GDPR applies directly in every member state, but it leaves a number of choices to national law, and France makes those choices in its own statute, the Data Protection Act (Loi Informatique et Libertés).

First passed in 1978, the Act was substantially amended in 2018 to align it with the GDPR. It grants every user, or data subject, a set of rights that any company or organisation handling personal data must honour.

The Commission nationale de l'informatique et des libertés (CNIL) supervises the application of the Act and enforces the GDPR in France. It is also the first point of contact for data subjects who wish to complain about any data handler.

Who Needs to Comply with the Law

Both the GDPR and France's Data Protection Act apply to a data handler on the basis of what it processes (material scope) and of where it and its data subjects are located (territorial scope):

a. Material Scope

The French Data Protection Act covers personal data in general and special categories of personal data (sensitive data) in particular. Unless an exception applies, such as processing for legal proceedings, for France's internal security, or to protect a person's life, all data handlers, public and private, must adhere strictly to its requirements.

b. Territorial Scope

As far as the territorial scope of the Data Protection Act is concerned, it applies to the following:

  • Data handlers located inside the jurisdiction of France
  • Data handlers located outside France but offering goods or services to users in France
  • Data handlers located outside France but monitoring the digital behavior of data subjects in France

Obligations for Organizations Under the Law

Under the provisions of the GDPR and France's own Data Protection Act, data handlers operating in France have certain obligations and responsibilities towards their users. The most important of these obligations include:

a. Lawful Basis Requirements

The French law, like the GDPR, allows a data handler to process personal data only where it has a lawful basis for doing so: the data subject's consent, the performance of a contract, a legal obligation, the protection of someone's vital interests, a task carried out in the public interest, or the handler's legitimate interests where these are not overridden by the data subject's rights. A commercial motive on its own is not a lawful basis.

The Act also provides specific regimes for certain kinds of processing, including data needed for legal proceedings, data necessary for French national security, processing for medical diagnosis, statistical work by the National Institute of Statistics and Economic Studies (INSEE), and data needed to protect human life.

b. Consent Requirements

As per Section 2, Article 8(I) of the French Data Protection Act, "the collection and processing of personal data that reveal, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of persons, or which concern their health or sexual life, is prohibited." This prohibition is subject to the exceptions the Act enumerates, the first of which is the data subject's express consent.

For other personal data, consent is one lawful basis among several. Where the data handler relies on consent, it must be freely given, specific, informed and unambiguous, and it must be obtained separately for each distinct purpose or category of data rather than bundled into a single blanket approval.

c. Privacy Policy Requirements

All data handlers collecting data on French residents must publish a clearly visible, comprehensible, and easily navigable privacy policy on their websites. The privacy policy must contain the following information:

  • The purposes of the processing
  • The personal data or categories of personal data being collected
  • The category or categories of the data subjects
  • The rights of data subjects
  • The recipients or categories of recipients to whom the personal data are disclosed
  • The period during which the personal data are to be retained

Before the 2018 reform, most processing had to be declared to the CNIL in advance, and the CNIL had two months to rule on requests for authorisation. The GDPR replaced this general prior-declaration regime with an accountability model: the data handler documents its own compliance (records of processing activities, impact assessments) rather than filing each processing operation with the regulator. Prior formalities with the CNIL survive only for the specific categories of processing that French law singles out, such as certain processing of health data or of the national identification number.

d. Security Requirements

As per the GDPR and France's own data protection law, all data handlers processing French residents' data must take appropriate technical and organisational measures to secure it. The GDPR prescribes no specific tool, but it names pseudonymisation and encryption as example measures, alongside the ability to ensure the confidentiality, integrity, availability and resilience of processing systems, to restore access to data after an incident, and to regularly test the measures in place.

In 2018, the CNIL published its "Security of Personal Data" guide, which lists the baseline measures data handlers are expected to take, together with further recommendations that businesses of all sizes can incorporate into their data protection practices.

e. Data Breach Requirements

As per the French Data Protection Act and Article 33 of the GDPR, a data handler must notify the CNIL of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights of the individuals concerned. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.

Where the breach is likely to result in a high risk to individuals, the data handler must also inform the affected data subjects without undue delay (Article 34 of the GDPR). The law sets no fixed number of hours for this second notification.

Moreover, data handlers may make a public announcement or press release instead of informing each data subject individually if individual notification would involve disproportionate effort.

f. Data Protection Officer Requirement

Under the GDPR as applied in France, appointing a Data Protection Officer (DPO) is mandatory for public authorities and for data handlers whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; other organisations may appoint one voluntarily. The CNIL advises that a DPO should meet the following criteria:
  • Be located within French jurisdiction, so that the CNIL and data subjects can reach them easily
  • Have the legal and professional qualifications the role requires

The CNIL gives companies the leeway to have their own eligibility criteria to ensure the best person for the job is selected.

g. Data Protection Impact Assessment

Both the GDPR and France's Data Protection Act require data handlers to carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals. The CNIL publishes a list of processing operations for which a DPIA is mandatory.

The data handler remains responsible for the assessment, but it must seek the advice of its DPO, who in practice usually leads the work and devises the strategies, mechanisms, and guidelines that keep the organisation's practices compliant. All data handlers must also keep an updated record of such assessments to give a holistic view of their compliance practice over time.

h. Cross border data transfer Requirements

The GDPR treats the EU and the wider European Economic Area as a single area within which personal data may move freely. A transfer to a country outside that area is permitted only if one of the following conditions is met:

  • The European Commission has issued an adequacy decision for the destination country
  • The transfer is covered by appropriate safeguards, such as Standard Contractual Clauses, Binding Corporate Rules, or an approved code of conduct or certification mechanism binding the recipient
  • The transfer relies on ad hoc contractual clauses approved by the CNIL
  • One of the specific derogations in Article 49 of the GDPR applies, such as the data subject's explicit consent to the transfer after being informed of its risks

Data Subject Rights

Under both the GDPR and the Data Protection Act, data subjects in France have certain guaranteed rights that a data handler must respect. The most important of these rights are discussed below. Additionally, as per Article 40-1 of the Data Protection Act, every data subject has the right to leave detailed instructions on what is to be done with their data after their death.

Right to access the data subject's own personal data

Like most data protection laws, France's version gives data subjects the right to request access to whatever data has been collected on them.

However, access can be refused where the data in question is held for legal proceedings and disclosure to the data subject would compromise the integrity of that evidence or the proceedings themselves.

Right to rectify/correct the data subject's own personal data

Any data subject can ask the data handler to update or amend inaccurate or incomplete data. The data handler must make the change free of charge and without undue delay. If the data subject is deceased, their legal heirs can make a similar request. Lastly, if the data concerned has been shared with a third party, the data handler must ensure the correction is passed on so that the third party's copy is updated as well.

Right to erasure of personal data

The data subject can ask the data handler to delete the data it holds about them. The data handler must act on such a request without undue delay, and in any case within one month of receiving it (extendable by two further months for complex requests), and must confirm to the data subject once the deletion is done.

However, if the data in question is subject to legal proceedings or concerns national security matters for France, such requests can be rejected.

Right to restrict data processing

Data subjects have the right to ask the data handler to restrict processing of their data, for example while the accuracy of the data is being disputed or while an objection is being examined, so that the data is merely stored and not otherwise used. Separately, a data subject can object to the processing of their data altogether; where the processing is for direct marketing, the objection must always be honoured.

For other processing, the data handler must comply with such requests unless it can demonstrate compelling legitimate grounds for the processing that override the data subject's interests, or the processing is deemed necessary for French national security.

Right to withdraw consent

Any data subject has the right to withdraw consent they previously gave to a data handler, and withdrawing consent must be as easy as giving it. Once consent is withdrawn, the data handler can no longer rely on it to process the data subject's data, although the withdrawal does not affect the lawfulness of processing carried out before it.

Regulatory Authority

The French data regulatory authority is the Commission nationale de l'informatique et des libertés (CNIL, English: National Commission on Informatics and Liberty). The body's primary responsibility is to enforce the Data Protection Act within France.

It works alongside the Agence nationale de la sécurité des systèmes d'information (ANSSI; English: National Agency for the Security of Information Systems), France's national cybersecurity authority, whose remit is the protection of information systems, including those that hold citizens' personal data, against cyberattacks. Where data security and data protection overlap, the two agencies coordinate so that their guidance and resources complement rather than duplicate each other.

Penalties for Non-compliance

Under the GDPR, a company found in breach of its provisions can be fined up to €20 million or 4% of its annual global turnover, whichever is greater. In addition, the French Penal Code punishes a number of offences connected with the Data Protection Act with up to five years' imprisonment and a €300,000 fine, including:

  • Having third parties process data on its behalf without completing the required formalities
  • Processing data relating to individuals' registration numbers in the national register of identification of natural persons without the required authorisation
  • Failing to inform the CNIL of a data breach where notification is required
  • Collecting, storing, or processing personal data by fraudulent, unfair, or unlawful means
  • Continuing to process a data subject's data after the data subject has objected to the processing
  • Retaining personal data beyond the permitted period or without a valid basis
  • Processing data for health research purposes without the data subject's consent
  • Unauthorised disclosure of personal data to third parties
  • Transferring personal data outside the EU in breach of Chapter V of the GDPR

How an Organization Can Operationalize the Law

Compliance with France's Data Protection Act can be a relatively straightforward task for data handlers if they follow a clear roadmap. The following steps are a good place to start:

  • Publish an easy-to-read privacy policy that clearly communicates all of the data subject's rights without leaving any room for ambiguity
  • Appoint a DPO who understands the GDPR and the Data Protection Act, both legally and strategically, and involve them in the design of your data collection methods
  • Ensure all of the company's employees and staff are acutely aware of their responsibilities under the law
  • Conduct regular data protection impact assessments and data mapping exercises so that your compliance efforts cover every processing activity
  • Notify the CNIL of a data breach within 72 hours of becoming aware of it, and affected data subjects without undue delay where the breach poses a high risk

How can Securiti Help

It wouldn't be an overstatement to say that data has become the fuel that helps businesses target their customers and potential customers more effectively. However, that is a double-edged sword: a data breach is by far the quickest way for a business to lose its customers' trust. Complying with data protection laws across the world, and meeting the requirements those laws set out, helps businesses retain that confidence over time.

Compliance with different data protection laws worldwide is easier said than done, since each law has its own provisions and may require a business to change its data collection practices radically. In such circumstances, AI-driven solutions are a practical way forward, as they allow the business to combine effectiveness with efficiency.

Securiti is a global leader in data compliance and governance solutions thanks to its PrivacyOps framework, which helps businesses automate their path to compliance. Request a demo today to see how Securiti's tools can help.
