France - Data Protection Overview
1. Governing Texts
In France, the French Act No. 2018-493 of 20 June 2018 (only available in French here) ('the Amendment Law') incorporates the GDPR provisions in the existing Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (only available in French here) ('the 1978 Act'), which governs the protection of personal data.
For greater clarity, the law has been rewritten via Ordinance No. 2018-1125 of 12 December 2018 (only available in French here) ('the 2018 Ordinance'), which took effect on 1 June 2019.
The French data protection authority ('CNIL') acts as the French supervisory authority and its guidelines clarify the 1978 Act.
Historically, France was governed by the unamended 1978 Act, which created CNIL. The Act was enacted following the so-called 'SAFARI' scandal, revealed in 1974 by Le Monde, concerning the French administration's plan to interconnect nominative files via social security numbers, which created the need to regulate the use of personal data.
The 1978 Act has been amended several times, including by Law No. 2004-801 of 6 August 2004 implementing Directive 95/46/CE on the protection of personal data (only available in French here), and in 2016 by the Act for a Digital Republic of 7 October 2016 ('the Digital Republic Act') (only available in French here), which anticipated the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') regarding algorithms, children, anonymisation of criminal data in court decisions, financial sanctions, and, most importantly, France's characteristic feature: digital inheritance.
Almost a month after the entry into force of the GDPR, notwithstanding an emergency enactment procedure and the submission of provisions to the Conseil Constitutionnel to ensure compliance with the French Constitution of 4 October 1958 (only available in French here), the Amendment Law finally modified Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (official version available in French here; unofficial English version available here) ('the Act') with a retroactive entry into force on 25 May 2018.
At that time, the GDPR implementation technique was characterised by France's symbolic choice to maintain the 1978 Act's architecture, preserving the principles identified 40 years earlier by the legislator and repealing only contradictory provisions. However, this method led to unsatisfactory results in terms of legibility. Some provisions appeared redundant, while others were unclear with regard to their practical application or ended up with a meaning diverging substantially from the GDPR provisions.
The first enforcement decree, Decree No. 2018-687 of 1 August 2018, published on 3 August 2018 (only available in French here) ('Decree No. 2018-687'):
- specifies the organisation and functioning of CNIL (e.g. quorum, investigations, cooperation with other European authorities, complaint filing through an online form);
- provides that CNIL is to publish the lists of processing operations for which a Data Protection Impact Assessment is required ('DPIA Blacklist'); CNIL has since fulfilled this mandate in Deliberation No. 2018-328 of 11 October 2018 (the full DPIA Blacklist issued by CNIL, including examples of such blacklisted processing operations, is only available in French here);
- details the data subjects' rights (e.g. the conditions and guarantees under which the rights of access, rectification, restriction and opposition may be waived in the event of data processing for scientific, historical research or statistical purposes);
- establishes the list of categories of data processing (administrative, financial, operational, and medical) which may derogate from the data breach notification obligations; and
- coordinates the Code of Civil Procedure and the Penal Code ('the Penal Code'), in particular for the processing of criminal records.
With these clarifications provided, the criticisms levelled at the Amendment Law were resolved with the adoption of the 2018 Ordinance, which finally modified the architecture of the 1978 Act by rewriting the entire text in order to improve its legibility, ensure consistency with other regulations in force, and correct any error or omission for coherence with the GDPR.
The Act is now organised around five titles relating to:
- common provisions, including definitions of the essential concepts by express reference to the GDPR, the material and territorial scope of application, the fundamental principles of personal data protection, the rules on sensitive data as well as those on the organisation and functioning of CNIL, and finally the criminal provisions (Articles 1 to 41 of the Act);
- personal data processing provisions as provided for in the GDPR (Articles 42 to 86 of the Act);
- personal data processing provisions as provided for in the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) ('the Data Protection Directive') (Articles 87 to 114 of the Act);
- exclusively national personal data processing provisions concerning State security and defence (Articles 115 to 124 of the Act); and
- personal data processing provisions regarding Overseas France (i.e. French-administered territories outside Europe) (Articles 125 to 128 of the Act).
According to Article 3 of the amended Act, its provisions apply to the processing of personal data carried out in the context of the activities of a controller or processor established in France, whether or not the processing takes place in France.
Furthermore, and in addition to Decree No. 2018-687 which specifies the modalities of application and certain provisions of the Act and sets out more precisely the time periods and procedural rules applicable to the missions and powers of CNIL, other enforcement decrees were enacted to finalise French law's adaptation to European personal data protection regulations.
In particular, Decree No. 2019-536 of 29 May 2019 (only available in French here) ('the Implementing Decree') was published, constituting the final step in bringing national law into line with the GDPR. The Implementing Decree ensures the consistency of the revised 1978 Act with European regulation, specifies data subjects' rights, adapts procedural rules before CNIL, repeals Decree No. 2005-1309 of 20 October 2005 (only available in French here), and above all brings into force the Act as amended by the Ordinance No. 2018-1125.
Therefore, it is still the provisions of the 1978 Act integrating the GDPR and its decrees that set the general framework applicable to the protection of personal data in France.
CNIL regularly publishes guidance, mainly only available in French, on its website which, for the moment, relates more to the GDPR than the Act itself. Among such guidance, the following should be highlighted:
- The Six-Step GDPR Compliance Methodology (only available in French here);
- Recommendations on Data Protection Officers ('DPOs') (only available in French here);
- Guidance on ISO 27701 and the Processing of Personal Data or Personally Identifiable Information (only available in French here);
- Guidance on the Right to Delisting (only available in French here);
- Guidelines on cookies and other trackers (only available in French here);
- Guidelines on Data Protection Impact Assessment ('DPIA') (only available in French here);
- Guidance on notification (only available in French here); and
- various other guidelines on different topics such as anonymisation techniques, passwords, Binding Corporate Rules ('BCRs'), personal data breach notification, consent, and profiling (only available in French here).
In addition to general guidance, CNIL has also published a range of GDPR compliance tools, including Privacy Impact Assessment software and open source software to detect cookies deposited on users' devices by websites (only available in French here).
CNIL is also in the process of transforming its now-obsolete instruments, such as authorisation procedures, into soft law guidance. In the meantime, CNIL explained that its deliberations and authorisations can be used to 'orientate conformity' before new reference documents, such as the Standard on Processing of Personal Data for the purposes of Debt Management (only available in French here) and the Standard on Processing of Personal Data for the purposes of Commercial Activities (only available in French here), are published.
1.3. Case law
Since the entry into force of the GDPR, CNIL has sanctioned several breaches of the legislation and issued warnings against companies (all sanctions only available in French here).
For example, sanctions have notably been imposed for:
- failure to respect the right to object to processing;
- failure to comply with the obligation to process adequate and relevant data;
- failure to provide information to the data subjects;
- failure to cooperate with the supervisory authority;
- data security breaches; and
- lack of transparency, unsatisfactory information and lack of valid consent for advertising (notably against Google for €50 million on 21 January 2019 (only available in French here)).
2. Scope of Application
As long as the processing concerns personal data, the Act applies whether the data controller or processor is a legal or natural person, public or private.
Article 48 of the Act also provides for the application of certain provisions (right of any person to lay down guidelines for the storage and deletion of his or her personal data after his or her death) of the Act to deceased individuals.
Article 3 of the Act provides that all the provisions of the Act apply to the processing of personal data carried out in the context of the activities of an establishment of a data controller or a data processor on the French territory, whether or not the processing takes place in France.
National rules adopted on the basis of the GDPR to adapt or supplement the rights and obligations of the GDPR will also apply where the data subject resides in France, including where the controller is not established in France. However, for processing carried out for journalistic, academic, artistic or literary expression purposes the national rules applicable are those to which the data controller is subject when it is established in the European Union.
Article 2 of the Act provides that it applies to the automated processing of personal data and to the non-automated processing of personal data contained or intended to be contained in a filing system.
Processing carried out by natural persons in the exercise of strictly personal or domestic activities is not subject to the Act.
3.1. Main regulator for data protection
CNIL is the national supervisory authority according to the meaning and for the application of the GDPR. It is an independent administrative authority composed of 18 members, including parliamentarians, representatives of high jurisdictions, qualified public figures, and a chairperson.
As to institutional proceedings, the members congregate in plenary sessions and, since 2004, CNIL's Restricted Committee, which is composed of five members and a Chair, can impose diverse sanctions in case of non-compliance with data protection legislations.
3.2. Main powers, duties and responsibilities
As the French data protection authority, CNIL's main mission is to control and audit compliance with data protection legislation and to impose sanctions in case of a failure to remedy breaches.
Under the GDPR, CNIL's rights of entry and inspection remain essentially the same as they were under the previous French data protection regime, and while the nature of the premises subject to on-site searches is more clearly specified, it is still subject to professional secrecy. The Act now also provides for the possibility of using a borrowed identity for online controls (even though the power to conduct online audits was established in 2014).
At the end of the audit process, CNIL examines the gathered information and documents and drafts an inspection report. When the breaches are noted as serious, CNIL can impose sanctions. However, the Constitutional Council ruled that neither the warnings nor the formal notices pronounced by CNIL's chairperson according to Article 20 of the Act constitute 'sanctions' that are punitive in nature.
In addition to its historical responsibilities, CNIL is awarded the power to adopt or encourage the development of new soft law instruments (such as guidelines, recommendations, codes of conduct, model regulations, reference methodologies for health data processing, certification mechanisms, etc.).
Furthermore, since 2020, European cooperation has increased and its mechanisms are now an integral part of CNIL's activity in the context of cross-border processing controls. For instance, CNIL participated, in close cooperation with the Luxembourg data protection authority, in the procedure led against Amazon Europe Core, which resulted in one of the highest sanctions pronounced by a European data protection authority to date (although the decision is not yet enforceable). The complaint was lodged with CNIL by a French association.
- a guide on ransomware attacks, on how to anticipate them and react in case of an incident, was published by the National Cybersecurity Agency of France ('ANSSI') and the Ministry of Justice (only available in French here);
- three new sets of guidelines were adopted by CNIL to assist medical and paramedical professionals in complying with their obligations in relation to the processing of health data; and
- two practical guides were published on the retention periods applicable to health data for health sector professionals (the first applies to all health sectors with the exception of research, while the second applies only to the field of health research).
4. Key Definitions
Data controller: There is no definition of 'data controller' in the Act. Article 2 refers to the definitions provided by Article 4 of the GDPR. Thus, a data controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: Article 2 provides for the application of the definition of 'data processor' provided in Article 4 of the GDPR. Thus, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data: There is no definition of 'personal data' in the Act. Article 2 of the Act refers to the definitions provided by Article 4 of the GDPR. Thus, personal data is any information relating to an identified or identifiable natural person.
Data subject: There is no definition of 'data subject' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, a data subject is an identified or identifiable natural person.
Health data: There is no definition of 'health data' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, health data means personal data related to the physical or mental health of a natural person.
Biometric data: There is no definition of 'biometric data' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, biometric data is personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.
Pseudonymisation: There is no definition of 'pseudonymisation' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
5. Legal Bases
Regarding a minor's consent, Article 45 of the Act specifies that a minor may consent alone to the processing of personal data with regard to the direct provision of information society services from the age of 15. Where the minor is under the age of 15, processing shall be lawful only if consent is given jointly by the minor concerned and the holder(s) of parental authority over that minor.
There are no variations from the GDPR.
Historical and scientific research purposes
The Act provides that personal data can be retained beyond the time necessary to fulfil the historical, statistical or scientific purposes for which they are processed, and that further processing for such purposes shall be considered compatible with the original purposes of data collection (Article 4 of the Act). Exemptions from the obligation of the controller to inform data subjects are provided for processing necessary for data retention for historical, statistical or scientific purposes, where the data was initially collected for another purpose (Article 79 of the Act).
The right of access provided for in the Act does not apply to personal data retained (Article 49 of the Act):
- in a form clearly excluding any risk to the privacy of the data subjects concerned;
- for a period not exceeding the time necessary for the sole purpose of establishing statistics or scientific or historical research; and
Finally, where processing is for archival purposes in the public interest, rules are determined by Articles L.211-2 and L. 212-3 of the French Estate Code (only available in French here) (Articles 4 and 78 of the Act).
Article 4 of the Act provides for the same principles as the GDPR, i.e.:
- lawfulness, fairness and transparency: the processing must be transparent for processing under the GDPR;
- purpose limitation;
- data minimisation: for this principle, the Act specifies that personal data must not be excessive for processing relating to:
  - the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties or detention orders on behalf of the State; and
  - State national security, defence or public security purposes;
- storage limitation; and
- integrity and confidentiality.
7. Controller and Processor Obligations
In accordance with the GDPR, France has abolished its prior notification regime (i.e. simplified or standard declarations or authorisation requests are as a principle not required anymore); however, some processing must still be notified to CNIL for authorisation or request for an opinion.
So far, CNIL has only identified processing of health data for research purposes and for public interest purposes as triggering this prior notification obligation and has published the relevant authorisation request forms online (only available in French here).
Notably, CNIL has issued the guidance on notification requirements as noted above in the section on guidelines issued by CNIL.
In addition, Articles 31 and 32 of the Act provide that authorisation by decree or ministerial ruling is required for processing:
- of special categories of data (sensitive data specified in Article 6(I) of the Act);
- biometric and genetic data necessary to identify persons or control identity on behalf of the State; and
- for State national security, defence or public security purposes, and relating to the prevention, search, finding or prosecution of criminal offences or to the enforcement of criminal convictions or detention orders on behalf of the State (these 'sovereignty processing operations' remain unchanged).
According to Article 33 of the Act, requests for prior authorisation must include:
- the name and the address of the controller, or, if they are established outside of the EU, of their representative;
- the objectives of the processing activities;
- any related processing activities, where applicable;
- the origin and category of the personal data that would be processed;
- the retention period for the personal data concerned;
- the services or departments responsible for the implementation of the processing activities;
- the recipients or categories of recipients set to receive the personal data;
- the role of the person or service to which the right of access provided for in Articles 49, 105, and 119 of the Ordinance applies, and the measures relating to the exercise of this right;
- the measures taken to ensure the security of the processing and data and the guarantee of the secrets protected by the law and, where applicable, the indication of the use of a subcontractor; and
- transfers of personal data outside of the EU, where applicable.
In addition, the controller must inform CNIL without delay (Article 33 of the Act):
- of any change affecting the data aforementioned; and
- of the ceasing of the processing activities.
Under Article 66(V) of the Act, CNIL will issue its decision within two months of receipt of the request. However, this period may be extended for an additional two months by a reasoned decision of the President. After the expiry of this period, if no response is received, the request will be assumed to be granted.
Moreover, the Standard on health management, adopted by virtue of Deliberation No. 2019-057 of 9 May 2019 (only available in French here) ('the Health Standard'), specifies that data controllers, which in the context of the Health Standard are manufacturers, companies, operators, or organisations responsible for placing a drug, device, or product on the market, must send to CNIL, prior to the processing, a declaration of conformity, i.e. a declaration that the processing complies with the requirements of the Health Standard.
Finally, the specific list of categories of controllers and purposes of processing using the social security number of natural persons ('NIR') was published on 21 June 2019 by Decree No. 2019-341 of 19 April 2019 (only available in French here).
Furthermore, if the processing complies with MR001 for interventional research involving risk (only available in French here) or MR003 for minimal-risk and non-interventional research (only available in French here), and the controller has filed a commitment to comply with the same, the processing operation can be conducted without prior authorisation from CNIL.
The Act provides for the following two restrictions on data transfers:
- for the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
- for processing concerning State security and defence.
Regarding the processing relating to the prevention, investigation, detection or prosecution of criminal offences or to the execution of criminal penalties or detention orders on behalf of the State, Article 112 of the Act provides that the data controller may only transfer data or authorise the transfer of data already transferred to a non-EU State when:
- the transfer is necessary for the purpose of the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties;
- the personal data is transferred to a controller established in that non-EU State or within an international organisation which is a competent authority responsible for the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties in France;
- if the personal data originates from another State, the State that transmitted the data has previously authorised this transfer in accordance with its national law;
- as provided by Article 36 of the Data Protection Directive, in case of an adequacy decision or, in the absence of such a decision, a legally binding instrument providing appropriate safeguards or, in the absence of such a decision and instrument, the controller has assessed all the circumstances of the transfer and considers that there are such appropriate safeguards;
- the specific derogations of Article 38 of the Data Protection Directive apply; or
- the conditions of Article 39 of the Data Protection Directive are fulfilled.
Regarding processing for State national security, defence or public security purposes, Article 123 of the Act provides that the data controller may transfer personal data only if:
- the State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data;
- the specific derogations provided by Article 49 of the GDPR apply; or
- the transfer is authorised by a decree, issued after an opinion of the CNIL, where the processing guarantees an adequate level of protection of privacy and the fundamental rights and freedoms of individuals.
A new remedy is created for CNIL with regard to data transfers outside of the EU, implementing the European Court of Justice's Judgment of 6 October 2015, Maximillian Schrems v. Data Protection Commissioner, C-362/14, EU:C:2015:650: where a case is submitted against a controller or processor in the context of data transfers to non-EU States or international organisations, and CNIL considers the grievances regarding the protection of a data subject's rights and liberties to be founded (Article 39 of the Act).
CNIL can request the Conseil d'Etat, the highest administrative court in France, in charge of reviewing CNIL's decisions, to suspend data transfers to an 'adequate' country outside of the EU.
Following the Court of Justice of the European Union ('CJEU') decision of 16 July 2020 in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), invalidating the 'Privacy Shield', and the adoption by the European Commission of the new Standard Contractual Clauses on 4 June 2021, CNIL has published detailed guidance to assist data controllers in identifying and managing transfers of personal data outside the EU (only available in French here). CNIL has also published several guides and recommendations on transfers of personal data to the United States.
Articles 57 and 60 of the Act explicitly refer to Article 30 of the GDPR providing that the controller, processor and, where appropriate, their representative shall keep the data processing record under the conditions laid down in Article 30 of the GDPR.
Regarding processing for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or detention orders on behalf of the State, Article 100 of the Act provides that the controller and its processor shall keep a data processing record as provided by Article 30 of the GDPR. This record shall also contain a general description of the measures aimed at ensuring a level of security appropriate to the risk, an indication of the legal basis of the processing operation, including the transfers for which the personal data are intended, and, where appropriate, the use of profiling.
National activities subject to prior consultation/authorisation
According to Article 62 of the Act, the controller must carry out a DPIA prior to the processing of personal data in the conditions provided for in Article 35 of the GDPR.
In addition to the DPIA Blacklist published by CNIL, which indicates activities which are subject to the requirement of a DPIA, CNIL has adopted, through Deliberation No. 2019-118 of 12 September 2019, its list of processing activities which are not subject to the requirement of a DPIA ('the DPIA Whitelist').
A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.
Thus, generally, processing operations which fulfil at least two of the following criteria must be subject to a DPIA:
- assessment/scoring (including profiling);
- automatic decision with legal or similar effect;
- systematic monitoring;
- collection of sensitive data;
- collection of personal data on a large scale;
- data crossing;
- vulnerable persons (patients, elderly, children, etc.);
- innovative use (use of a new technology); and
- exclusion of the benefit of a right/contract.
For example, if a company sets up a system which monitors the activity of its employees, this data processing meets the criteria of systematic monitoring and that of data concerning vulnerable persons, therefore the implementation of a DPIA will be necessary.
The DPIA Blacklist specifies 14 types of processing for which a DPIA is required, provided that these processing operations meet at least two of the above-mentioned criteria:
- health data processing carried out by health or medico-social establishments for the care of individuals;
- processing of genetic data from 'vulnerable' individuals (patients, employees, children, etc.);
- processing operations establishing persons' profiles for human resources management purposes;
- processing operations for the purpose of constantly monitoring the activity of the employees involved;
- processing for the purpose of social and health alerts and reports management;
- processing for the purpose of professional alerts and reports management;
- processing of health data required for the establishment of a data warehouse or registry;
- processing involving profiling of individuals which may result in their exclusion from the benefit of a contract, or in its suspension or rupture;
- shared processing of observed contractual breaches which may lead to the exclusion or suspension from the benefit of a contract;
- profiling processing using data from external sources;
- processing of biometric data for the purpose of uniquely identifying a natural person, including 'vulnerable' individuals (students, elderly, patients, asylum seekers, etc.);
- examination of requests for, and management of, social housing;
- processing for the purpose of providing social or medico-social support of individuals; and
- processing of large-scale location data.
If it appears that the level of residual risk of the processing remains high after conducting the DPIA, the controller is required by Article 63 of the Act to consult CNIL before carrying out such processing.
Practical tools are available in English on CNIL's website, such as the PIA software, which helps with reusing DPIAs, and DPIA guides (templates, knowledge bases, methodology, and guides applicable to connected objects).
National activities not subject to prior consultation/authorisation
A DPIA is not required in the following cases:
- when processing does not present a high risk to the rights and liberties of data subjects;
- when the nature, scope, context and purposes of the proposed processing are very similar to a processing for which an impact assessment has already been conducted;
- where processing is legally required or necessary for the performance of a public service task (Article 6(1)(c) and (e) of the Act), provided that the following conditions are met:
  - it has a legal basis in EU or EU Member State legislation;
  - an impact assessment was already conducted when this legal basis was adopted; and
  - this legislation regulates this processing operation; and
- when the processing corresponds to an exception determined by CNIL in accordance with Article 35(5) of the Act.
Regarding this final exemption, CNIL's DPIA Whitelist specifies that the following types of processing, among others, do not require a DPIA:
- processing implemented solely for human resources purposes and in accordance with the conditions laid down in the applicable texts, for the sole management of the staff of bodies employing fewer than 250 persons, with the exception of the use of profiling;
- processing for the purpose of supplier relationship management;
- processing implemented under the conditions provided for in the texts relating to the management of the electoral register of municipalities;
- processing for the management of the activities of works councils and committees;
- processing carried out by an association, foundation or any other non-profit institution for the management of its members and donors in the framework of its regular activities, provided that the data is not sensitive;
- processing of health data necessary for the care of a patient by a health professional practising in an individual capacity in a doctor's surgery, pharmacy or medical biology laboratory;
- processing by lawyers in the individual practice of their profession;
- processing by the clerks of commercial courts for the purpose of carrying out their activity;
- processing by notaries for the purpose of carrying out their notarial activity and the drafting of notarial office documents;
- processing by local authorities, as well as legal persons covered by public and private law, for the management of schools, as well as extracurricular and early childhood services;
- processing operations carried out for the sole purpose of managing physical access controls and timetables for the calculation of working time, without any biometric devices, with the exception of processing operations revealing sensitive or highly personal data; and
- processing relating to breathalyser tests, strictly regulated by a text and implemented in the context of transport activities for the sole purpose of preventing drivers from driving a vehicle under the influence of alcohol or drugs.
It should be further noted that the European Data Protection Board ('EDPB') issued, on 22 April 2020, its Opinion 7/2020 on the Draft List of the Competent Supervisory Authority of France regarding the Processing Operations Exempt from the Requirement of a Data Protection Impact Assessment (Article 35(5) GDPR) ('Opinion 7/2020'), which recommends, regarding the management of commercial activities, reducing the scope of the Whitelist by covering only business-to-consumer relations, and excluding the processing of sensitive data or data of highly personal nature from the Whitelist.
How to conduct a DPIA
Furthermore, CNIL has published the following templates for conducting DPIAs:
- PIA Methodology template;
- PIA templates;
- Template on PIA in the context of Internet of Things devices; and
- PIA Knowledge bases.
Article 57 of the Act provides that the controller shall appoint a data protection officer ('DPO') under the conditions of Chapter IV, Section 4 of the GDPR. Article 103 of the Act also provides for the mandatory appointment of a DPO, but only for competent authorities (i.e. a public authority or any other body or entity entrusted with the exercise of prerogatives of public authority, such as the judicial authority, the police and repressive authorities) for the purposes of prevention, investigation or prosecution of criminal offences or the enforcement of criminal convictions, when acting as controllers.
CNIL has issued guidance on the appointment of a DPO specifically for competent authorities (only available in French here).
The appointment of a DPO is one of the key points of compliance for CNIL. It has strongly encouraged French companies to appoint DPOs, even where the company is not under an obligation to do so under the GDPR's criteria.
The appointment of the DPO must be notified online to CNIL by filling out a form with the contact details of the controller (or processor) and of the DPO. The notification to CNIL can be done online in four steps, only available in French, here.
CNIL offers guidance on the role of the DPO (only available in French here).
Furthermore, Deliberation No. 2018-318 of 20 September 2018 Adopting the Criteria of the Standard of Qualification of the DPO (only available in French here) ('Deliberation No. 2018-318') adopted criteria standards on the certification reference system, setting out a list of 17 required competencies to be certified as a DPO, including:
- the DPO must understand the principles of, for example, lawful processing, data minimisation, data accuracy, and data retention;
- the DPO must be able to identify the legal basis of a processing activity;
- the DPO must be able to organise and participate in data protection audits;
- the candidate must know how to identify personal data breaches which require notification to CNIL and data subjects; and
- the DPO must know whether or not it is necessary to carry out a DPIA.
Deliberation No. 2018-317 of 20 September 2018 Adopting the Criteria of the Reference Framework of Accreditation of Certification Bodies for the Certification of the Competences of the DPO (only available in French here) adopts the accreditation framework, setting out the criteria for organisations who wish to be certified by CNIL to certify DPOs according to the provisions of Deliberation No. 2018-318.
Article 58 of the Act refers to Article 33 of the GDPR for data breach notification to CNIL.
The Act also provides an obligation of communication of the data breach to the data subject in accordance with Article 34 of the GDPR, and specifies that for processing necessary to comply with a legal obligation or regarding a task of public interest, this obligation may be waived when it is likely to constitute a threat to national security, national defence or public safety, in the cases provided for in Article 85 of the Implementing Decree, namely:
- processing involving personal data likely to enable persons whose anonymity is protected to be directly or indirectly identified; and
- processing of administrative, financial and operational management data, as well as processing of health data.
The Act specifically requires providers of electronic communication services to document the breaches so CNIL can verify compliance and to notify a data breach to CNIL, as well as the data subject, except if CNIL finds that the controller has implemented appropriate protective measures to make the data concerned by the violation incomprehensible to any unauthorised person (Article 83 of the Act).
There are no specific provisions regarding the timeframes for retaining data in the Act.
However, CNIL published, in July 2020, a practical guide (only available in French here) ('the Practical Guide') on data retention periods detailing the main principles of personal data retention and providing practical advice on their implementation.
This Practical Guide does not provide a compilation of definite retention periods to be observed by controllers, but gives guidance on how to determine the retention period of personal data where no law, regulation or guideline provides for a specific time frame.
In particular, CNIL recommends assessing the retention period or the criteria for determining it with regard to the purposes of processing (e.g., the duration of the business relationship) and to keep documentation justifying this assessment. To this end, it provides an analysis grid to identify reasonable durations for each retention phase of personal data (i.e. current use, intermediate archiving and, where applicable, definitive archiving).
Although this provision was subject to lengthy parliamentary debates, the Act lowers the age for valid consent given by children from 16 to 15 years old regarding the offer of information society services (Article 45 of the Act). However, other processing, such as processing necessary to perform an online contract with a minor, will not need to comply with those provisions, due to the definition of information society services in Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998 amending Directive 98/34/EC laying down a Procedure for the Provision of Information in the field of Technical Standards and Regulations.
When the individual is younger than 15, consent will need to be provided jointly by the minor and their parent.
Controllers also are subject to an obligation of information towards such minor, the wording of which must be adapted to his or her age since children must be made aware of the risks of using the Internet, notably when they create an account on social networks.
The new threshold of 15 years of age underlines the willingness to harmonise French legislation in general since it already corresponds to the sexual majority age and to the age at which health data can be factored in surveys.
On 9 June 2021, the CNIL published a set of recommendations to strengthen the protection of minors' personal data online. These recommendations pursue the following objectives:
- regulating the ability of minors to act online;
- encouraging minors to exercise their rights;
- supporting parents in minors' digital education;
- seeking parental consent for minors under the age of 15;
- promoting parental control tools that respect children's privacy and interests;
- strengthening the information and rights of minors through design;
- verifying the age of the child and the parents' agreement while respecting the child's privacy; and
- providing specific guarantees to protect the interests of the child.
For each of these objectives, the CNIL has adopted dedicated recommendations (available in French only here).
Article 6 of the Act provides that it is prohibited to process the following sensitive data: personal data revealing the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of a natural person or to process genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
As an exception, Article 6 provides that this sensitive data can be processed in the cases mentioned in Article 9(2) of the GDPR and for processing justified by public interest and duly authorised.
In addition, Article 44 of the Act provides that Article 6 of the Act does not apply for:
- processing necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services and carried out by a member of a health profession, or by another person bound by an obligation of professional secrecy by virtue of his duties;
- statistical processing carried out by the National Institute of Statistics and Economic Studies or one of the ministerial statistical offices;
- processing of health data justified by the public interest and complying with the Section 3 of Chapter III of the Act dedicated to processing of personal data in the health field;
- processing in accordance with CNIL standard regulations implemented by employers or administrations regarding biometric data strictly necessary to control access to workplaces, and to devices and applications used by the employees;
- processing of public information contained in court decisions; and
- processing necessary for public research, if carried out for an important public interest purpose.
Furthermore, for some specific data, the government chose to use the room for manoeuvre allowed by the GDPR and set a specific regime for its processing.
Regarding the processing of genetic or biometric data carried out on behalf of the State for the authentication or control of the identity of individuals, Article 32 of the Act provides that an authorisation by decree of the Conseil d'Etat is required after reasoned opinion of CNIL.
An authorisation procedure is required for health data processing (Article 66 of the Act) (except in cases of health alerts in emergency situations (Article 67 of the Act)), and processing for research, study or evaluation purposes in the health field (Article 73 of the Act) that do not comply with CNIL's toolkits and model regulations, which can be established with the National Institute of Health Data, acknowledging that a simple declaration attesting compliance with these instruments shall allow implementation of such processing.
Section III of the Act provides that CNIL's authorisation must be given within two months, failing which the authorisation is deemed granted unless the two-month period has been extended, and that controls will be operated with an audit committee, created at the initiative of the government (Article 77 of the Act).
In addition, the regime includes specific provisions regarding minors aged 15 or over, who may in particular object to holders of parental authority having access to data concerning them collected in the course of the research, study or evaluation in the health field, or being informed of such processing in the cases provided for in Article 70 of the Act.
Social security number ('NIR')
As per Article 30 of the Act, Decree No. 2019-341 of 19 April 2019 on the Implementation of Processing Operations Involving the Use of the Registration Number in the National Directory of Identification of Natural Persons or Requiring the Consultation of this Directory (only available in French here) ('the NIR Decree') lists categories of controllers and purposes allowed regarding processing activities using the NIR. It includes notably the following:
- processing for the fulfilment of their tasks in the field of social protection, including when the use of the registration number in the national identification register of natural persons is necessary for the performance of assessments, studies, statistics and research, or for the implementation of exchanges or treatments involving several social protection actors;
- the National Public Health Agency, for the management and follow-up of health alerts; and
- companies, in order to fulfil their reporting obligations requiring the use of the registration number in the national identification register for natural persons, and for the automated processing of payroll and personnel management resulting from legal or regulatory provisions and collective agreements concerning declarations, calculation of contributions and payments to dedicated organisations.
The CNIL has also published guidance on the NIR Decree (only available in French here).
Criminal convictions and offences data
Criminal convictions are dealt with by Article 46 of the Act. Such processing can be implemented by:
- jurisdictions, public authorities and legal persons managing a public service;
- auxiliaries of justice (such as mediators or experts) for the strict exercise of their functions, as well as entities collaborating with judicial entities;
- natural or legal persons, for the purpose of enabling them to prepare and, where appropriate, to initiate and follow legal proceedings as victims, defendants or on their behalf and to enforce the decision rendered;
- associations providing assistance to victims under agreement with the Ministry of Justice;
- collective management organisations acting on behalf of the intellectual property rights they manage, or on behalf of victims of intellectual property rights violations; and
- re-users of public information contained in court decisions, provided that processing is neither intended to nor has the effect of allowing the reidentification of the persons concerned.
With respect to the final point, Law No. 2016-1321 of 7 October 2016 for a Digital Republic (only available in French here) ('the Digital Republic Act') already imposed the implementation of a prior study in order to verify the possibility of reidentifying persons when the data is communicated.
In addition, Article 76 of the Decree of 29 May 2019 extended the list of persons authorised to process these categories of personal data including to:
- associations providing assistance for the reintegration of individuals placed under the authority of the justice system;
- educational, social or medico-social support institutions;
- public or private educational institutions, boarding schools and all authorised structures supporting juvenile delinquents; and
- judicial representatives designated for the protection of adults.
Article 60 of the Act explicitly refers to Article 28 of the GDPR providing that the processing carried out by a data processor shall be governed by a contract or any legal act binding the data processor and the data controller, in a written form, complying with the conditions laid down in Article 28 of the GDPR.
Regarding processing concerning State security and defence, according to Article 122 of the Act, the contract between the data processor and the data controller must contain an indication of the obligations of the data processor with regard to the protection of the security and confidentiality of the data and provides that the data processor may only act on the instructions of the data controller.
8. Data Subject Rights
Article 48 of the Act expressly refers to Articles 13 and 14 of the GDPR for the conditions of right of information's application.
These articles list the information that the controller shall give to data subjects when personal data is collected directly from them or collected indirectly.
In addition to the information provided for in Articles 13 and 14 of the GDPR, Article 48 of the Act also provides that the controller shall inform the data subject about the right to define guidelines on the fate of their personal data after death.
However, this right of information can be limited. Besides the limitations of the GDPR, data subjects' right to information is limited by the Act when:
- processing is carried out for the purposes of journalism or literary and artistic expression (Article 80 of the Act);
- processing is carried out for the purposes of prevention, investigation and prosecution of criminal offences in the conditions of Articles 107 and 108 of the Act; and
- processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the Act);
and, regarding the indirect collection of personal data, when:
- processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the Act);
- processing is carried out on behalf of the State and is relevant to public security, or by a public administration to check or recover taxes, or to check on the activities of legal and natural persons which may lead to the detection of an infringement or failure, an administrative fine or a penalty (Article 48 of the Act, in application of Article 23 of the GDPR); and
- personal data is transmitted by an administrative authority to an intelligence service. In this case, data subjects are not entitled to be informed of this transmission (this exception was added to Article 48 of the Act by Law No. 2021-998 of 30 July 2021 on the prevention of acts of terrorism and intelligence).
Regarding cookies, the CNIL published Deliberation No. 2020-091 of 17 September 2020 adopting guidelines on the application of Article 82 of the Act regarding the use of "cookies and other trackers" ('the Cookies Guidelines') (only available in French here).
In the Cookies Guidelines, the CNIL states that:
- navigation on a website can no longer be considered as a valid expression of the user's consent. Individuals must explicitly consent to the placement of cookies by a clear positive action. Otherwise, cookies or tracers cannot be placed on their device;
- withdrawal of consent should be easy and possible at any time;
- refusal of cookies and trackers should be as easy as acceptance;
- individuals must be clearly informed of the purposes of the trackers before they consent, as well as the consequences of accepting or refusing them. Individuals must be informed of the identity of all actors using cookies on their devices; and
- the organisations operating the trackers must be able to provide, at any time, proof of the valid collection of the user's consent.
The CNIL also adopted practical recommendations to comply with the Cookies Guidelines, including good practices for collecting the user's consent and examples of user interfaces (only available in French here).
The deadline for compliance for mobile sites and applications ended on 31 March 2021.
Finally, in a decision dated 19 June 2020, the Conseil d'Etat ruled that the CNIL could not impose a general and absolute ban on making access to a website conditional on the consent to the deposit of trackers for targeted advertising purposes. Consequently, CNIL has amended its Cookies Guidelines, but only on that particular aspect.
Variations within the Act on the GDPR's right to access consist of the following.
For processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, according to Article 52 of the Act, the right of access shall be addressed to the CNIL.
For processing carried out by the financial courts in the context of their non-judicial tasks as provided for by the Code of Financial Courts (only available in French here), Article 52 of the Act provides that the right of access may be restricted under the conditions laid down in Article 23(1)(e) and (h) of the GDPR.
Regarding health data, Article 64 of the Act provides that such data is to be communicated to the data subject, according to his or her choice, directly or through the intermediary of a doctor whom he or she designates for this purpose, in compliance with the provisions of Article L. 1111-7 of the Public Health Code (only available in French here). (Article L 1111-7 of the Public Health Code provides that if no exceptions apply, the data must be communicated to the data subject no later than eight days after their request and no sooner than after a 48-hour period of reflection has been observed and that specific conditions apply for minors).
Regarding the processing relating to the prevention, investigation, detection or prosecution of criminal offences or to the execution of criminal penalties or detention orders on behalf of the State, except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the Act provides that the data controller may refuse or limit the data subject's right of access if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for:
- avoiding hindering investigations, enquiries or administrative or judicial proceedings;
- avoiding hindering the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal sanctions; and
- protecting public security, national security, or the rights and freedoms of others.
In this case, the data controller shall inform the data subject, as soon as possible, of any refusal or limitation of access as well as the reasons for the refusal or limitation, except if this communication risks compromising one of the purposes set out above.
Regarding processing relating to state security and defence, Article 118 of the Act provides that requests to exercise the right of access are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defence or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of access may be exercised by the data subject with the controller directly.
Regarding the right to rectification, Article 50 of the Act explicitly refers to Article 16 of the GDPR.
Variations within the Act on the GDPR's right to rectification consist of the following.
According to Article 52 of the Act, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, the right of rectification shall be addressed to CNIL.
Regarding the processing relating to the prevention, investigation, detection or prosecution of criminal offences or to the enforcement of criminal convictions or detention orders on behalf of the State, Article 106 provides that the data subject has the right to obtain from the data controller, as soon as possible, the rectification of any inaccurate personal data concerning him or her.
The data controller shall:
- inform the data subject of any refusal to rectify and the reasons for the refusal;
- communicate the rectification of inaccurate personal data to the competent authority from which the data originated; and
- notify the recipients.
Except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the Act provides that if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for (i) avoiding hindering investigations, enquiries or administrative or judicial proceedings (ii) avoiding hindering the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal sanctions (iii) protecting public security, national security, rights and freedoms of others, the data controller may not inform the person of the refusal to rectify personal data or of the reasons for this decision.
The data controller shall inform the data subject of the possibility of exercising his or her rights through CNIL or through legal recourse.
Regarding processing relating to state security and defence, Article 118 of the Act provides that requests to exercise the right of rectification are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defence or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of rectification may be exercised by the data subject with the controller directly.
Article 51 of the Act expressly refers to Article 17 of the GDPR for the implementation of the right to erasure.
Nevertheless, this right is subject to the limitations provided in Article 17 and additional limitations provided for in the Act:
- Article 106(III) of the Act, regarding processing for the purposes of prevention, investigation and prosecution of criminal offences, provides that instead of deleting, the controller is entitled to only limit the processing in certain cases.
- Article 52 of the Act provides that, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to check or recover taxes, requests to exercise the right to erasure must be addressed to CNIL; the same applies, under Article 118 of the Act, to processing relating to State security and defence.
Under the Act, the right to erasure can be invoked in the context of processing for journalistic, artistic or academic purposes, contrary to what is provided in Article 17(3)(a) of the GDPR. However, in the face of this contradiction, Article 17 of the GDPR will prevail, thus removing the right to erasure for processing with these specific purposes.
Besides, Article 51 of the Act contains specific provisions for the right to erasure when the data subject was a minor (i.e. under 18 years old) at the time of the data collection.
This provision deals specifically with the right to erasure in respect of personal data relating to children that is processed in the context of online services, also provided for in Article 17 of the GDPR referring to Article 8. The effect is that any request for erasure in that particular context, and any complaint handling process, will be dealt with under the Act, and not under Article 17 of the GDPR.
Finally, Article 51 of the Act provides that the data subject is entitled to refer to CNIL the non-execution of the deletion of personal data.
Regarding the right to de-referencing, the Conseil d'Etat acknowledged the CJEU judgments (Google LLC v. CNIL C-507/17 and GC and others v. CNIL C-136/17) of 24 September 2019, and rendered several decisions (13 decisions dated 6 December 2019) (accessible only in French here) according to which (i) the right to de-referencing applies to the European territory, and (ii) when a request for de-referencing relates to sensitive data (including political opinions, religious or philosophical beliefs or sex life, as well as criminal convictions), a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information. The Conseil d'Etat further published a legal note setting out the conditions applicable to the right to be forgotten (only available in French here).
The Act provides that the right of the data subject to object to processing can be exercised under the conditions of Article 21 of the GDPR (Article 56 of the Act).
Consequently, the Act is in line with the reduced scope of exercise of this right provided for by the GDPR. Indeed, whereas the right under Article 21 GDPR only applies to personal data processed under the 'legitimate interest' or 'public interest grounds' (though individuals can withdraw their consent to processing at any time, which is effectively also a right to object to processing based on consent), the Act used to provide, in its former version, that this right applied to personal data processed on the basis of all grounds other than the 'legal obligation' ground.
Moreover, the reduction in the scope of exercise of this right is also reflected in the exceptions to it, extended by the amended version of the Act. According to Article 56 of the Act, the right to object cannot be exercised where the processing is legally required, or where there is an overriding express provision authorising the processing, in addition to the 'compelling legitimate interest' exception provided for in the GDPR (except in the case of marketing, where the right to object is absolute).
The Act does not implement variations of GDPR on the right to data portability, as it expressly refers to Article 20 of the GDPR.
Article 47 of the Act expressly forbids that a court decision involving an assessment of a person's conduct may be based on an automatic processing of personal data intended to evaluate certain aspects of the person's personality.
Article 47 of the Act also provides that no decision which has legal effects on or significantly affects a person may be taken solely on the basis of automated processing of personal data, including profiling. However, according to Article 47 of the Act, and excluding the event where the administration decides on an administrative appeal, this last prohibition is limited in some cases:
- the exceptions provided for in Article 22 of the GDPR; and
- individual administrative decisions taken in compliance with French legislation, provided that the processing does not involve sensitive data referred to in Article 6 of the Act, and that the controller ensures that the algorithmic processing and its developments are controlled in order to be able to explain to the data subject the way in which the processing has been carried out.
There are no such limitations regarding processing relating to State security and defence (Article 120 of the Act) and processing for the purposes of prevention, investigation and prosecution of criminal offences (Article 95 of the Act). Article 95 of the Act adds that any profiling that discriminates against natural persons on the basis of special categories of personal data is prohibited.
Right to restriction of processing
The Act does not implement variations of GDPR on the right to restriction of processing, as it expressly refers to Article 18 of the GDPR.
Right of deceased individuals
Although, as a matter of principle, Article 84 of the Act provides that a data subject's rights expire upon death, Article 85 of the Act introduces additional rights for the deceased, as first introduced by the Digital Republic Act. It allows data subjects to provide guidelines as to the fate of their data after death (erasure/retention of data or communication to a third party). Even though it initially targeted social media companies, it applies to every organisation. A person can be designated to carry out these instructions, and thus has authority, upon the death of the data subject, to read the directives and request their implementation by the controller concerned. These guidelines can be general (where they relate to all data concerning the data subject) or specific (where they only concern specific data processing operations):
- general guidelines can be entrusted to a trusted third party which will be certified by CNIL; or
- special guidelines can also be entrusted to controllers (social networks, online messaging, etc.) in the event of death; they are subject to the specific consent of the data subject and may not result solely from the latter's approval of the general conditions of use.
In the absence of guidelines, the heirs have the possibility to exercise certain rights, including the right of access if necessary, to settle the deceased's estate.
The Act specifies the formal powers of CNIL, and its Restricted Committee and/or chairperson, to take corrective actions and impose sanctions in case of breach by controllers or processors of their obligations under the GDPR or the Act, or against a certification body (Articles 20 to 23 of the Act).
Whereas the sanction procedure under the previous regime was conducted in two steps (an optional notice phase followed by an adversarial sanction phase), CNIL's chairperson or Restricted Committee can now carry out actions and impose sanctions, when there is a need to act in order to protect the rights and liberties of data subjects, in the following graduated manner (Article 20 of the Act):
- initial warning;
- formal notice to comply within a certain period; and
if the controller/processor is still in breach, it can:
- issue a call to order;
- issue an injunction to comply with the GDPR or the FDPA (under penalty of up to €100,000 per day of delay);
- order temporary or definitive restriction on processing;
- prohibit processing or withdraw an authorisation under the GDPR or the FDPA; and/or
- suspend data flows to a third country or international organisation.
Corrective actions and sanctions can also be carried out and/or imposed in case of urgency, such as temporary interruption of processing, restriction of processing and suspension of the controller/processor's certification, and the new power to request an urgent opinion or a binding decision from the European Data Protection Board ('EDPB') (Article 21(III) of the Act). However, in practice, CNIL rarely applies large sanctions and prefers a more cooperative approach, discussing with the controller/processor and working with them towards compliance.
The Act provides for the possible publication of sanctions in newspapers or other media, as a sanction, at the expense of the breaching party, and where, for instance, a high number of data subjects is involved (Article 22 of the Act).
In addition, it should be noted that the 2018 Ordinance added to the arsenal of criminal offences of the Act the fact of obstructing the action of CNIL, now punishable by a €15,000 fine (multiplied by five for legal entities) and one year's imprisonment (Article 226-22-2 of the Penal Code).
Finally, any administrative fine imposed by CNIL may be deducted from a criminal fine imposed by a French criminal judge in a pending similar procedure.
The GDPR provides for a €20 million cap or 4% of global turnover, for acts committed after 25 May 2018. The Digital Republic Act already anticipated and previously increased the maximum amount for fines from €150,000 to €3 million. In addition, controllers became obligated to individually inform data subjects of such sanction, and CNIL started being able to impose financial penalties without prior notice where the violation could not be brought into conformity.
The Act provides for an individual compensation procedure in relation to class actions (Article 37 of the Act). Class actions for consumer and competition law breaches were implemented in 2014 and their scope was extended in 2016 to other matters including personal data protection, discrimination, labour law, environmental law and health.
Therefore, although data protection class actions are not new under French law, their scope was limited before the GDPR, as they were only aimed at stopping a breach and did not provide for the possibility for data subjects to claim compensation. These compensation claims are now possible in court under the GDPR regime. Chapter 1 of Title V of Act No. 2016-1547 (only available in French here) and Chapter X of Title VII of Book VII of the Code of Administrative Justice (only available in French here) provide the procedural provisions dealing with class actions brought before a competent civil or administrative court.
The class of individuals who can bring an action is limited to:
- certain privacy associations, provided they have been 'regularly declared' (i.e. they have made the necessary declaration to the relevant prefecture of their title, object and registered office, as well as information on the persons responsible for their administration);
- consumers' associations (where the processing of the personal data affects consumers); and
- employees or civil servants' trade union representatives.
In addition, the class of individuals who can bring an action includes organisations whose object relates to the protection of rights and freedoms or involves the defence of interests in relation to the purposes of the contested processing (Article 38 of the Act), but only for the exercise of the data subjects' rights.
The judge may order, upon request during trial, a collective damages liquidation procedure or, after trial, an individual compensation procedure. Persons wishing to be compensated must belong to the class and apply individually by addressing a request to the person found liable or, if he or she has not responded to that request, to the claimant, who is then mandated to bring the matter before the judge for compensation. Individual compensation can also be obtained through mediation.
CNIL has issued various enforcement actions, which include the following, among others.
On 21 January 2019, CNIL imposed a financial penalty of €50 million against Google LLC, in accordance with the GDPR, for lack of transparency, inadequate information and lack of valid consent regarding personalised advertising. On 19 June 2020, the Conseil d'État dismissed the complaints against it and validated CNIL's decision (only available in French here).
On 26 November 2020, CNIL imposed a financial penalty of €2,250,000 and €800,000 against Carrefour France and Carrefour Banque for various violations of the GDPR (both only available in French here and here).
On 7 December 2020, CNIL imposed a financial penalty for a total of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED for failure to obtain users’ prior consent before placing advertising cookies and lack of information of the users of search engine google.fr (only available in French here).
On 20 July 2021, CNIL imposed a financial penalty of €1.75 million on AG2R La Mondiale Group for failing to comply with obligations relating to retention periods and information to individuals (only available in French here).
On 26 July 2021, CNIL imposed a financial penalty of €400,000 on Monsanto for failure to inform data subjects of the processing of their data for lobbying purposes (only available in French here).