Data protection in France: overview
A Q&A guide to data protection in France.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The key legislation was Act Number 78-17 of 6 January 1978 on data processing, data files and individual liberties. However, this was overhauled in 2004 by the Data Process Act (DPA), which implemented Directive 95/46/EC on data protection (Data Protection Directive).
Other data protection laws that apply to specific sectors include:
The Public Health Code, in particular Articles L. 1110-4, L. 1111-8, L. 1112-3, L. 1121-3, L. 1142-24-4, L. 1343-3, and L. 2132-1.
The Monetary and Financial Code, in particular Articles L. 440-4, L. 464-1, L. 464-2, and L. 612-17.
The Postal and Electronic Communications Code, in particular Article L. 34-5 for electronic marketing and Article L. 34-1 et seq for electronic communications operators.
Scope of legislation
The laws apply to data controllers and data processors, where the data controller is either:
Carrying out its activity on French territory within an establishment, whatever its legal form.
Using a means of processing located on French territory (where the data controller is not established in France or elsewhere in the EU), with the exception of processing used only for the purposes of transit through French territory or any other EU member state.
The Data Process Act (DPA) regulates personal data. Personal data is defined as any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him. To determine whether a person is identifiable, all the means that the data controller, or any other person uses or may have access to, should be taken into consideration (Article 2, DPA).
The processing of personal data is regulated. This is broadly defined as any operation or set of operations in relation to such data, whatever the mechanism used, especially the following operations (Article 2, Data Process Act):
Adaptation or alteration.
Disclosure by transmission.
Dissemination or otherwise making available.
Alignment or combination.
Deletion or destruction.
The DPA applies to the processing of personal data by a data controller which is established in France or carries out its activities in France in an establishment, whatever its legal form.
If the data controller is not established in France or any other EU member state, but nonetheless uses means of processing located in France (except for processing only for the purposes of transit through France or any other EU member state), this will fall under the DPA.
The DPA does not define the term "establishment", but the French data protection authority (Commission Nationale de l'Informatique et des Libertés, CNIL) considers that there is an establishment where there is an effective and real exercise of an activity through stable arrangements.
A data controller must notify the French data protection authority (CNIL) if it intends to process data. Some types of processing (subject to a number of exceptions) require a declaration.
A prior declaration to the CNIL requires the data controller to submit the:
Purpose(s) of the processing.
Identity and address of the data controller.
Possible interconnections between databases.
Personal data processed and the categories of persons concerned by the processing.
Recipient(s) of the processed data.
Time period for which the data will be kept.
Department or person(s) in charge of data processing.
Recipient(s) or categories of recipients of the personal data.
Measures taken in order to ensure the security of the processing.
The data controller must get further prior authorisation from the CNIL for the processing of data that could be harmful to privacy and civil liberties, for example:
The processing of certain sensitive data categories.
The transfer of data outside the EU to a country without adequate protection.
Automated processing that selects people on the basis of their data and is aimed at excluding some of them from the advantages of a right, benefit or contract.
Automated interconnection of files.
Biometric identity checks.
Main data protection rules and principles
Main obligations and processing requirements
Data controllers must comply with Article 6 of the Data Process Act, ensuring that all personal data collected is:
Processed fairly and lawfully.
Collected for specific, explicit and legitimate purposes, and is subsequently processed in accordance with these purposes.
Adequate, relevant, and non-excessive in view of the purposes for which it is collected.
Accurate, comprehensive and kept up-to-date.
Parties must obtain a data subject's consent before the collection and processing of their data is carried out. This consent may be implied, except where sensitive data is collected, which requires express consent.
Data processing regarding those under the age of 18 is subject to the consent of the parent or guardian of the minor. However, this may not apply online (for example, e-mail addresses for newsletters). The French data protection authority, the CNIL, has indicated that the processing of a minor's sensitive data is prohibited.
If the data processor has not received consent from the data subject, it cannot process the data unless one of the following is satisfied:
Compliance with a legal obligation incumbent on the data controller where the purpose of the processing is to protect the individual's life.
The purpose of the processing is to carry out a public service.
Processing relates to the performance of a contract to which the concerned individual is a party or of pre-contractual measures requested by that individual.
Processing the data is in the legitimate interests of the data controller or of the data recipient, subject to the interests and fundamental rights and liberties of the concerned individual.
Sensitive data is that which relates to a person's race or ethnic origin, political opinions or associations, religious or philosophical beliefs, union membership, sexual preference, criminal record, or health or genetic information.
The processing of sensitive personal data is prohibited unless the (Article 8, Data Process Act):
Data subject has given consent.
Processing is necessary to protect human life and the data subject is unable to give consent due to legal incapacity or physical impossibility.
Processing is specifically for an association that relates only to members of that association and is not transmitted unless consent is given for transmission.
Personal data has been made public by the data subject.
Processing is necessary for the establishment, exercise or defence of a legal claim.
Processing is necessary for healthcare.
Processing is for statistical purposes carried out by the National Institute of Statistics and Economic Studies or one of the statistical services of Ministries.
Processing is necessary for medical research.
Rights of individuals
Where sensitive personal data is processed, the data subject must be informed of:
The identity of the data controller and, as the case may be, its representative.
The purposes of the data processing.
The recipients, or categories of recipients, of the data.
Whether it is required that the data subject provides personal data, and the consequences of not providing data.
The right to object, for a legitimate purpose, to the collection of such data.
The right to access the collected data.
The right to have the processed data rectified, completed, blocked or deleted.
Where data is to be transferred outside the EU, specific details on what, where and why the data is transferred and under which level of protection.
Data subjects can obtain from the data controller (Article 39, Data Process Act (DPA)):
Confirmation as to whether their data is being processed.
Information relating to the purposes of the processing, the categories of processed personal data and the recipients or categories of recipients to whom the data is disclosed.
If applicable, information relating to transfer of the personal data outside the EU.
A copy, in an accessible form, of their personal data, as well as any available information on the origin of the data.
Information allowing data subjects to know and object to the reasoning involved in the processing, where a decision taken based on automatic processing produces legal effects in relation to the data subject.
Data subjects can object to:
The processing of their data, under Article 38 of the DPA (except if the processing is required by law or if the law or regulation authorising the processing expressly excludes the application of Article 38 to such processing).
The use of their data for marketing purposes.
Data subjects can ask the data controller to rectify, complete, update, block or delete their personal data that is:
Prohibited from being collected, used, disclosed or stored.
The equivalent provisions under the Data Protection Directive were the subject of the high profile European Court of Justice (ECJ) judgment in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (Case C-131/12, 13 May 2014), which saw the internet search engine ordered to remove certain links to web pages that were considered inaccurate and damaging.
The data controller must take all useful precautions with respect to the nature of the data and the risk presented by the processing to preserve the security of the data and, among other things, prevent the alteration, corruption or access by unauthorised third parties (Article 34, Data Process Act (DPA)).
A data processor may only process personal data on behalf of, and on instruction by, the data controller. The data processor must provide sufficient guarantees in terms of security and confidentiality but, ultimately, the data controller is liable for compliance.
The French data protection authority, the CNIL, issued various recommendations for ensuring security, including:
Strong password management.
A process for the creation and deletion of user accounts.
Identification of who accesses the data.
Secure local networks.
Secure physical access.
Adopting an information systems security policy.
Training users on information technology risks.
French law does not have a general obligation to notify the French data protection authority (CNIL) or the data subject in the event of a data security breach.
However, e-communication services providers (including ISPs and mobile phone operators) must notify the CNIL within 24 hours of becoming aware of a data security breach during the provision of electronic communications services via publicly available electronic communications networks. In 2013, the CNIL implemented an online breach reporting mechanism on its website, www.cnil.fr.
The breach must also be notified without delay to subscribers if it may violate their personal data or privacy, unless the CNIL has established that appropriate protection measures have been applied to the data.
E-communication services providers must also keep an up-to-date inventory of all breaches of personal data.
Processing by third parties
Directive 2002/58/EC on the protection of privacy in the electronic communications sector (E-Privacy Directive) states that any subscriber or user of e-communications services must be fully and clearly informed by the data controller or its representative of the:
Purpose of any cookies.
Means of refusing cookies, unless the subscriber or user has already been so informed.
However, these do not apply:
To cookies the sole purpose of which is to allow or facilitate electronic communication by a user.
If the cookie is strictly necessary to provide online communication services that were specifically requested by the user.
In 2013, the CNIL gave its opinion that certain cookies were not covered by the Law (for example, cookies used to constitute a "basket" on an e-commerce platform, session ID cookies).
Regarding consent, the CNIL has specified that consent must be:
The CNIL considers that the following consent mechanisms will be compliant:
A banner on the first webpage visited, which specifies that continuing to visit the site constitutes consent.
A consent request zone overprinting on the site's homepage.
Boxes to tick when registering for an online service.
The website owner is liable for allowing a third party to install a cookie on the user's computer.
Article L. 34-5 of the French Postal and Electronic Communications Code and Article 121-20-5 of the French Consumer Code regulate electronic marketing.
The CNIL has issued guidelines in which it distinguished between business to business (B2B) and business to consumer (B2C) relationships.
Electronic marketing activities are authorised provided the recipient has been informed at the time of collection of their e-mail address that:
It will be used for electronic marketing activities.
They may object to such use.
All traffic data held by a communications services provider (CSP) must be erased or anonymised. However, traffic data may be retained for the purpose of:
Finding, observing and prosecuting criminal offences.
Billing and payment of electronic communications services.
The CSP's marketing of its own communication services, provided the user has given consent for that.
Subject to exceptions, location data may be used in very limited circumstances:
During the communication, for the proper routing of such communication.
Where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended; consent may be revoked free of charge at any time.
Electronic marketing activities are authorised provided that the recipient has given consent at the time of collection of their e-mail address. This principle does not apply when:
The concerned individual is already a customer of the company and the marketing messages sent pertain to products or services similar to those already provided by the company.
The marketing messages are not commercial in nature.
The concerned individual must be informed at the time of collection of their e-mail address that:
It will be used for electronic marketing activities.
He or she may object to such use.
International transfer of data
Transfer of data outside the jurisdiction
Data controllers can transfer data to parties in other countries in the European Economic Area (EEA) to the same extent they could share information within France.
Transfer to a non-EEA country is only permitted if the country guarantees individuals a sufficient level of protection in accordance with the Data Protection Directive. Transfer to the United States can be effected if controllers act in accordance with the US/EU Safe Harbor.
A data subject must consent to their data being transferred outside the EEA unless the transfer is necessary:
For the protection of the individual's life.
For the protection of the public interest.
To comply with obligations allowing the acknowledgement, the exercise or the defence of a legal right.
For consultation of a public register intended for the public's information.
For the performance of a contract between the data controller and the individual, or for pre-contractual measures undertaken at the individual's request.
The CNIL may allow transfers if the above conditions are not fulfilled provided there is an adequate level of protection by Model Clauses approved by the European Commission or Binding Corporate Rules (BCRs), which are designed to allow intragroup personal data transfer outside the EEA in compliance with Article 25 of the Data Protection Directive.
Data transfer agreements
The three sets of model clauses (approved by the EU Commission) which cover transfers of data outside the EEA from a data controller to either another data controller, or to a data processor and its sub-processors, have terms that can be included in any general contract between the parties.
On 21 March 2014, the Article 29 Working Party issued a working document containing draft ad hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU. The working document is now in the hands of the European Commission which must decide whether to amend the existing model clauses to reflect these changes, or to supplement them with the new clauses.
Enforcement and sanctions
In verifying data processing, the French data protection authority (CNIL) can request a copy of every document that it considers useful. The CNIL also has the power to carry out on-site inspections, document reviews, warnings and notices, hearings, injunctions and fines (see Question 25).
To date, the CNIL has been able to use its powers of inspection only when the processing or use of processed data leads to a violation of human rights, human identity, privacy, or individual or public liberties, and these powers were limited to on-site inspections. However, a new French law (No. 2014-344), passed on 17 March 2014, granted the CNIL the ability to conduct remote inspections online. Further, where it considers that a criminal offence has been committed, the CNIL can notify France's Public Prosecutor and can make public any sanctions imposed.
The CNIL can impose fines of up to EUR150,000 for a first violation and fines of up to EUR300,000 for a second violation within 5 years. For legal entities, the CNIL can impose fines of up to 5% of the turnover within the general limit of EUR300,000 and/or a criminal fine of up to EUR300,000 (or EUR1.5 million for a corporate entity) and/or 5 years' imprisonment.
Under the Draft Data Protection Regulation, these fines will increase: data controllers will face fines of up to EUR100 million or 5% of their annual turnover for serious breaches of personal data.
Commission Nationale de l' Informatique et des Libertés (CNIL)
Main areas of responsibility. The CNIL is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardise human identity or breach human rights, privacy, or individual or public liberties.
Description. Legifrance is the French government entity responsible for publishing legal texts online.
It provides access, in French, to laws and decrees published in the Journal officiel, important court rulings, collective labour agreements, standards issued by European institutions, and international treaties and agreements to which France is a party. English translations of French legal texts are available on the Legifrance site, but have no legal force; they are provided for informational purposes only.
Edwards Wildman Palmer UK LLP
Professional qualifications. England and Wales, Solicitor; Paris Bar
Areas of practice. Privacy and data protection; IT and outsourcing; digital media and E-commerce.
Advising a large corporate and investment bank with regard to the standardisation of its various agreements (including software licence and maintenance agreements, and agreements for its core payments systems) in order to produce one single standard for use within Europe.
Advising one of the world's largest online retailers with regard to various commercial contracts, particularly in the context of consumer retail, and data protection and privacy issues.
Advising a well-known consumer technology company regarding various commercial law issues in Europe, with emphasis on service procurement, supply and distribution and data protection and privacy issues.
Languages. English, French.
Professional associations/memberships. Franco-British Chamber of Commerce; Computer Law Group; Le Web; TechCrunch; Women's Forum for the Economy and Society.
Publications. Various articles published in IT Law (France) and Data Protection and Privacy Laws (UK); a comparative law study in L'Expert magazine (France); co-author of the "Communications and Broadcasting Regulation" chapter in the latest edition of Internet Law & Regulation by Graham Smith.