In France, the fundamental legislation for protection of personal data is Act no. 78-17 dated January 6 1978, referred to as the Data Protection and Privacy Act. Decree No. 2005-1309 dated October 20 2005 has since completed the statutory framework.
The 1978 Act was amended by Act No. 2004-801 dated August 6 2004 for protection of natural persons with regard to processing of personal data, which was introduced to implement directive 95/46/EC dated 24 October 1995 for protection of natural persons with regard to processing of personal data and free circulation of those data.
French data protection authority the Commission Nationale de l’Informatique and des Libertés (CNIL) is tasked with monitoring compliance with the Data Protection and Privacy Act, which gives it five main responsibilities:
to inform and advise controllers and data processing subjects of their rights and duties;
- to guarantee the right of access of data subjects to processed data;
- to inventory files and issue authorisations for processing “at-risk” data, issue notices with respect to public processing using an individual’s national ID number, and receive declarations with respect to other processing;
- to oversee automatic processing of personal information, check compliance with the Data Protection and Privacy Act, and impose penalties for breaches;
- to regulate activity of this type, through simplified procedures or specific approvals allowing the most common, least dangerous kinds of processing to be carried out with reduced formality, or under waivers dispensing with the need for any declaration in the case of kinds of processing judged to pose no risk to individual liberty.