The New Data Privacy and Protection Landscape in France
The French Act No. 2018-493 of 20 June 2018, or the FDPA for short, is a data privacy law that was recently passed in France. As France is an EU member state, the French Act No. 2018-493 of 20 June 2018 implements the provisions of the General Data Protection Regulation, or GDPR for short, into French law. As such, both the French Act No. 2018-493 of 20 June 2018 and the EU’s GDPR outline the legal framework under which personal data may be collected and processed within France. Moreover, both pieces of legislation also establish the potential penalties that data controllers and processors stand to face should they violate the rights of French citizens as they pertain to data protection.
What is the scope and application of the French Act No. 2018-493 of 20 June 2018?
In terms of the scope and application of the French Act No. 2018-493 of 20 June 2018, the personal scope of the law applies to all legal or natural persons, whether public or private, who collect or process personal data within France, provided that said collection or processing activities concern personal data. Furthermore, as it relates to the territorial scope of the law, the law also applies to “the processing of personal data carried out in the context of the activities of an establishment of a data controller or a data processor on the French territory, whether or not the processing takes place in France.” Additionally, the material scope of the law extends to “the automated processing of personal data and to the non-automated processing of personal data contained or destined to appear in filing system.”
What are the requirements of data controllers and processors under the French Act No. 2018-493 of 20 June 2018?
As the French Act No. 2018-493 of 20 June 2018 was passed for the purposes of implementing the EU’s GDPR law into French law, the requirements of data controllers and processors remain largely unchanged. To this point, data controllers and processors within France must adhere to the data protection principles that were established by the EU’s GDPR law, which include but are not limited to the lawfulness, fairness, and transparency of data processing, as well as the integrity and confidentiality of personal data that is processed. However, there are some variations between the two laws as it relates to the requirements of data controllers and processors. For example, the law places certain restrictions on data transfers, stating that said transfers can only take place under the following circumstances:
- For the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties; and
- For processing concerning State security and defense.
What’s more, while the EU’s GDPR mandates that data controllers and processors carry out Data Protection Impact Assessments, or DPIAs, prior to collecting or processing personal data, the French Act No. 2018-493 of 20 June 2018 further defines the requirements for said DPIAs. To this end, the French data protection authority, or the CNIL for short, published a “Blacklist” outlining the different data processing activities that were subject to the requirements of a DPIA. The activities included on said “Blacklist” include but are not limited to “health data processing carried out by health or medico-social establishment for the care of individuals, processing operations for the purpose of constantly monitoring the activity of the employees involved, and processing involving profiling of individuals which may result in their exclusion from the benefit of a contract, or in its suspension or rupture.”
What are the rights of French citizens under the French Act No. 2018-493 of 20 June 2018?
In accordance with the EU’s GDPR law, French citizens have the following rights under the French Act No. 2018-493 of 20 June 2018:
- The right to be informed.
- The right to access.
- The right to rectification.
- The right to erasure.
- The right to object or opt-out.
- The right to data portability.
- The right to the restriction of processing.
- Rights concerning deceased individuals.
In terms of the penalties and punishments that can be imposed against data controllers and processors who fail to comply with the law, the French Act No. 2018-493 of 20 June 2018 is enforced by the CNIL. As such, the CNIL has the authority to impose a variety of sanctions against individuals and organizations who violate the rights of French citizens. Such sanctions include an injunction to comply with the GDPR and the FDPA, a monetary penalty of up to € 100 000 ($113,265) for each day that a data controller or processor fails to comply with said injunction, and an order to either temporarily or permanently suspend the collection and processing of personal data. What’s more, the law also provides French citizens with the right to seek “individual compensation procedure in relation to class actions (Article 37 of the Act).”
Through the provisions of the EU’s GDPR and the FDPA, French citizens can rest assured that their personal data is being protected at all times. Through the establishment of these laws, data controllers and processors who misuse the personal data of French citizens are subject to very strict punishments. This is particularly true as it pertains to the class action lawsuits regarding the FDPA, as such provisions are not common in privacy laws outside of the scope of the U.S. As such, France is in many respects leading the way for data protection among EU member states, as the country has taken powerful steps to ensure that the personal privacy of its citizens is protected at the highest level.