History of Data Protection in FRANCE
France introduced legislation relating to personal data and computer files as far back as the late
1970s, with law Nr. 79-17 of 6 January 1978. This Act also set up the French Data Protection
Authority, the CNIL. Legislation covering research conducted in the health sector was introduced in
1994.
Despite this early start in introducing data protection legislation in France, it took 9 years for Directive
95/46/EC to be introduced. In the meantime, the protection of privacy during the processing of
information was covered in a piecemeal fashion, by the Law of 12 April 2000 on the Rights of Citizens
and their Relationship with Administration, and the Law of 4 March 2002 on Patients' Rights.
Following a lengthy legislative process, the Directive was finally incorporated into French law with Law
Nr. 2004-801 of 6 August 2004 relating to the Protection of Data Subjects as Regards the Processing
of Personal Data. This law amended the 1978 law, and the bulk of it came into force immediately.
Name of supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
General Powers of supervisory authority:
The CNIL's duties are outlined in Article 11 of the new Law. As in the 1978
Act, the CNIL registers notifications, informs on rights, and oversees the correct
application of the law (advice and warnings). It also provides opinions on the
legitimacy of the processing (authorization requests), and engages in
jurisdictional recourse in the case of a breach of the law and oversees the
whole procedure. The CNIL also has the power to control the initiation of the
processing (Article 44), as well as the power to impose sanctions, for
example: warnings, injunctions to stop the processing, and financial
sanctions (Articles 45 to 49).
The CNIL can also carry out on-the-spot audits concerning any file containing
personal data, and issue warnings to the controllers if required, or inform the
public prosecutor.
Finally, the CNIL plays the role of intermediary between data subjects and
controllers (through the request to access). At the request of the professional
organizations that represent controllers, the CNIL assesses the ‘professional
rules’ and gives labels to products or procedures recognized as conforming
to the Law (Article 11-3˚ a, b, c) as provided by Article 27 of the Directive.
What are the penalties for data controllers if they breach the law?
Article 45 of the 2004 law sets out the sanctions for breaches of the law.
These include fines, imprisonment, publishing the information of the case in
newspapers or other publications (for which the sanctioned person must
pay), ceasing processing operations and removing the controller's
authorisation to process.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)?
Yes. The processing of identification numbers by private bodies must be
authorised by the Supervisory Authority. The processing of identification
numbers by public bodies must be authorised by decree taken by the Conseil
d'Etat after opinion given by the CNIL.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate?
It is probably necessary to get consent when it is not impracticable or
inappropriate.
Does the Data Protection Legislation cover the deceased?
No. In French law, the notion of ‘physical persons’ only concerns living
persons.
CHAPTER I
PRINCIPLES AND DEFINITIONS
SECTION 1.
Data processing shall be at the service of every citizen. It shall develop in the
context of international co-operation. It shall infringe neither human identity,
nor the rights of man, nor privacy, nor individual or public liberties.
SECTION 2.
SECTION 3.
Any person shall be entitled to know and to dispute the data and logic used in
automatic processing the results of which are asserted against him.
SECTION 4.
For the purposes of this Act, personal data are data which permit, in any form, directly
or indirectly, the identification of the natural persons to which they relate,
irrespective of whether the processing is done by a natural or legal person.
SECTION 5.
For the purposes of the Act the automatic processing of personal data means
any series of operations effected by automatic means, involving the collection,
recording, preparation, modification, storage and destruction of personal data as
well as any series of such operations relating to the use of files or data bases,
including interconnections or comparisons, the consultation or communication
of personal data.
CHAPTER II
THE NATIONAL DATA PROCESSING AND LIBERTIES COMMISSION
SECTION 6.
The appropriations required by the national Commission for its operations shall
be included in the budget of the Ministry of Justice. The provisions of the Audit
Act of 10 August 1922 shall not apply to the administration thereof. The
Commission's accounts shall be audited by the Cour des Comptes.
SECTION 8.
It shall consist of 17 members designated for five years or the duration of their
term in office:
- two deputies and two senators elected respectively by the national Assembly
and the Senate;
- two members or former members of the Cour des Comptes, one ranking as
"conseiller-maitre" or higher, elected by the general assembly of the Cour des
Comptes;
SECTION 9.
He may within ten days after a matter has been discussed, call for a further
meeting to reconsider it.
SECTION 10.
The Commission shall have staff under the control of the Chairman or, on
delegation of authority, of a Vice-Chairman.
The Commission may delegate its powers under Sections 16, 17 and 21 (4), (5)
and (6) to the Chairman or Vice-Chairman Delegate.
The Commission may request the senior presiding judges of courts of appeal or
the chief judges of administrative courts to assign a judge of their court, if
necessary assisted by experts, to carry out investigations and inspections under
its supervision.
SECTION 12.
SECTION 13.
The members of the National Data Processing and Liberties Commission shall
take no orders from any authority in the performance of their duties.
CHAPTER III
FORMALITIES PRIOR TO COMMENCING AUTOMATIC DATA PROCESSING
SECTION 14.
The National Data Processing and Liberties Commission shall ensure that
public or private automatic processing of personal data is carried out in
accordance with this Act.
SECTION 15.
If the Commission fails to notify its opinion within two months, which time
may be extended for a like period once by the Chairman, such opinion shall be
deemed to be favorable.
SECTION 16.
SECTION 17.
For the most common types of public or private processing, which manifestly
do not infringe privacy or liberties, the Commission shall set and publish
simplified rules based on the characteristics set forth in Section 19.
SECTION 18.
- the person making the application and the person empowered to decide on
the processing or, if such a person resides abroad, his representative in
France;
- the categories of persons who, by reason of their duties or for the needs of
the department, have direct access to the data recorded;
- the personal data processed, their source and the duration of storage, as
well as the addressees or categories of addressees authorized to receive such
data;
- the steps taken to provide for security of the processing and the data and to
safeguard secrets protected by law;
Some of the particulars listed above may be omitted from applications for
opinions relating to the automatic processing of personal data affecting national
security, defense or public safety.
SECTION 20.
Decrees made in the Conseil d'Etat may provide that the regulations relating to
certain processing affecting national security, defense and public safety shall
not be published.
SECTION 21.
1. shall issue individual rulings or general regulations in the cases provided for
in this Act;
4. shall issue warnings to those concerned and report violations to the public
prosecutor, pursuant to Article 40 of the Code of Criminal Procedure;
5. shall ensure that the procedures for giving effect to the right of access and
correction laid down in the regulations and declarations provided for in
Sections 15 and 16 do not hinder the free exercise of such right;
6. shall receive claims, petitions and complaints;
SECTION 22.
- the Act or official decision authorizing its establishment or the date of the
declaration;
- the department regarding which the right of access provided under Chapter
V below is to be exercised;
SECTION 23.
The Commission shall submit a yearly report to the President of the Republic
and to parliament on the discharge of its duties. This report shall be published.
The report shall describe, inter alia, the procedures and working methods of the
Commission and shall contain in an appendix any information about the
organization of the Commission and its departments which may facilitate
relations of the public with the Commission.
SECTION 24.
CHAPTER IV
COLLECTION, RECORDING AND STORAGE OF PERSONAL DATA
SECTION 25.
SECTION 26.
Any natural person is entitled to object, for due cause, to the processing of
personal data concerning him.
This right shall not apply to processing limitatively designated in the regulation
provided for in Section 15.
SECTION 27.
- as to the natural or legal persons for whom the data are intended;
When such data are obtained by questionnaires, these must mention the above
requirements.
These provisions shall not apply to the collection of data required for purposes of
criminal investigation.
SECTION 28.
Unless otherwise provided by law, the data may not be stored in personal form
beyond the period stated in the application for opinion or in the declaration,
unless such storage is authorized by the Commission.
SECTION 29.
Any person processing personal data or ordering such processing thereby shall
undertake, vis-a-vis the persons concerned, to see that all necessary precautions
are taken to protect the data and in particular to prevent these from being
distorted, damaged or disclosed to unauthorized third parties.
SECTION 30.
Unless otherwise provided by law, only the courts and public authorities acting
within the scope of their legal powers and, on favorable opinion of the National
Commission, legal persons managing a public service may engage in the
automatic processing of personal data relating to criminal offenses, convictions
or security measures.
Until implementation of the file of motor vehicle drivers provided by Act 70-539
of June 1970, insurance companies shall be authorized, under Commission
supervision, to process themselves the data mentioned in Section 5 of that Act
relative to the persons covered by the last paragraph of such Section.
SECTION 31.
Access to the voter list is given under identical conditions to candidates and
political parties under the control of campaign commissions.
SECTION 33.
Sections 23, 30 and 31 shall not apply to personal data processed by press or
broadcasting organizations under the laws governing them, if application of
those sections would have the effect of restricting freedom of expression.
CHAPTER V
EXERCISE OF RIGHT OF ACCESS
SECTION 34.
Any person proving his identity shall be entitled to question the departments or
organizations using automatic processing, a list of which shall be available to
the public under Section 22 above, to determine whether such processing
involves personal data concerning him, and if they do, to obtain access thereto.
SECTION 35.
- time to respond;
SECTION 36.
In the event of dispute, the onus of proof shall be on the department in relation
to which the right of access is exercised, unless it appears that the disputed data
were disclosed by or with the consent of the person concerned.
When the holder of a right of access has a record altered, the charge paid
pursuant to Section 35 shall be refunded.
SECTION 37.
SECTION 38.
If an item of data has been sent to a third party, its correction or deletion must
be notified to such party unless the Commission waives such a proceeding.
SECTION 39.
SECTION 40.
CHAPTER VI
PENAL PROVISIONS
SECTION 41.
Whoever engages in the automatic processing of personal data, or has such data
so processed without publication of the official decisions provided for in
Section 15 or without filing the declarations as provided in Section 16 shall be
imprisoned for six months to three years, or fined 2,000 to 200,000 francs, or
both.
The court may also order publication of the judgment in full or in part in one or
more newspapers, and public display thereof as it may determine, at the guilty
party's cost.
SECTION 42.
The court may also order publication of the judgment in full or in part in one or
more newspapers and public display thereof as it may determine, at the guilty
party's cost.
SECTION 43.
Any person who, in connection with recording, filing, transmittal or any other
form of processing, obtains personal data, disclosure of which would impair
reputation or standing or invade privacy, and who knowingly and without the
authorization of the person concerned discloses such data to any party not
authorized to receive them under this or any other Act, shall be imprisoned for
two to six months, fined 2,000 to 20,000 francs, or both.
Whoever imprudently or negligently discloses or allows disclosures of data
described in the preceding paragraph shall be fined 2,000 to 20,000 francs.
SECTION 44.
CHAPTER VII
MISCELLANEOUS
SECTION 45.
The provisions of Sections 25, 27, 29, 30, 31, 32 and 33 relative to the
acquisition, recording and storage of personal data shall apply to
non-automated or mechanized files other than those involving strict exercise of the
right of privacy.
The first paragraph of Section 26 shall apply to the same files, except public files
designated by official decision.
Decrees made in the Conseil d'Etat shall specify arrangements for giving effect
to this Act. They shall be enacted within six months of promulgation hereof.
Such decrees shall fix the time when the provisions of this Act shall take
effect. Such time shall not exceed two years after the promulgation of this Act.
SECTION 47.
SECTION 48.
The Commission may, however, by special ruling, apply Section 15 and fix the
time within which the regulation covering processing must be adopted.
Two years after the promulgation of this Act, all processing covered by Section
15 shall comply with the requirements of such Section.
ALAIN PEYREFITTE
YVON BOURGES
FERNAND ICART
RENE MONORY
SIMONE VEIL
French Data Protection Agency (CNIL) Releases New Guidelines on “Discovery”
General
The CNIL states in its detailed “Deliberation 2009-474” (in French only) that the volume and scope of
document discovery in U.S. proceedings has significantly increased. It reiterates that all data flows
out of France for litigation purposes must be in line with the French Data Protection Law of 1978 (as
amended): “Obtaining an authorization from a French judge to send documents to the U.S. (through
a “letter of request” addressed to the French chancellery) does not release a company from the
obligation to respect French [data protection] law, in particular the provisions on data flows out of the
EU....”
Is Prior Consent of the CNIL Required?
One key issue for U.S. litigants is when prior consent of the CNIL is required, irrespective of other
regulations and treaties (such as the 1970 Hague Convention on Obtaining Evidence Abroad that
the U.S. and France have ratified). The CNIL makes the following clarifications:
- The CNIL’s prior consent is NOT required for personal data transfers to the U.S. for litigation
or investigation purposes (SEC, FTC, etc.) if: (i) it is a single data transfer, and (ii) the amount of
information transferred is “not massive.” The CNIL still must be notified of the data transfer.
- Data transfers that go beyond this threshold (i.e., “massive and repeated data transfers”) are
only allowed if: (i) the receiving party in the U.S. signs the EU/U.S. Safe Harbor Principles, (ii) the
parties use the EU contractual clauses for international data transfers, or (iii) the parties adhere to
the Binding Corporate Rules (a complicated set of rules for corporate groups developed by the EU
that must be individually approved by the national data protection authorities).
- If the data are already located in the U.S., the data processor must ensure that the data are
“adequately protected” by the U.S. authorities, e.g., through a “stipulative court order” [probably a
Protective Order].
Various Additional Privacy Issues
The CNIL addresses a number of privacy requirements for personal data transferred to the U.S., for
instance:
- Prior consent of the individual: Prior consent of the individual can be a legitimate basis for
data transfers under the French data protection laws, provided that there is evidence that it is “free,
clear, specific” consent, in particular the consent must not be given “under pressure,” or merely to
avoid “sanctions.”
- Reducing the amount of data: The CNIL demands that personal data sent from France
must be “proportionate” and “adequate” with the discovery purpose. One method to ensure this is to
filter the data in France for key words to reduce its volume. The CNIL also recommends
anonymizing the data to the maximum extent.
- Data storage: Data sent to the U.S. may only be stored for the “duration of the proceedings.”
- Informing the individuals: Pursuant to French data protection laws, the individuals to whom
the personal data in France refer must be informed about the data transfer (exceptions may apply if
such disclosure “endangers the proceeding”). These individuals must have the right to know what is
sent and to “rectify” false or incomplete information about them.
Preliminary Observations
Many requirements that the CNIL stipulates in the Guidelines are open to interpretation. Given that
the European “Article 29 Working Party” of data protection representatives at the EC is also looking
into this issue on the European level (see Bingham’s e-discovery alerts of 02/23/09 and 02/11/2008),
this is probably not the last word from Europe. It remains to be seen how aggressively the CNIL will
enforce the new Guidelines.
Protection of personal data in France