Data Law Navigator | France

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection 

Last updated 28 November 2018


Laws

  • Data Protection and Privacy Act No. 78/17 of 6 January 1978, as amended by Law No. 2018-493 of 20 June 2018 implementing the EU General Data Protection Regulation 2016/679 (GDPR) and the EU Data Protection Law Enforcement Directive 2016/680 (the “DPA”).
  • Application Decree No. 2005-1309 of 20 October 2005, as modified by Decree No. 2018-687 of 1 August 2018 (the “Decree”).
  • Law No. 2016/1321 of 7 October 2016 for a Digital Republic (“Law for a Digital Republic”).

Authority

The French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) is an independent administrative authority responsible for ensuring lawfulness and compliance with the French data protection framework concerning the processing of personal data.

It assists professionals in their compliance and helps individuals to control their personal data and exercise their rights.

Anticipated changes to law

Proposal for a regulation of the European parliament and of the council concerning the respect for private life and the protection of personal data in electronic communications and repealing directive 2002/58/EC (regulation on privacy and electronic communications, “E-Privacy”).

Stage of legislative implementation of GDPR

The GDPR is partially implemented through the amendment of the DPA by Law No. 2018-493 and Decree No. 2018-687 of 1 August 2018.

An Ordinance (Ordonnance), which should be published by the end of the year 2018, will amend the DPA to complete the implementation and remove outdated domestic law provisions.

Additional implementation decrees are expected.  

In the meantime, both DPA and GDPR provisions are applicable. Outdated local law provisions which formally remain in force are no longer applied.

Local derogations as permitted by GDPR 

Class action (Article 43-ter DPA)

Article 43-ter DPA allows individuals in the same situation suffering from the same breach of GDPR or DPA provisions to launch a class action.

The class action can be used to require the end of the infringements and to claim compensation for material or moral damages. Such class action is subject to specific rules.

Claimant associations (Article 43-quater DPA)

Data subjects have the right to instruct a claimant association to bring a claim on their behalf against the data controller for a breach.

Children

French law has lowered the age of consent to processing defined in the GDPR from 16 to 15 for processing in relation to the direct offer of information society services. The data controller must obtain consent from both the parents and the child if it wishes to collect data from a child below the age of 15.

Post Mortem right to Privacy

Article 40-1 DPA provides the data subject with an additional right: the possibility to define guidelines for the storage, erasure and communication of their personal data after their death.

Sensitive Data

Article 8 DPA fully reproduces the list of sensitive data provided by Article 9 GDPR, and extends the scope of the exceptions by authorising:

  • the processing of data that have been rendered anonymous using a CNIL-approved process;
  • the processing of data that involves the re-use of public information contained in court rulings and decisions, provided that neither the purpose nor the outcome of such processing is the re-identification of the data subjects;
  • the processing by employers and administrative bodies of biometric data strictly necessary for controlling access to workplaces and to equipment and software used by employees for their work. This processing must comply with standard rules to be adopted by the CNIL.

Concerning health data, please refer to the registration/notification category below.

Criminal data processing

Article 9 DPA and Article 26 Decree specify which entities can process criminal data, and notably:

  • courts;
  • public authorities;
  • legal entities operating a public service;
  • private legal entities involved within the justice public service;
  • court officers, and
  • natural persons or legal entities involved in the process of a legal action before the courts.

Freedom of choice for users of electronic devices (Article 28 DPA)

With reference to article 7 GDPR, article 28 DPA prohibits any restriction on the options available to the end user without legitimate technical or safety grounds, especially during the initial configuration of the electronic device.

Scope

Article 2 DPA provides that the DPA applies to any fully or partially automated processing of personal data, and to any non-automated processing of personal data that is documented or destined to be documented, with the exception of processing carried out for exclusively personal activities, provided they meet the criteria.

Article 5-1 DPA provides that the DPA provisions adapting and completing the rights and obligations provided by GDPR are applicable if the data subject resides in France, even if the controller is not established in France, except for processing of personal data for journalistic, academic, artistic or literary purposes.

The DPA applies to the following persons processing personal data:

  • Data controllers (article 3 DPA)
  • Data processors (article 35 DPA)
  • Data recipients (article 3 DPA)

Penalties/enforcement

Failure to comply with the DPA may result in both administrative and criminal sanctions.

Administrative sanctions

In case of non-compliance with the DPA, the CNIL may:

  • issue a warning to the data controller;
  • order a financial sanction proportional to the severity of the violation, up to EUR 20m or, in the case of a company, up to 4% of its worldwide annual turnover (whichever is higher);
  • seek an injunction to temporarily or permanently cease the processing or withdraw its authorisation to process data;
  • order to comply with requests to exercise the rights of persons;
  • order to bring the processing in compliance;
  • conduct on-site and online inspections (notably by using fake identities);
  • issue public non-compliance warnings.

Criminal sanctions (Article 226-16 of the French Criminal Code)

Failure to comply with the DPA is punishable by five years’ imprisonment and a fine of up to EUR 300,000 (EUR 1.5m if the data controller is a legal person).

Recent decisions issued by the CNIL:

  • issuing a public warning to another car rental company for a data breach (decision No. SAN-2017-011 of 20 July 2017);
  • sentencing an optical company to a financial sanction of EUR 250,000 for a data breach (decision No. SAN-2018-002 of 7 May 2018);
  • sentencing an association to a financial sanction of EUR 30,000 for a data breach (decision No. SAN-2018-010 of 16 September 2018).

Registration / notification 

Specific types of data are subject to authorisation

  • Social security numbers (RNIPP registration numbers): French Law maintains a prior authorization regime. A Council of State (Conseil d’Etat) framework decree, enacted following consultation with the CNIL, will define the categories of data controllers authorised to process social security numbers and the permitted purposes of such processing.

    However, no authorisation is required for the processing of social security numbers performed solely for public interest related purposes, for scientific or historical research purposes or statistical purposes, or for supplying users with one or more online government services, under certain conditions. These purposes do not in fact require such strict regulation, provided that additional safeguards are in place.

  • Biometric and Health Data: the CNIL, in collaboration with the INDS (French National Health Data Institute) has issued standard rules and reference documents for the processing of health data. The processing may take place if it complies with these requirements, provided however that the data controllers first submit a declaration of compliance to the CNIL. Any non-compliant processing still requires prior authorisation.

    These same principles apply to automated processing for the purposes of health-related research or studies and for evaluating or analysing healthcare or prevention practices or activities.

Main obligations and processing requirements 

  • Consent: Except in limited cases, the CNIL does not recognise the employee’s consent as given freely to the employer acting as a data controller in the context of an employment relationship. Therefore, the employer cannot generally rely on employees’ consent as a basis for the processing or transfer of personal data.

Data subjects’ information

Article 32 DPA requires additional information to be provided directly on the collection form:

  • the data controller’s identity;
  • the purpose of each of the processing operations;
  • whether data collected is mandatory or not for the request to be examined;
  • the data subjects’ rights under the DPA, including the right to set out guidelines relating to the fate of data after death.

Information required under French law includes all data subjects’ rights and must be provided whether the processing operation is based on consent or not. 

Records of processing

Article 70-14 DPA provides that the record of processing must specify the lawful basis of processing.

The CNIL has released a template document detailing the fulfilment process to establish the record of processing obligation. This document is an example and is not binding (https://www.cnil.fr/fr/RGDP-le-registre-des-activites-de-traitement).

Data subject rights 

Data subjects have the following rights under the GDPR:

  • The right to information and transparency;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • The right not to be subject to a decision based solely on automated processing, including profiling.

The Law for a Digital Republic has also established the Post Mortem right to Privacy for the data subject (as mentioned in the derogations section above).

Processing by third parties 

Under Art 28 GDPR, data controllers are required to ensure that any data processors (or sub-processors) engaged (for example contractors or suppliers) are assessed to ensure they comply with the GDPR. Further, specific contractual provisions must be put in place with such entities in line with the specific items set out in Art 28 GDPR and article D.110-2 of the Decree.

Transfers out of country

The rules are similar to the provisions of Chapter V GDPR.

Pursuant to article 43 quinquies DPA, if the CNIL believes that a data subject’s allegations concerning a personal data breach are founded, it may now ask the French Council of State (Conseil d’Etat) to suspend the transfer of data, imposing a fine if necessary, and to refer the matter to the ECJ for a preliminary ruling on the validity of the European Commission’s decision authorising or approving the relevant appropriate safeguards (adequacy decision or other).

Data Protection Officer

A Data Protection Officer (DPO) must be appointed if required under Article 37 GDPR.

The appointment of a DPO is notified via the website of the CNIL.

The CNIL has adopted a certification standard and an accreditation standard for DPOs.

Security

The security requirements are similar to those required by the GDPR.

The CNIL has issued a specific guide on security measures to be implemented by data controllers and processors in January 2018. Further information can be found here: https://www.cnil.fr/fr/un-nouveau-guide-de-la-securite-des-donnees-personnelles.

Breach notification

Notification is required where Articles 33 and 34 GDPR so require.

Where reporting an unauthorised disclosure or access is likely to pose a risk to national security, defence or public security, such notification is not required (DPA, art. 40, III; Decree, art. 91-2-1).

Such exemption only applies where the processing is required to comply with a legal obligation or where it is necessary to perform a task carried out in the public interest vested in the controller.

Direct marketing

The data controller cannot send unsolicited marketing messages without prior consent from the recipient (article L34-5 of Postal and Electronic Communications Code) unless:

  • the consumer is already a customer of the company, the marketing message concerns similar products and services purchased by the consumer, and such products and services are offered by the same person or company.
  • the marketing messages are non-commercial in nature (e.g. charity).

In every case, at the time of collection of their e-mail address, the prospect must be:

  • informed that their personal data will be used for marketing purposes.
  • able to easily and freely object to such use at any time at the original point where their details were collected, and in each subsequent marketing communication.

In the B2B context, there is no need for prior consent provided that the recipient has been informed about the fact that its details will be used for marketing purposes and is given the possibility to object to such use. The marketing messages must be relevant to the role or activity of the professional solicited.

Cookies

Under article 32(II) DPA, cookies cannot be used or stored on a user’s device unless:

  • the user has been provided with clear and comprehensive information about the cookie(s).
  • the user has given explicit consent to use of the cookie(s) before implementation.
  • the user is provided with sufficient information to refuse the cookie(s).

The only cookies exempted from the requirement to obtain consent are “technical cookies” in these circumstances:

  • where the use of the cookie is for the sole purpose of permitting or facilitating electronic communication.
  • cookies that are strictly necessary for providing a service expressly requested by a user (e.g. electronic cart).
  • some audience/analytics cookies only when they comply with the conditions defined by the DPA.

Prior to any implementation of a cookie on the user’s device, a banner with the statutory information must be displayed when the user accesses the website.

The cookie policy must give the user the option of refusing the cookie(s) at any time.

Cookies must not be retained for more than 13 months from the moment they were accepted by the user.


Cyber Security

Last updated 28 November 2018


Laws and regulations

French Defence Code.

French Post and Electronic Communications Code.

Act No. 2013-1168 of 18 December 2013 (Military Programming Act 2014-2019) on military programming for the years 2014 to 2019, which contains various provisions concerning national defence and security (articles 21 et seq., and its implementing decrees).

Act No. 2018-607 of 13 July 2018 (Military Programming Act 2019-2025) on military programming for the years 2019 to 2025 which contains various provisions concerning national defence and security – articles 34 and 35.

Act No. 2018-133 of 26 February 2018 implementing various provisions of European Union law in the field of security, and its implementing decrees and orders (“Cybersecurity Act 2018”):

  • Decree No. 2018-384 of 23 May 2018 on the security of the networks and information systems of essential service providers and digital service providers (“Implementation Decree”);
  • Order (Arrêté) of 13 June 2018 fixing the rules for the notifications provided for in articles 8, 11 and 20 of Decree No. 2018-384 of 23 May 2018 on the security of networks and information systems;
  • Order (Arrêté) of 14 September 2018 fixing the security rules and deadlines provided for in article 10 of Decree No. 2018-384 of 23 May 2018 on the security of networks and information systems.

Anticipated changes to law

No anticipated changes to law.

Stage of legislative implementation of NIS Directive 

The NIS Directive has been fully implemented.

Application

The Military Programming Act 2014-2019 (especially Article 22) sets out several cybersecurity obligations applicable to “vitally important operators” (opérateurs d’importance vitale) – VIOs – as defined in Article L.1332-1 of the French Defence Code.

The Military Programming Act 2019-2025 provides for measures to strengthen protection against cyber-attacks through the involvement of telecommunications operators.

The Cybersecurity Act 2018 has created two new categories of operators subject to cybersecurity obligations:

“Operators of essential services” (OES) 
The OES are defined as any public or private entity providing an essential service for the maintenance of critical societal and / or economic activities relying on networks and information systems and whose service could be seriously affected in the event of a network security incident. Pursuant to the implementing decree No. 2018-384 of 23 May 2018 on the security of networks and information systems of essential service operators and digital service providers, the OES are designated by the Prime Minister in various sectors, such as Energy, Transportation, Banking, Financial Markets Infrastructures, Health, Digital Infrastructures etc. In this respect, the Prime Minister notifies operators individually of his intention to appoint them as an OES and from this notification, the operator is able to submit observations within a month.

“Digital service providers” (DSP)
The DSP are defined as any legal entity providing a digital service. The services concerned are online search engines, online marketplaces and cloud computing services.

The ANSSI and the Prime Minister began designating the first OES on 9 November 2018.

Authority

The French National Cybersecurity Agency, known as “the ANSSI” (Agence nationale de la sécurité des systèmes d’information): https://www.ssi.gouv.fr

Key obligations

Under the French Defence Code and Article 22 of the Military Programming Act 2014-2019, the state is responsible for ensuring that VIOs are sufficiently secure. To ensure this, VIOs must:

  • comply with rules set by the Prime Minister on the protection for the security of the information systems, such as not connecting certain systems to the internet;
  • communicate, any cyber security incident, without delay, to the Prime Minister;
  • implement detection systems using government-certified service providers;
  • verify, on the request of the Prime Minister, the security level of critical information systems using an audit system;
  • ensure the ability to impose measures on operators in a major crisis;
  • implement a crisis management procedure in the event of major cyber-attacks.

Under Article L33-14 of French Post and Electronic Communications Code telecommunications operators:

  • are allowed to use, on the electronic communications networks they operate and after prior notice to the ANSSI, devices using technical identifiers solely for the purpose of detecting events that may affect the security of their subscribers' information systems;
  • may be requested by the ANSSI to use, where appropriate, identifiers that the ANSSI provides them with, if the ANSSI is aware of a threat that could affect the security of information systems;
  • have to notify the ANSSI without delay when they have detected events that could affect the security of information systems;
  • at the request of the ANSSI, have to notify their subscribers of the vulnerability of their information systems or the breaches they have suffered.

Under Article L.2321-2-1 of the French Defence Code, when the ANSSI becomes aware of a threat that could affect the security of public authorities' information systems, the ANSSI may implement devices with information identifiers on the networks of a telecommunications operator, a host or service providers.

Under the Cybersecurity Act 2018, OES essentially have to:

  • comply with security rules set out in the following areas:
    • governance of network and information system security
    • protecting the security of networks and information systems
    • defending the security of networks and information systems
    • resilience of activities
  • notify any cyber security incident, without delay, to the ANSSI when these incidents have or may have a significant impact on the continuity of services.

Under the Cybersecurity Act 2018 the DSP must:

  • Appoint a representative established on the national territory of the ANSSI if it is established outside the European Union and does not have any representative within the European Union;
  • Guarantee an appropriate level of security according to the existing risks and to do so, identify the risks threatening the security of the information systems and take the technical and organisational measures necessary and proportionate to manage these risks, avoid incidents and minimise their impact so as to guarantee the continuity of their services;
  • Notify any cybersecurity incident, without delay, to the ANSSI when these incidents have a significant impact on the provision of these services.

The Cybersecurity Act 2018 implementation decree and orders (arrêtés) set the rules applicable to the OES and DSP with respect to notifications and the security rules for information systems.

Penalties/enforcement

Under Article 22 of the Military Programming Act 2014-2019 and Article L.1332-7 of the French Defence Code, non-compliance by the VIOs with their key obligations listed above incurs a fine of EUR 150,000.

Under Article 34 of the Military Programming Act 2019-2025 and Article L.2321-2-2 of the French Defence Code, telecommunications operators who prevent the implementation of the measures provided for in Article L.2321-2-1 are punishable by a fine of EUR 150,000.

Under Article 226-3 of the French Criminal Code, the use of any technical means or device to intercept and capture data without Ministerial authorisation is punishable by up to five years of imprisonment and a fine of EUR 300,000 (EUR 1.5m for a legal person; Article 131-38 of the French Criminal Code).

Under the Cybersecurity Act 2018, OES may be subject to the following fines:

  • EUR 100,000 in case of non-compliance with security rules
  • EUR 75,000 in case of failure to communicate a cyber security incident 
  • EUR 125,000 in case of obstruction of inspection operations

DSP may be subject to the following fines:

  • EUR 75,000 in case of non-compliance with security rules
  • EUR 50,000 in case of failure to communicate a cyber security incident
  • EUR 100,000 in case of obstruction of inspection operations

The Prime Minister is entitled to control the compliance of the OES and DSP with their obligations under the Cybersecurity Act 2018. The investigations are carried out by the ANSSI or by qualified service providers.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. CERT-FR (Computer Emergency Response Team) formerly called CERTA (https://www.cert.ssi.gouv.fr/).

CERT-FR is the contact team capable of receiving alerts from the ANSSI at all hours in the event of a cyber-attack. CERT-FR deals with cyber incidents occurring in France and involving the administration and VIOs. Its main missions are: detecting threats and vulnerabilities in systems, particularly through technology watch; leading the resolution of cyber incidents; helping to implement measures to prevent future incidents; and organising global coordination with other entities.

Is there a national incident management structure for responding to cyber security incidents?

The French National Cybersecurity Agency (ANSSI) is responsible for responding to cybersecurity incidents targeting strategically important institutions.

The Ministry of Defence and the Ministry of the Interior also have a role in preventing all forms of cybercrime.

Other cyber security initiatives

PRIS (Incident Response Providers)

Cyber Defence Command Unit (COMCYBER) reporting to the Chief of the Defence Staff.


Authors

Maxime Hanriot
Associate
Paris