A concise guide to good practice in the protection of privacy on the internet
- The debate on the protection of privacy on the internet has come back into focus, with the launch in France of a national consultation process on the right to digital anonymity, and the publication of a Bill on the protection of privacy in the digital age.
- CMS Bureau Francis Lefebvre is providing its data protection expertise for the assistance of businesses, by publishing a practical guide enabling them to bring themselves into line with the regulatory requirements.
Technological progress and the development of online business, social networking sites and e-marketing, amongst other things, all pose threats to individual privacy. French Law No. 78-17, known as the Data Protection and Privacy Act, states at its outset that information technology must not "prejudice the identity of mankind, human rights, the right to privacy, or individual or public liberties". Failure to observe the principles of the Act can be costly: article 226-17 of the French criminal code provides for penalties of up to 5 years of imprisonment and 300,000 euros in fines. The penalties could be increased further if the Bill which was presented on 6 November of last year by Senators Yves Détraigne and Anne-Marie Escoffier, and which is intended to provide "better protection for the right to privacy in the digital age", is eventually adopted. The Bill aims amongst other things to give stronger powers to the French national commission on information technology and rights (the CNIL), which is responsible for enforcing the Data Protection and Privacy Act. The financial penalties could thus be increased to 300,000 and 600,000 euros, instead of the 150,000 and 300,000 euros which currently apply.
It follows that businesses have a strong interest in conforming to the principles. To guide them in doing so, CMS Bureau Francis Lefebvre personnel specialising in protecting businesses against the risks arising from the protection of personal and sensitive data have recently published a practical summary of the rules governing the use of such data. It is particularly intended for companies’ legal, HR, and marketing and sales departments, as well as their data protection officers.
It concerns those publishing electronic platforms, software, online games and internet sites, as well as any business, national or international, wishing to bring itself into line with good practice in relation to data protection and privacy.
A social issue fuelled by technological progress and the development of social networking sites
The CMS Bureau Francis Lefebvre guide sets out and explains the rules applicable (amongst other things) to gathering, processing, transferring and storing data, and summarises the steps which should be taken to inform the data subject and confirm his or her consent. "For the collection and processing of data to be legitimate, the data controller must generally give information to the data subject concerning the use which is to be made of that data", says Anne-Laure Villedieu, a lawyer with CMS Bureau Francis Lefebvre and a co-author of the guide. Processing of data which is regarded as sensitive, or in other words which relates to such things as racial or ethnic origin, or political, philosophical or religious views, is subject to specific rules which are more onerous: such data may not be gathered or used without the express consent of the subject. The storage of this type of data is also subject to strict rules: it may not be stored for longer than is necessary for the purposes for which it was gathered and processed.
Data storage has been at the heart of recent action by the CNIL. Concern over it is especially acute in relation to internet-based social networking: the frequent statements issued by the CNIL in relation to networking sites such as Facebook, which has been forced by consumer pressure to change its general terms and conditions to limit the storage of personal data, testify to this, as does the warning issued to Amazon for inappropriate sales conditions.
Public authorities are increasingly concerned with the issue: Nathalie Kosciusko-Morizet, the Secretary of State with responsibility for planning and development of the digital economy, opened the debate on the right to digital anonymity and launched a wide-ranging national consultation process involving professionals and the general public. The process is to culminate in a charter intended to safeguard privacy on the internet. The Bill proposed by Yves Détraigne and Anne-Marie Escoffier equally derives from extensive consideration of the issue of privacy in an age when digital devices "remember", and of ways to ensure that individuals are fully involved in the protection of their rights.
Recent questions over the CNIL’s powers
"The subject of protecting privacy on the internet is continually changing and making news. By way of example, on 6 November 2009 France’s highest court, the Conseil d’Etat, gave a judgment recognising a right to oppose CNIL inspection visits to business premises. This judgment was based on the provisions of the European Convention on Human Rights and Fundamental Freedoms, and related to a company, INTER CONFORT. The final result was that the Conseil d’Etat set aside the penalties ordered against INTER CONFORT, on the basis that the CNIL had not given it advance notice of the right to object to inspection visits", explains Anne-Laure Villedieu. Where a company refuses to allow such visits, CNIL inspectors are required to put the matter before the Chairman of the competent tribunal, for authorisation of the inspection visit. The Chairman will then monitor the visit.
Anne-Laure Villedieu points out in summary that "this Conseil d’Etat judgment could force the commission to change its inspection procedures". The Bill proposed by senators Détraigne and Escoffier, if approved, would be well-timed to strengthen powers to impose penalties, and to publicise the heaviest penalties imposed by the CNIL.
About the author: Anne-Laure Villedieu, a lawyer in the firm of CMS Bureau Francis Lefebvre, practises in the field of technology law and the law of data protection. She is a member of the AFCDP (the French association of data protection officers) and of the IAPP (the International Association of Privacy Professionals).
The Intellectual Property / Technology team is led by Antoine Gendreau, a partner in the firm. It is made up of 8 lawyers acting in the field of intellectual property law and technology law, each specialising in one of the areas which make up this subject. They act both in France and internationally, in conjunction with all the members of the CMS alliance.