Data protection in France: overview
A Q&A guide to data protection in France.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The key regulations relating to personal data are:
Act No 78-17 on Information Technology, Data Files and Civil Liberties dated 6 January 1978 (DPA). This act was modified to implement Directive 95/46/EC on data protection (Data Protection Directive).
Decree No 2005-1309 of 20 October 2005.
The DPA was recently substantially amended by Law No 2016-1321 for a Digital Republic dated 7 October 2016 (Digital Republic Law). In part the amendment was made to prepare for Regulation (EU) 679/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), due to come into force on 25 May 2018.
The French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés) (CNIL) supervises enforcement of the DPA and frequently issues decisions and guidelines on it. See box, Regulator details.
A number of laws and regulations relating to personal data protection regulate specific sectors, including:
Postal and Electronic Communications Code (Articles L 34 et seq and Articles R 10 et seq) (regulating online electronic communication services to the public).
Consumer Code (Articles L 223-1 et seq) (on telemarketing).
Consumer Code (Articles L 224-42 to L 224-42-4). These will come into force on 25 May 2018 and will set out a general principle that consumers have a right to recover all of their data.
Public Health Code (Articles L 1110-4 et seq, L 1111-8 et seq, L 1115-1 et seq, L 1122-1 et seq, L 1435-6, L 1460-1 et seq, R 1111-1 et seq) (on the processing of health data).
Property Code (Article L 212-3) (on the retention of personal data contained in public archives).
Scope of legislation
The Data Protection Act (DPA) applies to:
Data controllers. A data controller is any person, public authority, department or any other organisation that determines the purposes and the means of the data processing (Article 3).
Data processors. A data processor is a person who processes personal data on behalf of the data controller (Article 35).
Data recipients. A data recipient is any authorised person to whom the data is disclosed (other than the data subject, the data controller, the sub-contractor and persons who, due to their functions, are in charge of processing the data) (Article 3).
The DPA also provides rights and guarantees to data subjects (that is, individuals about whom the data is processed).
Whether a person is a data controller, data recipient, data processor or a data subject is determined on a case-by-case basis, regardless of what has been agreed on by parties to an agreement.
Other categories of persons are also subject to the DPA, such as communications service providers (see Question 16).
The Data Protection Act (DPA) applies to the processing of personal data.
Personal data is defined as "any information relating to a natural person who is or can be identified, either directly or indirectly, by reference to an identification number or to one or more factors specific to them" (DPA Article 2). This includes, for example, a person's name, date of birth, telephone number, e-mail address and social security number.
To determine whether a person is identifiable, all the means that the data controller or any other person uses or has access to must be taken into consideration.
In a decision dated 3 November 2016, the Supreme Court put an end to a controversial ruling that IP addresses must be considered to be personal data. This decision is in line with a previous ruling of the European Court of Justice dated 19 October 2016.
Sensitive data reveals, either directly or indirectly:
Racial and ethnic origin.
Political, philosophical or religious opinions.
Trade union membership or affiliation.
Details about health or sex life.
The Data Protection Act (DPA) regulates the automatic and non-automatic processing of personal data that is or may be contained in a personal data filing system. There is an exception for processing carried out for the exercise of exclusively private activities.
Processing of personal data is broadly defined under the DPA and means any operation or set of operations in relation to the data, whatever the mechanism used, especially (Article 2, DPA):
Adaptation or alteration.
Disclosure by transmission.
Dissemination or otherwise making available.
Alignment or combination.
Deletion or destruction.
In a company, most personal data is processed in relation to human resources management, for example:
Client and prospective client files.
The Data Protection Act (DPA) applies if the data controller:
Is established in France or carries out its activities in an establishment in France, regardless of its legal form.
Is not established in France or in any other EU member state, but uses means of processing that are located in French territory (except if used only for the purposes of transit through French territory or that of any other member state) (Article 5, DPA).
There is an "establishment" where there is an effective and real exercise of an activity through stable facilities.
Where the data controller is not established in France or in any other EU member state, it must designate a representative in France.
The Data Protection Act (DPA) does not apply to:
Data processing carried out for the exercise of exclusively private activities (for example, a personal address book).
Temporary copies made in the context of technical operations of transmission and the provision of access to a digital network for the purpose of automatic, intermediate and transitory retention of data and with the sole aim of allowing other recipients of the service to benefit from the best access possible to the transmitted information (Article 4, DPA).
Filing requirements are either simplified or normal. Some data processing requires prior authorisation.
Notification and authorisation can be submitted online though the Data Protection Authority (CNIL) website.
Simplified notifications (déclaration simplifiée) are used for the most frequent categories of personal data processing that are not likely to be a violation of privacy or liberties. They apply to various types of processing including:
Recording telephone conversations in the workplace.
Management of school affairs.
Clients and prospective client files.
Energy consumption invoicing.
Workplace access controls.
Employee vehicle tracking.
For all types of processing, the CNIL has issued decisions containing a complete description of the standards that must be met, including the:
Purposes covered by the processing.
Categories of personal data.
Categories of data subjects.
Period of retention.
If the data processing complies strictly with the CNIL's decision, the data controller can submit a simplified notification consisting of a unilateral commitment to comply with the decision.
The CNIL's decisions are updated regularly. For example, the CNIL published an updated version of simplified declaration No 48 on 21 July 2016 relating to clients and prospective client files, which modified (among other things) the retention policy to be implemented for this type of processing.
If the characteristics of the processing differ from the content of the CNIL's decision, a normal notification (déclaration ordinaire) must be filed.
For both simplified and normal notifications, an acknowledgement of receipt is received from the CNIL without delay. The applicant can then carry out the data processing.
When several data processing operations are carried out by the same body and have identical or interrelated purposes, a joint notification can be made.
Other data processing is subject to prior authorisation (autorisation) from the CNIL. This includes the automatic processing of data relating to:
Offences, convictions and security measures.
Natural persons being excluded from the benefit of a right, a service or a contract, when the exclusion is not expressly provided for in the law.
Biometric data necessary for the verification of an individual's identity.
The CNIL must issue its decision within two months (renewable once). If the CNIL does not issue its opinion within this time limit, the application is deemed to have been rejected.
A simplified authorisation regime called "unique authorisation" (autorisation unique) also exists for some processing listed on the CNIL's website, including:
The fight against insurance fraud.
Tracking by vehicle rental companies of high-risk individuals.
On 14 January 2016, the CNIL also decided to include in this regime processing relating to the preparation, exercise and follow-up of litigation disputes and their enforcement.
Certain processing is exempt from any formalities if expressly allowed by the CNIL (such as payroll processing if there is no transfer of data outside the EEA).
Main data protection rules and principles
Main obligations and processing requirements
The data controller must ensure that personal data is (Article 6, Data Protection Act (DPA)):
Collected and processed fairly and lawfully.
Collected for specified, explicit and legitimate purposes and is subsequently processed in a manner that is compatible with those purposes.
Adequate, relevant and not excessive in relation to the purposes for which it was collected.
Accurate, complete and kept up to date (appropriate steps must be taken to delete and rectify data that is inaccurate and incomplete with regard to the purposes for which it is obtained and processed).
Retained in a form that allows identification of the data subjects for a period that is no longer than necessary for the purposes of the processing.
Data subjects must receive appropriate information about the processing (Article 32, DPA).
The data controller must take all useful precautions to preserve the security of the data (Article 34, DPA) (see Question 15).
A data controller can lawfully justify the processing of personal data if it has received the prior, free, unambiguous and informed consent of the data subject.
In practice, consent must be given in French (provided the data subject is a French speaker), either in writing or by a click-through if given over the internet.
Express consent is required in specific cases for:
Re-use of data for different purposes.
Commercial market research.
When processing personal data relating to minors, the CNIL considers that prior consent from the parents is necessary for the:
Collection of sensitive data.
Collection of photographs of minors.
Transfer of personal data to third parties for commercial market research purposes by electronic means or by post.
Clear information must be provided to the minor using terms that are adapted to their age. Adequate vigilance and warning systems must be implemented (like awareness messages, age controls, possibility of parental supervision).
Where personal data is provided to a third party (who is also a data controller) and there is a deletion request, the data controller who was asked to delete the data must take reasonable measures to inform the third party of the deletion request.
In the context of certain health-related research, a minor who is 15 years of age or older can refuse to let persons with parental authority have access to their data and refuse to let them be informed that their data is being processed.
Obtaining consent from employees is subject to certain exceptions because it is assumed that they will never freely consent. The employer must rely on other grounds to justify the necessary data processing.
The processing of personal data can be justified on any of the following grounds (Article 7, Data Protection Act):
Compliance with any legal obligation to which the data controller is subject.
Protection of the data subject's life.
Performance of a public service mission.
Performance of a contract to which the data subject is a party (or steps taken at the request of the data subject before entering into a contract).
Pursuit of the data controller's or the data recipient's legitimate interest, provided it is not incompatible with the interests or the fundamental rights and liberties of the data subject.
As a general principle, the collection and processing of sensitive data is prohibited (Article 8, Data Protection Act (DPA)).
However, this prohibition may be lifted, subject to certain conditions, such as when the processing is:
Expressly consented to by the data subject.
Necessary for the protection of human life.
Based on personal data that was made public.
Necessary to establish, exercise or defend a legal claim.
Necessary for certain medical purposes.
Carried out for statistical purposes.
Processing data relating to offences, convictions and security measures can only be done by a limited number of persons identified in Article 9 of the DPA. The French Constitutional Council (Conseil constitutionnel) confirmed in 2004 that a legal entity can also carry out data processing relating to offences if it involves the offender's victim.
The CNIL has established a strict control regime over the processing of social security numbers because they can provide access to a significant amount of personal data and connections on many databases.
Rights of individuals
Data subjects must be given information on how personal data will be processed at the time the data is collected.
Data subjects must be informed of:
The identity of the data controller or its representative.
The purpose of the processing.
Whether replies to any question are compulsory or optional.
The consequences for them of the absence of a reply.
The recipients or categories of recipients of the data.
Their rights to access the collected personal data and to rectify, complete, update, block or delete it if inaccurate, incomplete, equivocal or expired.
The intended transfer of personal data outside the EEA (if applicable).
Where the data was not obtained from the data subject, the information must be provided at the time of recording the personal data or, if disclosure to a third party is planned, no later than the time when the data is first disclosed.
Since the entry into force of the Digital Republic Law, data subjects must be informed of (Article 32, Data Protection Act):
Their right to direct how their personal data is to be used after their death.
The duration of any storage of the data, or if impossible, the criteria that will be used to determine the duration.
It is recommended that this information be provided in writing.
Other specific rights granted to data subjects by the Data Protection Act (DPA) include the right to:
Object on legitimate grounds to the processing of any data relating to them, except where it satisfies a legal obligation or where an explicit provision of the decision that authorises the processing excludes the right to object (Article 38, DPA).
Object, at no cost to them, to the use of data relating to them for the purposes of canvassing, in particular for commercial ends, by the controller of a current or further data processing (Article 38, DPA).
Interrogate the data controller to obtain the following information:
confirmation as to whether the personal data of the data subject is to be used;
the purpose of the processing;
whether it will be transferred outside the EEA;
information about the logic involved in the processing and how to object to it.
Obtain a copy of the processed data.
Request the data controller to rectify, complete, update, block or delete personal data relating to them that are inaccurate, incomplete, equivocal, expired, or whose collection, usage, disclosure or retention is prohibited.
When personal data has been collected through electronic means, data subjects must be given the possibility to exercise their rights using the same means (Article 43, DPA).
The Digital Republic Law supplemented Article 1 of the DPA by creating a fundamental right for data subjects to decide and control the use made of their personal data.
Article 40-1 also introduces the concept of "digital death" under which data subjects can create instructions during their lifetime to conserve, delete and communicate their data after their death (see Question 14).
Any provider of electronic communication services to the public must offer a free service allowing consumers to recover their data.
See Question 13.
The Digital Republic Law introduced the right for minors to be forgotten and to request deletion of any personal data that was collected when they were still a minor (Article 40, Data Protection Act).
Data subjects can create instructions during their lifetime to conserve, delete and communicate their data after their death. All providers of online electronic communications services to the public must inform users about what will happen to their data when they die and allow them to choose whether or not their data will be transferred to a designated third party.
Data controllers must take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data (Article 34, Data Protection Act).
Data controllers must protect personal data against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks.
The Data Protection Authority (CNIL) issued guidelines in 2010 on the security measures to be implemented by a data controller to guarantee the security of personal data processing.
In 2012, it published a second set of guidelines on the protection of privacy for high-risk or complex data processing, to help data controllers have a clear vision of the risks associated with the processing and identify the security measures to be implemented.
These guidelines were revised in 2015, to encourage data controllers to perform a privacy impact assessment built on two pillars:
The principles and fundamental rights identified as "not negotiable".
The management of risks on data subjects.
Failure to implement appropriate security measures can lead to five years' imprisonment and/or a fine of EUR300,000 (up to EUR1.5 million for legal persons) (Article 226-17, Criminal Code).
There is no general legal requirement to report personal data security breaches to the Data Protection Authority (CNIL).
However, in the event of a personal data breach, there is a general duty for providers of public electronic communications services to notify the CNIL within 24 hours of the breach. The CNIL accepts a two-stage notification if more time is needed for further investigations.
When the violation is likely to breach personal data security or privacy, the provider must immediately notify the affected party (unless the CNIL finds that appropriate protection measures have been implemented to ensure that the personal data is undecipherable).
Every provider of electronic communications services must keep an updated record of all personal data breaches, listing the conditions, effects and measures taken as remedies, and must make the record available to the CNIL on request (Article 34, Data Protection Act).
Failure by an electronic communications service provider to notify a security breach to the CNIL or to data subjects can trigger criminal sanctions of up to five years in prison and/or a fine of up to EUR300,000 (Article 226-17-1, Criminal Code).
Processing by third parties
A data controller must impose a number of requirements on a data processor to ensure that information is collected and processed in accordance with the data controller's instructions and with the Data Protection Act.
The contract must detail the security and confidentiality measures to be implemented by the data processor, for example, with regard to:
Data access protection (with a clear access and password policy).
Electronic data storage.
Data transfer (for example, through encryption).
Data disposal (for example, the data processor can commit to take all necessary steps to ensure that all business-critical information is removed from any decommissioned computers or external drives).
End user awareness (through training programmes and suchlike).
The data controller can install cookies or equivalent devices if prior consent is given by the user. This applies to website publishers, advertising networks, social networks and editors of audience development solutions.
The data controller must use a banner notice giving brief information and allowing the users to take steps to disable the website's cookies if they wish to do so before continuing to use the site.
In addition, the data controller must tell users how to disable the cookies and how disabling them may affect their experience on the website.
The Data Protection Authority (CNIL) considers that the consent is only valid for 13 months at a time.
Certain types of cookies are exempted from the obligations above (for example, where their purpose is to allow or facilitate online communication).
Sending unsolicited messages is prohibited without prior consent from the recipient (Article L.34-5, Postal and Electronic Communications Code; Article L.121-20-5, Consumer Code). Consent from data subjects is not considered as given when they agree to general sale terms or when there are pre-checked boxes on a website.
As an exception, unsolicited electronic commercial communications can be sent to a customer without their prior consent if:
The consumer's contact details were collected in compliance with the Data Protection Act and as a result of customer purchases.
The commercial communications concern similar products and services purchased by the customer.
The consumer can opt out when data is collected and at each commercial communication.
In a business-to-business relationship, there is no need for prior consent provided that the recipient has been informed about the fact that its e-mail address will be used for electronic commercial communications and is given the possibility to object to it when the e-mail address is collected. The commercial communication must be relevant to the profession of the recipient.
Marketing by post or by telephone does not require prior consent but cannot be done if the recipient has objected to it.
International transfer of data
Transfer of data outside the jurisdiction
A data controller cannot transfer personal data to a state that is not an EU member state if it does not provide a sufficient level of protection of individuals' privacy (Article 68, Data Protection Act (DPA)). The European Commission has established a list of states that provide an adequate level of protection.
A data controller can transfer personal data to a state that does not satisfy the above conditions if the data subject has expressly consented to its transfer or if the transfer is necessary under one of the following conditions (Article 69, DPA):
Protection of the data subject's life.
Protection of the public interest.
To meet obligations ensuring the establishment, exercise or defence of legal claims.
Consultation of a public register that is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest.
Performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject's request.
Conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject between the data controller and a third party.
There are other options to ensure an adequate level of compliance. These include using:
Standard contractual clauses (model clauses designed by the European Commission to facilitate transfers of personal data from the EU to all third countries, while providing sufficient safeguards for the protection of individuals' privacy).
Binding corporate rules validated by the Data Protection Authority (CNIL).
The US privacy shield.
A data controller must inform a data subject about the (Article 91, Decree of 20 October 2005):
State where the recipient of the data is established.
Nature of the data transferred.
Purpose of the transfer.
Categories of the recipients.
Level of protection of the state concerned. If the state does not provide an adequate level of protection, the data controller must mention under which exception the transfer is allowed.
Data transfer agreements
The European Commission adopted standard contractual clauses to facilitate transfers of personal data from the EU to third countries that do not provide an adequate level of protection. Although the law does not require use of the model clauses, the Data Protection Authority (CNIL) considers them to be a valid safeguard.
Enforcement and sanctions
The Data Protection Authority (CNIL) has strong enforcement powers. The CNIL can:
Conduct on-site inspections. The members of the CNIL can have access, from 6.00 am to 9.00 pm, to the places, premises, or equipment used for processing personal data for professional purposes, with the exception of the parts used for private purposes. The public prosecutor must be informed beforehand and the person in charge of the private professional premises must be informed of their right to object to the visit. If they object, the visit can only take place after authorisation from the liberty and custody judge. However, if justified by urgency or by the seriousness of facts or by a risk of destruction or concealment of documentary evidence, the visit can take place without informing the person in charge of the premises and after authorisation from the judge. In this instance, the person in charge cannot object to the visit.
Submit written requests for communication of documents or files.
Conduct hearing inspections.
Since the Consumer Protection Act 2014, the CNIL can conduct online inspections (reviewing any publicly available information such as online privacy policies, online consent mechanisms and compliance with cookie requirements).
Impeding the action of the CNIL (either by resisting the exercise of the duties of the CNIL, refusing to communicate the information and documents requested, or by supplying inappropriate information) can result in one year in prison and a EUR15,000 fine (Article 51, Data Protection Act).
Since the introduction of the Digital Republic Law, the CNIL's chairperson can start summary proceedings for necessary measures in cases of serious and immediate violations of rights and liberties.
Failure to comply with the Data Protection Act (DPA) can trigger the following sanctions:
Up to five years' imprisonment.
A fine up to a maximum of EUR1.5 million for legal entities.
In addition, the Data Protection Authority (CNIL) can serve a formal notice to comply on a data controller, ordering it to cease its non-compliance within a given deadline.
If the data controller does not comply with the notice served, the CNIL can:
Issue a warning to the data controller for failing to comply with the obligations of the DPA (regarded as a sanction).
Set a financial penalty of up to EUR3 million.
Seek an injunction to cease the processing or withdraw its authorisation to process data.
When determining a proportionate financial sanction, the criteria that the CNIL can take into account include (Digital Republic Law):
Whether the breach was intentional or negligent.
Any measures taken to limit damages.
The degree of co-operation with the CNIL (which includes the way the CNIL was notified of the breach).
The categories of data involved in the breach (Article 47, DPA).
If the identified breach cannot be remedied within the framework of the formal notice process, the CNIL can issue any sanctions without formal notice.
The CNIL and/or the court can also order the sanctions to be made public. The CNIL can also order that the data controller individually inform, at its own expense, each of the data subjects concerned.
Examples of recent sanctions issued by the CNIL include:
A fine of EUR50,000 on Optical Centre, a distributor of optical products, for violations relating to the security and confidentiality of its customers' personal data.
A fine of EUR100,000 on Google following its refusal to comply with the CNIL's injunction to extend de-listing to all of its search engine's domain name extensions.
A warning to the French Socialist Party for a security breach on its website that led to a data leakage of 10,000 members.
French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés) (CNIL)
Main areas of responsibility. The CNIL is an independent administrative authority responsible for ensuring that information technology remains at the service of citizens, and does not jeopardise human identity or breach human rights, privacy, or individual or public liberties. It supervises enforcement of the DPA and frequently issues decisions and guidelines on it.
Description. Legifrance is the French Government entity responsible for publishing legal texts online. This website provides access to an English translation of the French Data Protection Act (www.legifrance.gouv.fr/Traductions/Catalogue-des-traductions).
Myria Saarinen, Partner
Latham & Watkins
Professional qualifications. France, Avocat à la Cour
Areas of practice. Data privacy, security and cybercrime; complex commercial litigation; litigation and trial practice; white collar defence and investigations; securities litigation and professional liability; product liability; mass torts and consumer class actions; energy regulatory and markets; intellectual property litigation; technology transactions.
Languages. French and English
- France Chapter, The Technology, Media & Telecommunications Review, 2016.
- French Digital Republic Law Expands Rights of Users and Regulators (Law No 2016-321 of 7 October 2016), Client Alert, 2016.
- 5 Questions About France's New Health-related Class Action Law, Client Alert, 2016.
- France Chapter, The Technology, Media & Telecommunications Review, 2015.
- France Chapter, International Fraud & Asset Tracing - 3rd Edition, 2015.
- Class Actions Enter into Force in France as of 1st October 2014, Client Alert, 2014.
- Introduction of Class Actions in France: A Growing Threat to Professionals?, Client Alert, 2014.
Julie Ladousse, Associate
Latham & Watkins
Professional qualifications. France, Avocat à la Cour
Areas of practice. Data privacy, security and cybercrime; complex commercial litigation; securities litigation and professional liability; litigation and trial practice.
Languages. French and English
Publications. 5 Questions About France's New Health-related Class Action Law, Client Alert, 2016.
Elise Auvray, Associate
Latham & Watkins
Professional qualifications. France, Avocat à la Cour
Areas of practice. Data privacy, security and cybercrime; complex commercial litigation; litigation and trial practice.
Languages. French and English
- France's Major Anti-Corruption Reform: What's Next for Companies and Their Top Management?, Client Alert, 2016.
- French Anti-Corruption Reform Expected In 2016, Client Alert, 2016.