21 December 2017
The Ministry of Justice published, on 13 December 2017, a draft law to amend Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (‘the Act’) in light of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) as well as the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (‘the Draft Law’).
Marc Lempérière, Partner at Almain Avocats, told DataGuidance, “In order to make sure that the Draft Law will be adopted by Parliament before 25 May 2018, it is subject to an accelerated procedure, which limits the number of readings by each chamber to one. It is quite limited in its scope and leaves the task of redrafting the entire Act to the Government through ordinance procedures to increase its legibility and remedy problems of coherence with the rest of French legislation. For instance, the Draft Law does not modify the Act with respect to the information that must be provided to data subjects, their rights with respect to their personal data (e.g. limitation and data portability), the transformation of the data protection correspondent into a data protection officer and data breaches. [Until] the Government makes all these changes by ordinance […] French citizens will need to read the GDPR and the Act together to determine which legislative provisions are applicable.”
As has been the case with several other Member States’ draft GDPR bills, the Draft Law seeks to take advantage of various derogations permitted under the GDPR, in particular in relation to the data processing of national identification numbers, processing of genetic or biometric data and data breach notification.
“Ten articles of the Draft Law concern the use of the derogations,” noted Lempérière. “Firstly, the Draft Law provides that French law shall apply when the GDPR refers to rules of national law when the data subject resides in France, including when the data controller does not reside in France, except with respect to laws concerning freedom of expression, where the law of the data controller shall apply. This reflects the concern shown by the Government that French data subjects should always be protected by French law. [In addition,] the Government utilised the exception provided for under Article 87 of the GDPR concerning the processing of national identity numbers, to establish a regime of prior authorisation. The Draft Law also provides for prior authorisations for the use of genetic or biometric data by public authorities and a specific regime is defined for the processing of health data. Moreover, the Draft Law allows data subjects to entrust the defence of their interests regarding infringements of the GDPR before the French data protection authority (‘CNIL’) to associations. Finally, the Government will issue a decree listing the data processing operations that are exempt from the obligation to notify data breaches in view of the risk this may represent to national security.”
Simultaneously with the publication of the Draft Law, CNIL published its assessment. In particular, CNIL welcomed the use of national derogations in relation to health data, as well as the fact that the Draft Law clarified the scope of its supervisory powers. CNIL did highlight, however, that it regretted that its proposals to adapt CNIL’s procedures to enable it to cope with the increase in activity related to the Draft Law had not been retained. In addition, CNIL noted the late timetable for the examination and publication of the Draft Law as well as related future ordinances.
Lempérière concluded, “[A further] aspect that is of interest will be the Government’s position with respect to the right to the future of deceased persons’ data. The Digital Republic Act 2016 introduced this right and provides that information as to the exercise of this right must be communicated to French data subjects with all the other compulsory preliminary information. However, the GDPR does not provide for this, nor for a right to Member States to add compulsory information to the lists in Articles 13 and 14, since this would go against the unification of data protection law in the EU and the harmonisation of the common market. It will be interesting to see whether the Government withdraws this new right to comply with the GDPR or prefers to leave this discrepancy, and risk being subject to sanctions by the Court of Justice of the European Union.”
Alexis Kateifides | Privacy Analyst