France - Data Protection Overview
1. Governing Texts
In France, the French Act No. 2018-493 of 20 June 2018 (only available in French here) ('the Amendment Law') incorporates the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') provisions in the existing Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (only available in French here) ('the 1978 Act'), which governs the protection of personal data.
For greater clarity, the law has been rewritten via Ordinance No. 2018-1125 of 12 December 2018 (only available in French here) ('the 2018 Ordinance'), which took effect on June 1, 2019.
The French data protection authority (the Commission nationale de l'informatique et des libertés, 'CNIL') acts as the French supervisory authority and its guidelines clarify the 1978 Act.
Historically, France has been subject to the unamended 1978 Act, which created CNIL. It was enacted following the so-called 'SAFARI' scandal revealed in 1974 in the French newspaper Le Monde, regarding the French administration's plan to interconnect nominative files via social security numbers, which created the need to regulate the use of personal data.
The 1978 Act has been amended several times, including by Law No. 2004-801 of 6 August 2004 implementing Directive 95/46/CE on the protection of personal data (only available in French here), and in 2016 by the Act for a Digital Republic of 7 October 2016 ('the Digital Republic Act') (only available in French here), which anticipated the GDPR regarding algorithms, children, anonymization of criminal data in court decisions, financial sanctions, and, most importantly, France's characteristic feature: digital inheritance.
Almost a month after the entry into force of the GDPR, notwithstanding an emergency enactment procedure and the submission of provisions to the Conseil Constitutionnel ('French Constitutional Court') to ensure compliance with the French Constitution of 4 October 1958 (only available in French here), the Amendment Law finally modified Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (official version available in French here; unofficial English version available here) ('the Act') with a retroactive entry into force on May 25, 2018.
At that time, the GDPR implementation technique was characterized by France's symbolic choice to maintain the 1978 Act's architecture, preserving the principles identified 40 years earlier by the legislator and repealing only contradictory provisions. However, this method led to unsatisfactory results in terms of legibility. Some provisions appeared redundant, while others were unclear with regard to their practical application or ended up with a meaning diverging substantially from the GDPR provisions.
The first enforcement decree, published on August 3, 2018, Decree No. 2018-687 of 1 August 2018 (only available in French here) ('Decree No. 2018-687'), specifies the organization and functioning of CNIL (e.g. quorum, investigations, cooperation with other European authorities, complaint filing through an online form), provides that CNIL is to publish the lists of processing operations for which a Data Protection Impact Assessment ('DPIA') is required ('DPIA Blacklist') (CNIL has since fulfilled its mandate to issue its DPIA Blacklist in Deliberation No. 2018-328 of 11 October 2018; the full DPIA Blacklist issued by CNIL, including examples of such blacklisted processing operations, is only available in French here), details the data subjects' rights (e.g. the conditions and guarantees under which the rights of access, rectification, restriction and opposition may be waived in the event of data processing for scientific, historical research, or statistical purposes), establishes the list of categories of data processing (administrative, financial, operational, and medical) which may derogate from the data breach notification obligations, and coordinates the Code of Civil Procedure and the Penal Code ('the Penal Code'), in particular for the processing of criminal records.
With these clarifications provided, the criticisms raised against the Amendment Law were resolved with the adoption of the 2018 Ordinance, which finally modified the architecture of the 1978 Act by rewriting the entire text in order to improve its legibility, ensure consistency with other regulations in force, and correct any error and omission for coherence with the GDPR.
The Act is now organized around five titles relating to:
- common provisions, including definitions of the essential concepts by express reference to the GDPR, the material and territorial scope of application, the fundamental principles of personal data protection, the rules on sensitive data as well as those on the organization and functioning of CNIL, and finally the criminal provisions (Articles 1 to 41 of the Act);
- personal data processing provisions as provided for in the GDPR (Articles 42 to 86 of the Act);
- personal data processing provisions as provided for in the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) ('the Data Protection Directive') (Articles 87 to 114 of the Act);
- exclusively national personal data processing provisions concerning State security and defense (Articles 115 to 124 of the Act); and
- personal data processing provisions regarding Overseas France (i.e. French-administered territories outside Europe) (Articles 125 to 128 of the Act).
According to Article 3 of the amended Act, its provisions apply to the processing of personal data carried out in the context of the activities of a controller or processor established in France, whether or not the processing takes place in France.
Furthermore, and in addition to Decree No. 2018-687 which specifies the modalities of application and certain provisions of the Act and sets out more precisely the time periods and procedural rules applicable to the missions and powers of CNIL, other enforcement decrees were enacted to finalize French law's adaptation to European personal data protection regulations.
In particular, Decree No. 2019-536 of 29 May 2019 (only available in French here) ('the Implementing Decree') was published, constituting the final step in bringing national law into line with the GDPR. The Implementing Decree ensures the consistency of the revised 1978 Act with European regulation, specifies data subjects' rights, adapts procedural rules before CNIL, repeals Decree No. 2005-1309 of 20 October 2005 (only available in French here), and above all brings into force the Act as amended by the Ordinance No. 2018-1125.
Therefore, it is still the provisions of the 1978 Act integrating the GDPR and its decrees that set the general framework applicable to the protection of personal data in France.
CNIL regularly publishes guidance, mainly only available in French, on its website which, for the moment, relates more to the GDPR than the Act itself. Among such guidance, the following should be highlighted:
- The Six-Step GDPR Compliance Methodology (only available in French here);
- Recommendations on Data Protection Officers ('DPOs') (only available in French here);
- Recommendations on log records (only available in French here);
- Guidance on Employees' right of access to their personal data and work-related emails (only available in French here);
- Guidance on ISO 27701 and the Processing of Personal Data or Personally Identifiable Information (only available in French here);
- Guidance on the right to delisting (only available in French here);
- Guidelines on cookies and other trackers (only available in French here);
- Guidelines on Data Protection Impact Assessments ('DPIA') (only available in French here);
- Two reference methodologies for accessing the main National Health Data System (in French 'Système national des données de santé' or 'SNDS') (only available in French here);
- Updated guidance on whistleblowing (only available in French here);
- Guidance on the processing of personal data intended for the management of pharmacies (only available in French here);
- Practical factsheets on building learning databases for artificial intelligence (subject to consultation) (only available in French here); and
- Various other guidelines, recommendations and practical information on different topics such as anonymization techniques, employees' access rights, Binding Corporate Rules ('BCRs'), personal data breach notification, consent, and profiling (only available in French here).
In addition to general guidance, CNIL has also published a range of GDPR compliance tools, including online forms (e.g. personal data breach notifications (only available in French here), appointment of a data protection officer ('DPO') (only available in French here), etc.); templates (e.g. record of processing activities (available here), etc.); software (e.g. Privacy Impact Assessment software, an open-source tool to detect cookies deposited on users' devices by websites, etc.); and a tool to visualize the evolution of the Act over time, article by article, called 'the Life of Law'.
CNIL also launched, in 2021, a 'sandbox' with the aim of providing support and legal certainty to selected projects. For 2022, the CNIL sandbox was dedicated to digital tools in the field of education, or EdTech.
CNIL is also in the process of transforming its now-obsolete instruments, such as authorization procedures, into soft law guidance. For instance, in February 2022, CNIL published two reference documents, the Standard on Processing of Personal Data for the purposes of debt management (only available in French here) and the Standard on Processing of Personal Data for the purposes of commercial activities (only available in French here) (both constituting the 'commercial activities management' reference framework). Pending adoption of new standards, CNIL explained that its previous deliberations and authorizations can be used to 'orientate conformity'.
1.3. Case law
Since the entry into force of the GDPR, CNIL has sanctioned several breaches of the legislation and issued warnings against companies (sanctions available here).
For example, sanctions have notably been imposed for:
- failure to respect the right to object to processing;
- failure to comply with cookies requirements (especially lack of information and valid consent) (notably against Google for €150 million and Facebook for €60 million on December 31, 2021 (press release available here), and more recently against Criteo on June 15, 2023, and Voodoo, TikTok and Apple in three decisions adopted on December 29, 2022 (decisions only available in French here));
- failure to provide information to data subjects;
- failure to cooperate with the supervisory authority;
- data security breaches;
- failure to comply with the obligation to limit the data retention period;
- failure to comply with the obligation to facilitate the exercise of rights; and
- failure to comply with the obligation to process adequate and relevant data.
2. Scope of Application
As long as the processing concerns personal data, the Act applies whether the data controller or processor is a legal or natural person, public or private.
Article 48 of the Act also provides for the application of certain provisions (right of any person to lay down guidelines for the storage and deletion of their personal data after their death) of the Act to deceased individuals.
Article 3 of the Act provides that all the provisions of the Act apply to the processing of personal data carried out in the context of the activities of an establishment of a data controller or a data processor on the French territory, whether or not the processing takes place in France.
National rules adopted on the basis of the GDPR to adapt or supplement the rights and obligations of the GDPR will also apply where the data subject resides in France, including where the controller is not established in France. However, for processing carried out for journalistic, academic, artistic, or literary expression purposes the national rules applicable are those to which the data controller is subject when it is established in the European Union.
Article 2 of the Act provides that it applies to the automated processing of personal data and to the non-automated processing of personal data contained or intended to be contained in a filing system.
Processing carried out by natural persons in the course of strictly personal or domestic activities is not subject to the Act.
3.1. Main regulator for data protection
CNIL is the national supervisory authority according to the meaning and for the application of the GDPR. It is an independent administrative authority composed of 18 members, including parliamentarians, representatives of high courts, qualified public figures, and a chairperson.
As to institutional proceedings, the members meet in plenary sessions and, since 2004, CNIL's Restricted Committee, which is composed of five members and a Chair, can impose various sanctions in case of non-compliance with data protection legislation.
3.2. Main powers, duties and responsibilities
As the French data protection authority, CNIL's main mission is to control and audit compliance with data protection legislation and impose sanctions in case of a failure to remedy breaches.
Under the GDPR, CNIL's rights of entry and inspection remain essentially the same as under the previous French data protection regime, and while the nature of the premises subject to on-site searches is more clearly specified, they remain subject to professional secrecy. The Act now also expressly provides for the possibility of using a borrowed identity for online controls (even though the power to conduct online audits was established in 2014).
At the end of the audit process, CNIL examines the gathered information and documents and drafts an inspection report. When the breaches are noted as serious, CNIL can impose sanctions. However, the French Constitutional Court ruled that neither the warnings nor the formal notices pronounced by CNIL's chairperson according to Article 20 of the Act constitute 'sanctions' that are punitive in nature.
In addition to its historical responsibilities, CNIL is granted the power to adopt or encourage the development of new soft law instruments (such as guidelines, recommendations, codes of conduct, model regulations, reference methodologies for health data processing, certification mechanisms, standards, etc.).
Furthermore, since 2020, European cooperation has increased, and its mechanisms are now an integral part of CNIL's activity in the context of cross-border processing controls. For instance, in February 2022, CNIL, in cooperation with its European counterparts, was able to issue a formal notice to a website editor for its use of Google Analytics. Following the filing of 101 complaints in all 30 States of the European Economic Area ('EEA') by None of your business ('NOYB') (founded by Mr. Schrems), the European Data Protection Board ('EDPB') established a task force to jointly examine the legal issues raised and coordinate the EEA States' position. Thanks to this cooperation, CNIL ruled that personal data collected and processed through Google Analytics is transferred by Google to the United States without adequate safeguards excluding the possibility of access to personal data by US intelligence services. In 2021, CNIL participated, in close cooperation with the Luxembourg data protection authority ('CNPD'), in the procedure against Amazon Europe Core that resulted in the highest sanction pronounced by a European data protection authority to date (€746 million on July 16, 2021) (although Amazon's appeal is still pending and the decision is not yet enforceable). The claim had been addressed to CNIL by a French association.
For 2023, CNIL's control program (published on March 21, 2023) focused on the following areas: 'smart' cameras, the use of the personal credit repayment incidents file, access to medical records, and tracking by mobile applications. These four major concerns follow from:
- the publication of CNIL's 2022-2024 strategic plan, which makes the use of 'smart' cameras a priority topic. As a result, CNIL initiated a series of actions that include support for private and public players, but also investigations, particularly in the run-up to the Rugby World Cup in 2023 and the Olympic Games in 2024;
- frequent complaints on the management of Banque de France's personal credit incident file (FICP), which records information on serious payment incidents relating to overdrafts and loans granted for non-professional purposes, as well as information on over-indebtedness (only available in French here);
- the work of CNIL and the Ministry of Health on data security, for example concerning the general policy on the security of health information systems (PGSSI-S), the shared medical file (DMP), the health professional card ('CPS-eCPS'), the 'pro Santé connect' service, etc.
Following a first coordinated enforcement framework of the EDPB on cloud services in 2022, the CNIL and its counterparts will also organize a similar action to verify the appointment of data protection officers ('DPOs') and how they carry out their duties (see press release of the EDPB here).
4. Key Definitions
Data controller: There is no definition of 'data controller' in the Act. Article 2 refers to the definitions provided by Article 4 of the GDPR. Thus, a data controller is a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: Article 2 provides for the application of the definition of 'data processor' provided in Article 4 of the GDPR. Thus, a data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data: There is no definition of 'personal data' in the Act. Article 2 of the Act refers to the definitions provided by Article 4 of the GDPR. Thus, personal data is any information relating to an identified or identifiable natural person.
Data subject: There is no definition of 'data subject' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, a data subject is an identified or identifiable natural person.
Sensitive data: There is no definition of 'sensitive data' in the Act. However, Article 6 of the Act provides for the same definition as Article 9 of the GDPR. Thus, sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data, health data, data concerning sex life or sexual orientation of a natural person.
Health data: There is no definition of 'health data' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, health data means personal data related to the physical or mental health of a natural person.
Biometric data: There is no definition of 'biometric data' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.
Pseudonymization: There is no definition of 'pseudonymization' in the Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.
5. Legal Bases
Regarding a minor's consent, Article 45 of the Act specifies that a minor may consent alone to the processing of personal data with regard to the direct provision of information society services from the age of 15. Where the minor is under the age of 15, processing shall be lawful only if consent is given jointly by the minor concerned and the holder(s) of parental authority over that minor.
In addition, French Law No. 2023-566 of 7 July 2023 on the digital majority and the fight against online hate (only available in French here) imposes new obligations on social networks operating in France regarding minors. These service providers are required to:
- prevent minors under the age of 15 from subscribing to their services without the authorization of the holder(s) of parental authority; and
- implement technical solutions to verify the age of minors and the holder(s) of parental authority that comply with a set of guidelines to be drawn up by the French audiovisual and digital communications authority (ARCOM) in consultation with CNIL (publication forthcoming).
For the other legal bases, there are no variations from the GDPR.
Historical and scientific research purposes
The Act provides that personal data can be retained beyond the time necessary to fulfill historical, statistical, scientific purposes for which they are processed and that further processing for such purposes shall be considered compatible with the original purposes of data collection (Article 4 of the Act). Exemptions from the obligation of the controller to inform data subjects are provided for processing necessary to data retention for historical, statistical, or scientific purposes, where data was initially collected for another purpose (Article 79 of the Act).
The right of access provided for in the Act does not apply to personal data retained (Article 49 of the Act):
- in a form clearly excluding any risk to the privacy of the data subjects concerned;
- for a period not exceeding the time necessary for the sole purpose of establishing statistics or carrying out scientific or historical research; and
Finally, where processing is for archival purposes in the public interest, rules are determined by Articles L.211-2 and L. 212-3 of the French Estate Code (only available in French here) (Articles 4 and 78 of the Act).
Article 4 of the Act provides for the same principles as the GDPR; i.e.:
- lawfulness, fairness and transparency (the Act specifies that processing falling under the GDPR must be transparent);
- purpose limitation;
- data minimization: for this principle, the Act specifies that personal data must not be excessive for processing relating to:
  - the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties or detention orders on behalf of the State; and
  - State national security, defense or public security purposes;
- storage limitation; and
- integrity and confidentiality.
7. Controller and Processor Obligations
In accordance with the GDPR, France has abolished its prior notification regime (i.e. simplified or standard declarations or authorization requests are as a principle not required anymore); however, some processing must still be notified to CNIL for authorization or request for an opinion.
So far, CNIL has only identified processing of health data for research purposes and for public interest purposes as triggering this prior notification obligation and has published the relevant authorization request forms online (only available in French here).
In addition, Articles 31 and 32 of the Act provide that authorization by decree or ministerial ruling is required for processing:
- of special categories of data (sensitive data specified in Article 6(I) of the Act);
- biometric and genetic data necessary to identify persons or control identity on behalf of the State; and
- for State national security, defense or public security purposes, and relating to the prevention, search, finding or prosecution of criminal offenses or to the enforcement of criminal convictions or detention orders on behalf of the State (these 'sovereignty processing operations' remain unchanged).
Finally, the specific list of categories of controllers and purposes of processing using the social security number of natural persons ('NIR') has been published by Decree No. 2019-341 of 19 April 2019 (only available in French here), published on 21 June 2019.
The Act provides for the following two restrictions on data transfers:
- for the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
- for processing concerning State security and defense.
Regarding the processing relating to the prevention, investigation, detection or prosecution of criminal offenses or to the execution of criminal penalties or detention orders on behalf of the State, Article 112 of the Act provides that the data controller may only transfer data or authorize the transfer of data already transferred to a non-EU State when:
- the transfer is necessary for the purpose of the prevention, investigation, detection, and prosecution of criminal offenses or the execution of criminal penalties;
- the personal data is transferred to a controller established in that non-EU State or within an international organization which is a competent authority responsible for the prevention, investigation, detection, and prosecution of criminal offenses or the execution of criminal penalties in France;
- if the personal data originates from another State, the State that transmitted the data has previously authorized this transfer in accordance with its national law;
- as provided by Article 36 of the Data Protection Directive, in case of an adequacy decision or, in the absence of such a decision, a legally binding instrument providing appropriate safeguards or, in the absence of such a decision and instrument, the controller has assessed all the circumstances of the transfer and considers that there are such appropriate safeguards;
- the specific derogations of Article 38 of the Data Protection Directive apply; or
- the conditions of Article 39 of the Data Protection Directive are fulfilled.
Regarding processing for State national security, defense or public security purposes, Article 123 of the Act provides that the data controller may transfer personal data only if:
- the State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data;
- the specific derogations provided by Article 49 of the GDPR apply; or
- the transfer is authorized by a decree, issued after an opinion of the CNIL, where the processing guarantees an adequate level of protection of privacy and the fundamental rights and freedoms of individuals.
A new remedy is created for CNIL in terms of data transfers outside of the EU to implement the European Court of Justice's Judgment of 6 October 2015, Maximillian Schrems v. Data Protection Commissioner, C-362/14, EU:C:2015:650: where a case is submitted against a controller or processor in the context of data transfers to non-EU States or international organizations, and CNIL considers the grievances regarding the protection of the rights and liberties of a data subject to be founded (Article 39 of the Act).
CNIL can request the Conseil d'Etat ('Council of State'), the highest administrative court in France in charge of reviewing CNIL's decisions, to suspend data transfers to an 'adequate' country outside of the EU.
Following the Court of Justice of the European Union ('CJEU') decision of 16 July 2020 in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'), invalidating the 'Privacy Shield', and the adoption by the European Commission of the new Standard Contractual Clauses on June 4, 2021, CNIL has published detailed guidance to assist data controllers in identifying and managing transfers of personal data outside the EU (only available in French here). CNIL also published several guides and recommendations for transfers of personal data to the United States.
Following the EU Commission's adequacy decision for the EU-US Data Privacy Framework ('DPF'), according to which the EU Commission recognizes that the DPF ensures an adequate level of protection for personal data transferred from the EU to organizations in the US that are included in the Data Privacy Framework List (maintained and made publicly available by the U.S. Department of Commerce), the CNIL has released an FAQ on US adequacy (only available in French here).
The CNIL clarifies that organizations subject to the GDPR (controllers or processors) may now transfer personal data to certified organizations that have made an annual and public commitment to adhere to the DPF without being required to set up a transfer tool under Article 46 of the GDPR or rely on a derogation under Article 49 of the GDPR. The CNIL also recalls that transfers to US organizations outside the EU-US DPF require appropriate safeguards, such as standard contractual clauses, or any other transfer tool listed in Article 46 of the GDPR. In these cases, it is the data exporters' responsibility to conduct a transfer impact assessment (TIA) that may be based on the analysis of US legislation conducted by the European Commission in its new adequacy decision.
Articles 57 and 60 of the Act explicitly refer to Article 30 of the GDPR providing that the controller, processor and, where appropriate, their representative shall keep the data processing record under the conditions laid down in Article 30 of the GDPR.
Regarding the processing for the prevention, investigation, detection, or prosecution of criminal offences or to the execution of criminal penalties or detention orders on behalf of the State, Article 100 of the Act provides that the controller and its processor shall keep a data processing record as provided by Article 30 of the GDPR and this record shall also contain a general description of the measures aimed at ensuring a level of security appropriate to the risk, an indication of the legal basis of the processing operation, including transfers, for which the personal data are intended and, where appropriate, the use of profiling.
National activities subject to prior consultation/authorization
According to Article 62 of the Act, the controller must carry out a DPIA prior to the processing of personal data in the conditions provided for in Article 35 of the GDPR.
In addition to the DPIA Blacklist published by CNIL, which indicates activities which are subject to the requirement of a DPIA, CNIL has adopted, through Deliberation No. 2019-118 of 12 September 2019 (only available in French here), its list of processing activities which are not subject to the requirement of a DPIA ('the DPIA Whitelist').
A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.
Thus, generally, processing operations which fulfill at least two of the following criteria are subject to a DPIA:
- assessment/scoring (including profiling);
- automatic decision with legal or similar effect;
- systematic monitoring;
- collection of sensitive data;
- collection of personal data on a large scale;
- data crossing;
- vulnerable persons (patients, elderly, children, etc.);
- innovative use (use of a new technology); and
- exclusion of the benefit of a right/contract.
For example, if a company sets up a system which monitors the activity of its employees, this data processing meets the criteria of systematic monitoring and that of data concerning vulnerable persons, therefore the implementation of a DPIA will be necessary.
The DPIA Blacklist specifies 14 types of processing for which a DPIA is required, provided that these processing activities meet at least two of the above-mentioned criteria:
- health data processing carried out by health or medico-social establishments for the care of individuals;
- processing of genetic data from 'vulnerable' individuals (patients, employees, children, etc.);
- processing operations establishing persons' profiles for human resources management purposes;
- processing operations for the purpose of constantly monitoring the activity of the employees involved;
- processing for the purpose of social and health alerts and reports management;
- processing for the purpose of professional alerts and reports management;
- processing of health data required for the establishment of a data warehouse or registry;
- processing involving profiling of individuals which may result in their exclusion from the benefit of a contract, or in its suspension or rupture;
- shared processing of observed contractual breaches which may lead to the exclusion or suspension from the benefit of a contract;
- profiling processing using data from external sources;
- processing of biometric data for the purpose of uniquely identifying a natural person, including 'vulnerable' individuals (students, elderly, patients, asylum seekers, etc.);
- examination of requests for, and management of, social housing;
- processing for the purpose of providing social or medico-social support of individuals; and
- processing of large-scale location data.
If it appears that the level of residual risk of the processing remains high after conducting the DPIA, the controller is required by Article 63 of the Act to consult CNIL before carrying out such processing.
Practical tools are available in English on CNIL's website, such as the PIA software mentioned above which helps with reusing DPIAs, and DPIA guides (templates, knowledge bases, methodology, and guides applicable to connected objects).
National activities not subject to prior consultation/authorization
A DPIA is not required in the following cases:
- when processing does not present a high risk to the rights and liberties of data subjects;
- when the nature, scope, context and purposes of the proposed processing are very similar to a processing for which an impact assessment has already been conducted;
- where processing is legally required or necessary for the performance of a public service task (Article 6(1)(c) and (e) of the GDPR), provided that the following conditions are met:
  - it has a legal basis in EU or EU Member State legislation;
  - an impact assessment has already been conducted when this legal basis was adopted; and
  - this legislation regulates this processing operation; and
- when the processing corresponds to an exception determined by CNIL in accordance with Article 35(5) of the GDPR.
Regarding this final exemption, CNIL's DPIA Whitelist specifies that the following types of processing, among others, do not require a DPIA:
- processing implemented solely for human resources purposes and in accordance with the conditions laid down in the applicable texts, for the sole management of the staff of bodies employing fewer than 250 persons, with the exception of the use of profiling;
- processing for the purpose of supplier relationship management;
- processing implemented under the conditions provided for in the texts relating to the management of the electoral register of municipalities;
- processing for the management of the activities of works councils and committees;
- processing of health data necessary for the care of a patient by a health professional practicing in an individual capacity in a doctor's surgery, pharmacy or medical biology laboratory;
- processing operations carried out for the sole purpose of managing physical access controls and timetables for the calculation of working time, without any biometric devices, with the exception of processing operations revealing sensitive or highly personal data; and
- processing relating to breathalyzer tests, strictly regulated by a text and implemented in the context of transport activities for the sole purpose of preventing drivers from driving a vehicle under the influence of alcohol or drugs.
Article 57 of the Act provides that the controller shall appoint a data protection officer ('DPO') under the conditions of Chapter IV, Section 4 of the GDPR. Article 103 of the Act also provides for the mandatory appointment of a DPO, but only for competent authorities (i.e. a public authority or any other body or entity entrusted with the exercise of prerogatives of public authority, such as the judicial authority, the police, and repressive authorities) for the purposes of prevention, investigation, and prosecution of criminal offenses or the enforcement of criminal convictions, when acting as controllers.
CNIL has issued guidance on the appointment of a DPO specifically for competent authorities (only available in French here).
The appointment of a DPO is one of the key points of compliance for CNIL. It has strongly encouraged French companies to appoint DPOs, even where the company is not under an obligation to do so under the GDPR's criteria.
The appointment of the DPO must be notified online to CNIL by filling out a form with the contact details of the controller (or processor) and of the DPO. The notification to CNIL can be done online in four steps, only available in French, here.
CNIL offers guidance on the role of the DPO (only available in French here).
Furthermore, Deliberation No. 2018-318 of 20 September 2018 Adopting the Criteria of the Standard of Qualification of the DPO (only available in French here) ('Deliberation No. 2018-318') adopted the criteria of the certification reference system, setting out a list of 17 competencies required to be certified as a DPO, including:
- the DPO must understand the principles of, for example, lawful processing, data minimization, data accuracy, and data retention;
- the DPO must be able to identify the legal basis of a processing activity;
- the DPO must be able to organize and participate in data protection audits;
- the candidate must know how to identify personal data breaches which require notification to CNIL and data subjects; and
- the DPO must know whether or not it is necessary to carry out a DPIA.
Deliberation No. 2018-317 of 20 September 2018 Adopting the Criteria of the Reference Framework of Accreditation of Certification Bodies for the Certification of the Competences of the DPO (only available in French here) adopts the accreditation framework, setting out the criteria for organizations who wish to be certified by CNIL to certify DPOs according to the provisions of Deliberation No. 2018-318.
Article 58 of the Act refers to Article 33 of the GDPR for data breach notification to CNIL.
The Act also provides an obligation of communication of the data breach to the data subject in accordance with Article 34 of the GDPR, and specifies that for processing necessary to comply with a legal obligation or regarding a task of public interest, this obligation may be waived when it is likely to constitute a threat to national security, national defense or public safety, in the cases provided for in Article 85 of the Implementing Decree, namely:
- processing involving personal data likely to enable persons whose anonymity is protected to be directly or indirectly identified; and
- processing of administrative, financial and operational management data, as well as processing of health data.
The Act specifically requires providers of electronic communication services to document the breaches so CNIL can verify compliance and to notify a data breach to CNIL, as well as the data subject, except if CNIL finds that the controller has implemented appropriate protective measures to make the data concerned by the violation incomprehensible to any unauthorized person (Article 83 of the Act).
There are no specific provisions regarding the timeframes for retaining data in the Act.
However, CNIL published, in July 2020, a practical guide on data retention periods (only available in French here) ('the Practical Guide') detailing the main principles of personal data retention and providing practical advice on their implementation.
In particular, CNIL recommends assessing the retention period or the criteria for determining it with regard to the purposes of processing (e.g., the duration of the business relationship) and to keep documentation justifying this assessment. To this end, it provides an analysis grid to identify reasonable durations for each retention phase of personal data (i.e., current use, intermediate archiving and, where applicable, definitive archiving).
Although this provision was subject to lengthy parliamentary debates, the Act lowers the age for valid consent given by children from 16 to 15 years old regarding the offer of information society services (Article 45 of the Act). However, other processing, such as processing necessary to perform an online contract with a minor, will not need to comply with those provisions, due to the definition of information society services in Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998 amending Directive 98/34/EC laying down a Procedure for the Provision of Information in the field of Technical Standards and Regulations.
When the individual is younger than 15, consent will need to be provided jointly by the minor and their parent.
Controllers also are subject to an obligation of information towards such minor, the wording of which must be adapted to their age since children must be made aware of the risks of using the internet, notably when they create an account on social networks.
The new threshold of 15 years of age underlines the willingness to harmonize French legislation in general since it already corresponds to the sexual majority age and to the age at which health data can be factored in surveys.
On June 9, 2021, CNIL published a set of recommendations to strengthen the protection of minors' personal data online. These recommendations pursue the following objectives:
- regulating the ability of minors to act online;
- encouraging minors to exercise their rights;
- supporting parents in minors' digital education;
- seeking parental consent for minors under the age of 15;
- promoting parental control tools that respect the minor's privacy and best interests;
- strengthening the information and rights of minors through design;
- checking the age of the minor and parental consent to respect the child's privacy; and
- providing specific safeguards to protect the interests of the child.
For each of these objectives, CNIL has adopted dedicated recommendations and has recently published a great deal of educational content for children and their parents and teachers, including games and short videos.
Article 6 of the Act provides that it is prohibited to process the following sensitive data: personal data revealing the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of a natural person or to process genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.
As an exception, Article 6 provides that these sensitive data can be processed in the cases mentioned in Article 9(2) of the GDPR and for processing justified by public interest and duly authorized.
In addition, Article 44 of the Act provides that Article 6 of the Act does not apply for:
- processing necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services and carried out by a member of a health profession, or by another person bound by an obligation of professional secrecy by virtue of their duties;
- statistical processing carried out by the French National Institute of Statistics and Economic Studies ('Insee') or one of the ministerial statistical offices;
- processing of health data justified by the public interest and complying with Section 3 of Chapter III of the Act dedicated to processing of personal data in the health field;
- processing in accordance with CNIL standard regulations implemented by employers or administrations regarding biometric data strictly necessary to control access to workplaces, and to devices and applications used by the employees;
- processing of public information contained in court decisions; and
- processing necessary for public research, if carried out for an important public interest purpose.
Furthermore, for some specific data, the government chose to use the room for maneuver allowed by the GDPR and set a specific regime for its processing.
Regarding the processing of genetic or biometric data carried out on behalf of the State for the authentication or control of the identity of individuals, Article 32 of the Act provides that authorization by decree of the Council of State is required after the reasoned opinion of CNIL.
An authorization procedure is required for health data processing (Article 66 of the Act) (except in cases of health alerts in emergency situations (Article 67 of the Act)), and processing for research, study or evaluation purposes in the health field (Article 73 of the Act) that do not comply with CNIL's toolkits and model regulations, which can be established with the National Institute of Health Data, acknowledging that a simple declaration attesting compliance with these instruments shall allow implementation of such processing.
Section 3 of Chapter III, Title II of the Act provides that CNIL's authorization must be given within two months, otherwise the authorization is deemed granted unless the two-month period has been extended (Article 66 of the Act), and that controls will be operated by an audit committee created at the initiative of the government (Article 77 of the Act).
In addition, the regime includes specific provisions regarding minors aged 15 or over, who may in particular object to holders of parental authority having access to data concerning them collected in the course of the research, study, or evaluation in the health field, or being informed of such processing in the cases provided for in Article 70 of the Act.
Social security number ('NIR')
As per Article 30 of the Act, Decree No. 2019-341 of 19 April 2019 on the Implementation of Processing Operations Involving the Use of the Registration Number in the National Directory of Identification of Natural Persons or Requiring the Consultation of this Directory (only available in French here) ('the NIR Decree') lists categories of controllers and purposes allowed regarding processing activities using the NIR. It includes notably the following:
- processing for the fulfillment of their tasks in the field of social protection, including when the use of the registration number in the national identification register of natural persons is necessary for the performance of assessments, studies, statistics and research, or for the implementation of exchanges or processing operations involving several social protection actors;
- the National Public Health Agency, for the management and follow-up of health alerts; and
- companies, in order to fulfill their reporting obligations requiring the use of the registration number in the national identification register for natural persons, and for the automated processing of payroll and personnel management resulting from legal or regulatory provisions and collective agreements concerning declarations, calculation of contributions and payments to dedicated organizations.
The CNIL has also published guidance on the NIR Decree (only available in French here).
Criminal convictions and offences data
Criminal convictions are dealt with by Article 46 of the Act. Such processing can be implemented by:
- jurisdictions, public authorities, and legal persons managing a public service;
- auxiliaries of justice (such as mediators or experts) for the strict exercise of their functions, as well as entities collaborating with judicial entities;
- natural or legal persons, for the purpose of enabling them to prepare and, where appropriate, to initiate and follow legal proceedings as victims, defendants or on their behalf and to enforce the decision rendered;
- associations providing assistance to victims under agreement with the Ministry of Justice;
- collective management organizations acting on behalf of the intellectual property rights they manage, or on behalf of victims of intellectual property rights violations; and
- re-users of public information contained in court decisions, provided that processing is neither intended to nor has the effect of allowing the reidentification of the persons concerned.
With respect to the final point, Law No. 2016-1321 of 7 October 2016 for a Digital Republic (only available in French here) ('the Digital Republic Act') already imposed the implementation of a prior study in order to verify the possibility of reidentifying persons when the data is communicated.
In addition, Article 76 of the Decree of 29 May 2019 extended the list of persons authorized to process these categories of personal data to include:
- associations providing assistance for the reintegration of individuals placed under the authority of the justice system;
- educational, social or medico-social support institutions;
- public or private educational institutions, boarding schools and all authorized structures supporting juvenile delinquents; and
- judicial representatives designated for the protection of adults.
Article 60 of the Act explicitly refers to Article 28 of the GDPR providing that the processing carried out by a data processor shall be governed by a contract or any legal act binding the data processor and the data controller, in a written form, complying with the conditions laid down in Article 28 of the GDPR.
Regarding processing concerning State security and defense, according to Article 122 of the Act, the contract between the data processor and the data controller must contain an indication of the obligations of the data processor with regard to the protection of the security and confidentiality of the data and provides that the data processor may only act on the instructions of the data controller.
8. Data Subject Rights
Article 48 of the Act expressly refers to Articles 12 to 14 of the GDPR for the conditions of application of the right to information.
These articles list the information that the controller shall give to data subjects when personal data is collected directly from them or collected indirectly.
In addition to the information provided for in Articles 13 and 14 of the GDPR, Article 48 of the Act also provides that the controller shall give information to the data subject about the right to define guidelines on the fate of personal data after death (Article 48 of the Act).
However, this right to information can be limited. Besides the limitations provided for in the GDPR, data subjects' right to information is limited by the Act when:
- processing is carried out for the purposes of journalism or literary and artistic expression (Article 80 of the Act);
- processing is carried out for the purposes of prevention, investigation, and prosecution of criminal offenses in the conditions of Articles 107 and 108 of the Act;
- processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the Act); and
regarding the indirect collection of personal data, when:
- processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the Act); and
- processing is carried out on behalf of the State and is relevant to public security, or by public administration to check or recover taxes, or to check on the activities of legal and natural persons which may lead to the detection of an infringement or failure, an administrative fine or penalty (Article 48 of the Act, in application of Article 23 of the GDPR); and
- personal data is transmitted by an administrative authority to an intelligence service. In this case, data subjects are not entitled to be informed of this transmission (this exception was added to Article 48 of the Act by Law No. 2021-998 of 30 July 2021 on the prevention of acts of terrorism and on intelligence).
Regarding cookies, on September 17, 2020 CNIL published Deliberation No. 2020-091 (only available in French here) adopting guidelines on the application of Article 82 of the Act regarding the use of 'cookies and tracking devices' ('the Cookies Guidelines').
In the Cookies Guidelines, CNIL states that:
- navigation on a website can no longer be considered a valid expression of the user's consent. Individuals must explicitly consent to the placement of cookies by a clear positive action. Otherwise, cookies or trackers cannot be placed on their device;
- withdrawal of consent should be as easy as giving consent and possible at any time;
- refusal of cookies and trackers should be as easy as acceptance;
- individuals must be clearly informed of the purposes of the trackers before they consent, as well as the consequences of accepting or refusing them;
- individuals must be informed of the identity of all the actors depositing cookies on their devices, at the time consent is collected; and
- the organizations operating the trackers must be able to demonstrate, at any time, the valid collection of the user's consent.
CNIL also adopted practical recommendations to comply with the Cookies Guidelines, including good practices for collecting the user's consent and examples of user interfaces (only available in French here).
Finally, in a decision dated June 19, 2020, the Council of State ruled that CNIL could not impose a general and absolute ban on making access to a website conditional on the consent to the deposit of trackers for targeted advertising purposes (i.e. suppression of the provision of the guidelines prohibiting the practice of 'cookie walls'). Consequently, the CNIL has amended its Cookies Guidelines, but only on that particular aspect.
In addition, following complaints from the NOYB association, the CNIL, and its European counterparts, gathered within the Cookie Banner Task Force, published a report on cookie banners on January 17, 2023, setting out the common positions of the European supervisory authorities on the practices and design of cookie banners (available here). According to this report, the European supervisory authorities consider that the design of cookie banners must enable users to understand what they are consenting to and how to express their choice. In this respect, the authorities agreed that a case-by-case examination of cookie banners should be carried out to determine whether the design chosen is not manifestly misleading to users.
Variations within the Act on the GDPR's right to access consist of the following.
For processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, according to Article 52 of the Act, the right of access shall be addressed to the CNIL.
For processing carried out by the financial courts in the context of their non-judicial tasks as provided for by the Code of Financial Courts (only available in French here), Article 52 of the Act provides that the right of access may be restricted under the conditions laid down in Article 23(1)(e) and (h) of the GDPR.
Regarding health data, Article 64 of the Act provides that such data is to be communicated to the data subject, according to their choice, directly or through the intermediary of a doctor whom they designate for this purpose, in compliance with the provisions of Article L. 1111-7 of the Public Health Code (only available in French here). Article L. 1111-7 of the Public Health Code provides that, if no exceptions apply, the data must be communicated to the data subject no later than eight days after their request and no sooner than after a 48-hour period of reflection has been observed, and that specific conditions apply for minors.
Regarding the processing relating to the prevention, investigation, detection, or prosecution of criminal offenses or to the execution of criminal penalties or detention orders on behalf of the State, except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the Act provides that the data controller may refuse or limit the data subject's right of access if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for:
- avoiding hindering investigations, enquiries, or administrative or judicial proceedings;
- avoiding hindering the prevention, detection, investigation, or prosecution of criminal offenses or the execution of criminal sanctions; and
- protecting public security, national security, and the rights and freedoms of others.
In this case, the data controller shall inform the data subject, as soon as possible, of any refusal or limitation of access as well as the reasons for the refusal or limitation, except if this communication risks compromising one of the purposes set out above.
Regarding processing relating to State security and defense, Article 118 of the Act provides that requests to exercise the right of access are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defense or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of access may be exercised by the data subject with the controller directly.
Regarding the right to rectification, Article 50 of the Act explicitly refers to Article 16 of the GDPR.
Variations within the Act on the GDPR's right to rectification consist of the following.
According to Article 52 of the Act, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, the right of rectification shall be addressed to CNIL.
Regarding the processing relating to the prevention, investigation, detection, or prosecution of criminal offenses or to the enforcement of criminal convictions or detention orders on behalf of the State, Article 106 of the Act provides that the data subject has the right to obtain from the data controller, as soon as possible, the rectification of any inaccurate personal data concerning them.
The data controller shall:
- inform the data subject of any refusal to rectify and the reasons for the refusal;
- communicate the rectification of inaccurate personal data to the competent authority from which the data originated; and
- notify the recipients.
Except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the Act provides that, if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for (i) avoiding hindering investigations, enquiries or administrative or judicial proceedings; (ii) avoiding hindering the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal sanctions; or (iii) protecting public security, national security, and the rights and freedoms of others, the data controller may refrain from informing the person of the refusal to rectify personal data or of the reasons for this decision.
The data controller shall inform the data subject of the possibility of exercising their rights through CNIL or through legal recourse.
Regarding processing relating to State security and defense, Article 118 of the Act provides that requests to exercise the right of rectification are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defense or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of rectification may be exercised by the data subject with the controller directly.
Article 51 of the Act expressly refers to Article 17 of the GDPR for the implementation of the right to erasure.
Nevertheless, this right is subject to the limitations provided in Article 17 of the GDPR and additional limitations provided for in the Act:
- Article 106 (III) of the Act, regarding processing for the purposes of prevention, investigation, and prosecution of criminal offenses, provides that instead of deleting, the controller is entitled to only limit the processing in certain cases.
- Article 52 of the Act provides that, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to check or recover taxes, requests to exercise the right to erasure must be addressed to CNIL; the same applies, under Article 118 of the Act, to processing relating to State security and defense.
Under the Act, the right to erasure can be invoked in the context of processing for journalistic, artistic, or academic purposes, contrary to what is provided in Article 17(3)(a) of the GDPR. However, in the event of such a contradiction, Article 17 of the GDPR prevails, thus removing the right to erasure for processing with these specific purposes.
In addition, Article 51 of the Act contains specific provisions for the right to erasure when the data subject was a minor (i.e., under 18 years old) at the time of the data collection.
This provision deals specifically with the right to erasure in respect of personal data relating to children that is processed in the context of online services, also provided for in Article 17 of the GDPR referring to Article 8. The effect is that any request for erasure in that particular context, and any complaint handling process, will be dealt with under the Act, and not under Article 17 of the GDPR.
Finally, Article 51 of the Act provides that the data subject is entitled to refer to CNIL the non-execution of the deletion of personal data.
Regarding the right to de-referencing, the Council of State acknowledged the CJEU judgments of 24 September 2019 (Google LLC v. CNIL C‑507/17 and GC and others v. CNIL C‑136/17) and rendered several decisions (13 decisions dated December 6, 2019) (only available in French here) according to which (i) the right to de-referencing applies to the European territory, and (ii) when a request for de-referencing relates to sensitive data (including political opinions, religious or philosophical beliefs or sex life, as well as criminal convictions), a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information. The Council of State further published a legal note setting out the conditions applicable to the right to be forgotten (only available in French here).
The Act provides that the right of the data subject to object to processing can be exercised under the conditions of Article 21 of the GDPR (Article 56 of the Act).
Consequently, the Act is in line with the reduced scope of exercise of this right provided for by the GDPR. Indeed, whereas the right under Article 21 of the GDPR only applies to personal data processed under the 'legitimate interest' or 'public interest grounds' (though individuals can withdraw their consent to processing at any time, which is effectively also a right to object to processing based on consent), the Act used to provide, in its former version, that this right applied to personal data processed on the basis of all grounds other than the 'legal obligation' ground.
Moreover, the reduction in the scope of exercise of this right is also reflected in the exceptions to it, extended by the amended version of the Act. According to Article 56 of the Act, the right to object cannot be exercised where the processing is legally required, or where there is an overriding express provision authorizing the processing, in addition to the 'compelling legitimate interest' exception provided for in the GDPR (except in the case of marketing, where the right to object is absolute).
The Act does not implement variations of GDPR on the right to data portability, as it expressly refers to Article 20 of the GDPR.
Article 47 of the Act expressly forbids that a court decision involving an assessment of a person's conduct may be based on an automatic processing of personal data intended to evaluate certain aspects of the person's personality.
Article 47 of the Act also provides that no decision which has legal effects on or significantly affects a person may be taken solely on the basis of automated processing of personal data, including profiling. However, according to Article 47 of the Act, and except where the administration is ruling on an administrative appeal, this prohibition does not apply in the following cases:
- the exceptions provided for in Article 22 of the GDPR; and
- individual administrative decisions taken in compliance with French legislation, provided that the processing does not involve sensitive data referred to in Article 6 of the Act, and that the controller ensures that the algorithmic processing and its developments are controlled in order to be able to explain to the data subject the way in which the processing has been carried out.
There are no such limitations regarding processing relating to State security and defense (Article 120 of the Act) and processing for the purposes of prevention, investigation, and prosecution of criminal offenses (Article 95 of the Act). Article 95 of the Act adds that any profiling that discriminates against natural persons on the basis of special categories of personal data is prohibited.
Right to restriction of processing
The Act does not implement variations of GDPR on the right to restriction of processing, as it expressly refers to Article 18 of the GDPR.
Right of deceased individuals
Although, as a matter of principle, Article 84 of the Act provides that the data subject's rights expire upon their death, Article 85 of the Act also introduces some additional rights for the deceased, as introduced by the Digital Republic Act. It allows data subjects to provide guidelines as to the fate of their data after death (erasure or retention of data, or communication to a third party). Even though it initially targeted social media companies, it applies to every organization. A person can be designated to carry out these instructions, and thus has authority, upon the death of the data subject, to read the directives and request their implementation by the controller concerned. These guidelines can be general (where they relate to all data concerning the data subject) or specific (where they only concern specific data processing operations):
- general guidelines can be entrusted to a trusted third party which will be certified by CNIL; or
- special guidelines can also be entrusted to controllers (social networks, online messaging, etc.) in the event of death; they are subject to the specific consent of the data subject and may not result solely from the latter's approval of the general conditions of use.
In the absence of guidelines, the heirs have the possibility to exercise certain rights, including the right of access, if necessary, to settle the deceased's estate.
The Act specifies the formal powers of CNIL, and its Restricted Committee and/or chairperson, to take corrective actions and impose sanctions in case of breach by controllers or processors of their obligations under the GDPR or the Act, or against a certification body (Articles 20 to 23 of the Act).
Whereas the sanction procedure under the previous regime was conducted in two steps (an optional notice phase followed by an adversarial sanction phase), CNIL's chairperson or Restricted Committee can now carry out actions and impose sanctions, when there is a need to act in order to protect the rights and liberties of data subjects, in the following graduated manner (Article 20 of the Act):
- initial warning;
- formal notice to comply within a certain period; and
if the controller/processor is still in breach, it can:
- issue a call to order;
- issue an injunction to comply with the GDPR or the Act (under penalty of up to €100,000 per late day);
- order temporary or definitive restriction on processing;
- revoke a certification, or order the certifying body to refuse or withdraw a certification that has been granted;
- prohibit processing or withdraw an authorization under the GDPR or the Act;
- suspend data flows to a third country or international organization; and/or
- suspend partially or totally the approval of BCRs.
Furthermore, Act No. 2022-52 of 24 January 2022 relating to criminal liability and internal security (only available in French here) ('Act No. 2022-52') introduced a new Article 22-1 to the Act which sets forth a simplified enforcement procedure. This simplified procedure may only be initiated by the chairman of the Restricted Committee, taking into consideration the seriousness of the breaches observed, if the following conditions are met:
- the chairman of the Restricted Committee considers that the following corrective measures are appropriate:
  - call to order; and/or
  - injunction to comply with the GDPR or the Act, provided that the penalty does not exceed €100 for each day of delay; and/or
  - administrative fine pursuant to the GDPR or the Act, provided that the fine does not exceed €20,000; and
- the chairman of the Restricted Committee considers that the case does not present any particular difficulty, in light of the established case law or previous decisions issued by the Restricted Committee.
Corrective actions and sanctions can also be carried out and/or imposed in case of urgency, such as temporary interruption of processing, restriction of processing and suspension of the controller/processor's certification, and the new power to request an urgent opinion or a binding decision from the EDPB (Article 21(III) of the Act). However, in practice, CNIL rarely applies large sanctions and prefers a more cooperative approach, discussing with the controller/processor and working with them towards compliance.
The Act provides for the possible publication of sanctions in newspapers or other media, as a sanction, at the expense of the breaching party, and where, for instance, a high number of data subjects is involved (Article 22 of the Act).
It should also be noted that the 2018 Ordinance added to the arsenal of criminal offenses of the Act the fact of obstructing the action of CNIL, now punishable by a €15,000 fine (multiplied by five for legal entities) and one year's imprisonment (Article 226-22-2 of the Penal Code).
Furthermore, any administrative fine imposed by CNIL may be deducted from a criminal fine imposed by a French criminal judge in a pending similar procedure.
The GDPR provides for a €20 million cap or 4% of global turnover, for acts committed after May 25, 2018. Article 20 of the Act now provides for fines up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. In addition, controllers became obligated to individually inform data subjects of such sanction, and CNIL started being able to impose financial penalties without prior notice where the violation could not be brought into conformity.
Finally, the last paragraph (IV) of Article 20 of the Act, added by the Act No. 2022-52, provides that when a case has been referred to the Restricted Committee, the chairman may order the respondent to produce the elements requested by the CNIL and, if the respondent failed to respond to a previous formal notice, a penalty which may not exceed €100 per day of delay may also be issued.
The Act provides for an individual compensation procedure in relation to class actions (Article 37 of the Act). Class actions for consumer and competition law breaches were implemented in 2014 and their scope was extended in 2016 to other matters including personal data protection, discrimination, labor law, environmental law and health.
Therefore, although data protection class actions are not new under French law, their scope was limited before the GDPR, as they were only aimed at stopping a breach and did not provide for the possibility for data subjects to claim compensation. Such compensation claims are now possible in court under the GDPR regime. Chapter 1 of Title V of Act No. 2016-1547 (only available in French here) and Chapter X of Title VII of Book VII of the Code of Administrative Justice (only available in French here) provide the procedural provisions governing class actions brought before a competent civil or administrative court.
The class of individuals who can bring an action is limited to:
- certain privacy associations, provided they have been 'regularly declared' (i.e. they have made the necessary declaration to the relevant prefecture of their title, object and registered office, as well as information on the persons responsible for their administration);
- consumers' associations (where the processing of the personal data affects consumers); and
- employees or civil servants' trade union representatives.
In addition, the class of individuals who can bring an action includes organizations whose object is relating to the protection of rights and freedoms or involves the defense of interests in relation to the purposes of the contentious processing (Article 38 of the Act) but only for the exercise of the data subjects' rights.
The judge may order, upon request during trial, a collective damages liquidation procedure or, after trial, an individual compensation procedure. Persons wishing to be compensated must belong to the class and apply individually by addressing a request to the person found liable or, if that person has not responded to the request, to the claimant, who then receives a mandate to refer the matter to the judge for compensation. Individual compensation can also be obtained through mediation.
CNIL has issued various enforcement actions, which include the following, among others.
On January 21, 2019, CNIL imposed a financial penalty of €50 million against Google LLC, in accordance with the GDPR, for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising. On June 19, 2020, the Council of State dismissed the complaints against it and validated CNIL's decision (only available in French here).
On November 26, 2020, CNIL imposed a financial penalty of €2,250,000 and €800,000 against Carrefour France and Carrefour Banque for various violations of the GDPR (both only available in French here and here).
On December 7, 2020, CNIL imposed a financial penalty for a total of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED for failure to obtain users' prior consent before placing advertising cookies and lack of information of the users of search engine google.fr (only available in French here).
On July 20, 2021, CNIL imposed a financial penalty of €1.75 million on AG2R La Mondiale Group for failing to comply with obligations relating to retention periods and information to individuals (only available in French here).
On July 26, 2021, CNIL imposed a financial penalty of €400,000 on Monsanto for failure to inform data subjects of the processing of their data for lobbying purposes (only available in French here).
On June 23, 2022, CNIL imposed a financial penalty of €1 million on TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE for failure to comply with its obligations regarding direct marketing (right to object) and to respect data subjects' rights to information, right of access and right to object (only available in French here).
On October 20, 2022, CNIL imposed a financial penalty of €20 million against CLEARVIEW AI for unlawful processing of personal data, failure to respect individuals' rights and lack of cooperation with the CNIL. In addition, the CNIL issued an order to cease collecting and using data on individuals in France without a legal basis and delete those data already collected. The CNIL added to this injunction a penalty of €100,000 per day of delay (courtesy translation available here).
On December 29, 2022, CNIL imposed a financial penalty of €3 million against VOODOO, a smartphone games publisher, for using a technical identifier for advertising purposes without the user's consent (only available in French here).
On June 15, 2023, CNIL imposed a financial penalty of €40 million against CRITEO, a digital marketing company, in particular for failing to ensure that its partners (e.g. publishers) obtained consent from their users for the use of Criteo's cookie (only available in French here).
On October 12, 2023, CNIL imposed a financial penalty of €600,000 against GROUPE CANAL+, in particular for failing to comply with its obligations regarding commercial prospecting and to facilitate the exercise of data subjects' rights (including the right to be informed and the right of access) (only available in French here).