Privacy & Information Security Law Blog

On October 7, 2016, the French Digital Republic Bill (the “Bill”) was enacted after a final vote from the Senate. The Bill aligns the French legal data protection framework with the EU General Data Protection Regulation (“GDPR”) requirements before the GDPR becomes applicable in May 2018.

Increased Fines

The Bill significantly increases the maximum level of fines for violations of the French Data Protection Act. The French Data Protection Authority (“CNIL”) will be able to immediately impose a fine of up to €3 million (previously, fines could not exceed €150,000) until the GDPR becomes applicable. Once the GDPR becomes applicable, the Bill states that the CNIL will be entitled to exercise the full scope of sanctions prescribed by the GDPR (i.e., fines of up to, as the case may be, (1) €10 million or 2 percent of annual worldwide turnover, or (2) €20 million or 4 percent of annual worldwide turnover).

Right to Data Portability

The Bill also gives any consumer the right to obtain, free of charge, a copy of any of his/her data resulting from the use of a service provided by an online communication service provider, except for data that has been “significantly enriched” by the service provider. A further decree will detail the enrichments that are presumed to be insignificant. Online communication service providers will also be required to make changes to their user interfaces and software to facilitate the transmission of personal data to another service provider, as required by the right to data portability. This provision will enter into force on the same day the GDPR becomes applicable (i.e., May 25, 2018).

Enhanced Information and Control of the Individual of Personal Data

Any data subject will be able to specify their wishes regarding the retention, erasure and transfer of their personal data after death. These wishes can be recorded by a trusted digital third party certified by the CNIL. The data subject can also request that any of their personal data that was collected as a minor is erased.

In anticipation of the GDPR, the Bill also requires data controllers to inform individuals of their data retention period, or if that’s not possible, of the criteria used to determine the retention period.

For the first time in France, the draft of the Bill went through an open public consultation process to involve the public in the law making process and understand the questions and issues raised by the proposals.