21 JUNE 2018
The French Constitutional Council (‘the Constitutional Council’) ruled, on 12 June 2018, on the constitutionality of the provisions laid out in the draft Law on the Protection of Personal Data (‘the Draft Law’) implementing the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680). In particular, the Constitutional Council found that the majority of the provisions of the Draft Law were in accordance with the Constitution, except for the wording ‘under the control of the public authority’ included in Article 13. Following the ruling, the Draft Law was published in the Official Gazette, on 21 June 2018, as Law No. 2018-493 of 20 June 2018 on the Protection of Personal Data, and is now fully in effect.
Cécile Martin, Partner at Ogletree Deakins International LLP, told DataGuidance, “According to the 60 Senators that referred the matter to the Constitutional Council, even though the GDPR allows Member States to adopt specific local rules, the Draft Law was not easily comprehensible and accessible given that it contained several discrepancies with the provisions of the GDPR. The Constitutional Council considered that the introduction by the legislator of provisions which may be slightly different from the GDPR does not have the effect of depriving the Draft Law of accessibility and understanding. The Council also underlined that the Draft Law empowers the French Government to bring formal corrections and adaptions to the Draft Law once published by way of orders.”
In particular, the Constitutional Council declared that the provisions setting the age at which information society services may be offered directly to a child at 15 years old were constitutional. In addition, it affirmed that the filing requirements for the specific processing of health data and the processing of automated decisions based on algorithms were compatible with the Constitution.
Businesses need to understand the power of CNIL in terms of sanctions
Martin noted, “[The Senators argued that] the power of sanction conferred to the French data protection authority (‘CNIL’) was contrary to the principles of independency and impartiality given that CNIL is now in a position to sanction a company to a large fine without any increase to the rights and guarantees of the persons prosecuted. The members of the Parliament raised that until 2016, the power of sanction was limited to €150,000 and that it had been increased in 2016 to only €3,000,000, which is below the amount that can now be pronounced by CNIL under the GDPR. The Constitutional Council ruled that the requirements of impartiality when CNIL pronounces a fine are sufficient and cannot vary depending on the maximal amount of the fine.”
Additionally, the Constitutional Council ruled that the power of the CNIL’s President to publish a cease and desist letter would not qualify as a sanction and therefore respects the principle of impartiality.
Martin concluded, “There are many different points [in the Constitutional Council’s decision] that businesses should be aware of but I think that businesses need to understand the power of CNIL in terms of sanctions as well as the fact that certain data processing about health data remain subject to filing with CNIL.”
ALICE MARINI Privacy Analyst