Data protection and cybersecurity laws in France

Data protection

1. Local data protection laws and scope

  • Data Protection and Privacy Act No. 78/17 dated 6 January 1978 as amended:
    •  by the Parliament by the Law n°2018-493 of 20 June 2018 implementing the EU General Data Protection Regulation 2016/679 (GDPR) and EU Data Protection Law Enforcement Directive 2016/680,
    • By Ordinance No. 2018-1125 dated 12 December 2018 adopted pursuant to article 32 of Act No. 2018-493 of 20 June 2018 on the protection of personal data (the “DPA”). https://www.cnil.fr/fr/la-loi-informatique-et-libertes
  • Application decree 2005-1309 dated 20 October 2005 as modified by Decree 2018-687 dated 1 August 2018  and Decree n° 2019-536 dated 29 May 2019 (the “decree”) https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000038528420?r=suVD86a68e
  • Application Decree n° 2019-341 dated 19 April 2019 about processing including social security number and its purposes
  • Law No. 2016/1321 for a Digital Republic of 7 October 2016 (“Law for a Digital Republic”)
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) covers requirements for electronic communications networks and services, including cookies and direct marketing by electronic means. PECR implemented the EU Privacy and Electronic Communications Directive (ePrivacy Directive) in France.

2. Data protection authority

Commission Nationale de l’Informatique et des Libertés – CNIL

3. Anticipated changes to local laws

Proposal for a regulation of the European Parliament and Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications, “ePrivacy”).

4. Sanctions & non-compliance

Administrative sanctions:

In case of non-compliance with the DPA, the CNIL may:

  • issue a warning to the data controller;
  • order a financial sanction proportional to the severity of the violation, up to EUR 20m or in the case of a company up to 4% of the worldwide annual turnover (the higher amount being taken into account);
  • seek an injunction to temporarily or permanently cease the processing or withdraw its authorisation to process data;
  • order to comply with requests to exercise the rights of persons;
  • order to bring the processing in compliance;
  • conduct onsite and online inspections (notably by using fake identities);
  • issue public non-compliance warnings.

Criminal sanctions:

Failure to comply with the DPA is punishable by five years’ imprisonment and a fine of up to EUR 300,000 (EUR 1.5m if the data controller is a legal person).

5. Registration / notification / authorisation

Specific types of data are subject to authorisation:

  • Social security numbers (RNIPP registration numbers): French Law maintains a prior authorisation regime except for the categories of data controllers listed in the Council of State’s (Conseil d’Etat) Decree dated 19 April 2019. However, no authorisation is required for the processing of social security numbers performed solely for public interest related purposes, for scientific or historical research purposes or statistical purposes, or for supplying users with one or more online government services, under certain conditions. These purposes do not in fact require such strict regulation, provided that additional safeguards are in place.
  • Biometric and Health Data: the CNIL, in collaboration with the INDS (French National Health Data Institute) has issued standard rules and reference documents for the processing of health data. The processing may take place if it complies with these requirements, provided however that the data controllers first submit a declaration of compliance to the CNIL. Any non-compliant processing still requires prior authorisation.
  • These same principles apply to automated processing for the purposes of health-related research or studies and for evaluating or analysing healthcare or prevention practices or activities. 

6. Main obligations and processing requirements

There are no major derogations from the GDPR.

However, it is important to note:

Consent

Except in limited cases, the CNIL does not recognise the employee’s consent as given freely to the employer acting as a data controller in the context of an employment relationship. Therefore, the employer cannot generally rely on employees’ consent as a basis for the processing or transfer of personal data.

Data subjects’ information

The information to provide to data subjects are the same as those requested under GDPR. Additional information on data subject’s rights on the right to set out guidelines relating to the fate of data after death must be provided.

Information required under French law includes all data subjects’ rights and must be provided whether the processing operation is based on consent or not. 

Records of processing

The CNIL has released a template document detailing the fulfilment process to establish the record of processing obligation. This document is an example and is not binding. 

Data Protection Impact Assessment 

The CNIL has released the lists of treatments for which a DPIA is and is not required. 

7. Data subject rights

Post Mortem right to Privacy (Articles 84 and seq. DPA)

Article 84 DPA provides the data subject with an additional right, that is the possibility for that data subject to define guidelines for the storage, erasure and communication of personal data after his or her death.

8. Processing by third parties

There are no derogations from the GDPR

9. Transfers out of country

There are no derogations from the GDPR

Pursuant to Article 39 DPA if the CNIL believes that a data subject’s allegations concerning a personal data breach are founded, it may now ask the Council of State (Conseil d’Etat) to suspend the transfer of data, imposing a fine if necessary, and refer to the ECJ for a preliminary ruling to assess the validity of the European Commission’s decision authorising or approving the necessary appropriate safeguards (adequacy decision or other).

10. Data Protection Officer

There are no derogations from the GDPR.

The appointment of a DPO must be notified via the CNIL website.

The CNIL has adopted a certification referential and an accreditation referential for the DPO’s certifications issued by certification bodies.

11. Security

The CNIL has issued a specific guide on security measures to be implemented by data controllers and processors in January 2018. Further information can be found here: https://www.cnil.fr/fr/un-nouveau-guide-de-la-securite-des-donnees-personnelles.

12. Breach notification

Where the reporting of unauthorised disclosure or access is likely to pose a risk to national security, defence or public security, such notification is not required (DPA, art. 58 , III; Decree, art. 91-2-1).

Such exemption only applies where the processing must comply with a legal obligation or where it is necessary to perform a task carried out in the public interest vested in the controller.

13. Direct marketing

The data controller cannot send unsolicited marketing messages without prior consent from the recipient (article L34-5 of Postal and Electronic Communications Code) unless:

  • the consumer is already a customer of the company, the marketing message concerns similar products and services purchased by the consumer, and such products and services are offered by the same person or company;
  • the marketing messages are non-commercial in nature (e.g. a charity).

In every case, at the time of collection of their email address, the prospect must be:

  • informed that their personal data will be used for marketing purposes;
  • able to easily and freely object to such use at any time at the original point where their details were collected, and in each subsequent marketing communication.

In the B2B context, there is no need for prior consent provided that the recipient has been informed about the fact that its details will be used for marketing purposes and is given the possibility to object to such use. The marketing messages must be relevant to the role or activity of the professional solicited.

15. Risk scale

Severe.

NA

Cybersecurity

1. Local cybersecurity laws and scope

French Post and Electronic Communications Code.

Act No. 2013-1168 of 18 December 2013 (Military Programming Act 2014-2019) on military programming for the years 2014 to 2019 which contains various provisions concerning national defence and security – articles 21 and seq. - (and its implementing decrees);

Act No. 2018-607 of 13 July 2018 (Military Programming Act 2019-2025) on military programming for the years 2019 to 2025 which contains various provisions concerning national defence and security – articles 34 and 35.

Act No.2018-133 of 26 February 2018 implementing various provisions of European Union law in the field of security and its implementing decrees and orders (“Cybersecurity Act 2018”):

  • Decree No. 2018-384 of 23 May 2018 on the networks and information systems security of essential and digital services providers (“Implementation Decree”);
  • Order (Arrêté) of 13 June 2018 setting the rules of notifications provided in articles 8, 11 and 20 of Decree n° 2018-384 of 23 May 2018 on network and IT system security;
  • Order (Arrêté) of 14 September 2018 setting security rules and deadlines provided in art. 10 of Decree n° 2018-384 of 23 May 2018 on the network and IT system security.

2. Anticipated changes to local laws

There are no changes anticipated at the local level, apart from the adoption at the EU level of the NIS2 Directive.

3. Application 

The Military Programming Act 2014-2019 (especially Article 22) sets out several cybersecurity obligations applicable to “vitally important operators” (opérateurs d’importance vitale) – VIOs – as defined in Article L.1332-1 of the French Defence Code.

The Military Programming Act 2019-2025 provides with measures to strengthen the protection against cyberattacks through the use of telecommunications operators.

The Cybersecurity Act 2018 has created two new categories of operators subject to cybersecurity obligations:

Operators of essential services (OES)

The OES are defined as any public or private entity providing an essential service for the maintenance of critical societal and/or economic activities relying on networks and information systems and whose service could be seriously affected in the event of a network security incident. Pursuant to the implementing Decree No. 2018-384 of 23 May 2018 on the security of networks and information systems of essential service operators and digital service providers, the OES are designated by the Prime Minister in various sectors, such as energy, transportation, banking, financial markets infrastructure, health, digital infrastructure etc. In this respect, the Prime Minister notifies operators individually of his intention to appoint them as an OES and from this notification, the operator may submit observations within a month.

Digital service providers (DSPs)

The DSPs are defined as any legal entity providing a digital service. The services concerned are the online search engines, online marketplaces and cloud computing services.  

The French National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d’information, ANSSI) and the Prime Minister appointed the first OES on 9 November 2018. 

4. Authority

5. Key obligations 

Under the French Defence Code and Article 22 of the Military Programming Act 2014-2019, the state is responsible for ensuring that VIOs are sufficiently secure. To do this, VIOs must:

  • comply with rules set by the Prime Minister on the protection for the security of the information systems, such as not connecting certain systems to the internet;
  • communicate, any cybersecurity incident, without delay, to the Prime Minister;
  • implement detection systems using government-certified service providers;
  • verify, on the request of the Prime Minister, the security level of critical information systems using an audit system;
  • ensure the ability to impose measures on operators in a major crisis;
  • implement a crisis management procedure in the event of major cyberattacks.

Under Article L33-14 of French Post and Electronic Communications Code telecommunications operators:

  • are allowed to use, on the electronic communications networks they operate, after a prior information of the ANSSI, devices using technical identifiers solely for the purpose of detecting events that may affect the security of their subscribers' information systems;
  • may be requested by the ANSSI to use, where appropriate, identifiers that the ANSSI provides them with, if the ANSSI it is aware of a threat that could affect the security of information systems
  • have to notify the ANSSI without delay when they have detected events that could affect the security of information systems;
  • at the request of the ANSSI, have to notify their subscribers of the vulnerability of their information systems or the breaches they have suffered.

Under Article L.2321-2-1 of the French Defence Code, when the ANSSI becomes aware of a threat that could affect the security of public authorities' information systems, the ANSSI may implement devices with information identifiers on the networks of a telecommunications operator, a host or service providers.

Under the Cybersecurity Act 2018, OES essentially have to:

  • comply with security rules set out in the following areas
    • governance of network and information system security,
    • protecting the security of networks and information systems,
    • defending the security of networks and information systems,
    • resilience of activities;
  • notify any cyber security incident, without delay, to the ANSSI when these incidents have or may have a significant impact on the continuity of services.

Under the Cybersecurity Act 2018 the DSP must:

  • Appoint a representative established on the national territory of the ANSSI if it is established outside the European Union and does not have any representative within the European Union;
  • Guarantee an appropriate level of security according to the existing risks and to do so, identify the risks threatening the security of the information systems and take the technical and organisational measures necessary and proportionate to manage these risks, avoid incidents and minimise their impact so as to guarantee the continuity of their services;
  • Notify any cybersecurity incident, without delay, to the ANSSI when an incident has a significant impact on the provision of these services.

The Cybersecurity Act 2018 implementation decree and orders (arrêtés) have set the rules applicable to the OES and DSP with respect to the notifications and the safety rules of the IT system.

6. Sanctions & non-compliance 

Under the Cybersecurity Act 2018, OES may be subject to the following fines:

  • EUR 100,000 in case of non-compliance with security rules
  • EUR 75,000 in case of failure to communicate a cybersecurity incident 
  • EUR 125,000 in case of obstruction of inspection operations

DSPs may be subject to the following fines:

  • EUR 75,000 in case of non-compliance with security rules
  • EUR 50,000 in case of failure to communicate a cybersecurity incident
  • EUR 100,000 in case of obstruction of inspection operations

The Prime Minister is entitled to control the compliance of the OES and DSPs with their obligations under the Cybersecurity Act 2018. The investigations are carried out by ANSSI or by qualified service providers.

Under Article 22 of the Military Programming Act 2014-2019 and Article L.1332-7 of the French Defence Code, non-compliance by the VIOs with their key obligations listed above incurs a fine of EUR 150,000.

Under Article 34 of 2019-2025 and Article L.2321-2-2 of the French Defence Code, telecommunication operators that prevent the implementation of the measures provided for in Article L2321-2-1 are punishable with a fine of EUR 150,000.

Under Article 226-3 of the French Criminal Code, the use of any technical means or device to intercept and capture data, without ministerial authorisation, is punishable by up to five years of imprisonment and a fine of EUR 300,000 (EUR 1.5m for a legal person – Article 131-38 of the French Criminal Code).

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes. CERT-FR (Computer Emergency Response Team) formerly called CERTA (https://www.cert.ssi.gouv.fr/).

CERT-FR is the contact team on call to receive alerts from ANSSI at all hours in the event of a cyberattack. CERT-FR deals with cyber incidents occurring in France and involving the administration and VIOs. Its main missions are: detecting threats and vulnerabilities in systems, particularly through a technological survey; leading the resolution of cyber incidents; helping to implement measures to future incidents; organising global coordination with other entities.

8. National cybersecurity incident management structure

The French National Cybersecurity Agency (ANSSI) is responsible for replying to cybersecurity incidents targeting strategically important institutions.

The Ministry of Defence and the Ministry of the Interior also assume functions of prevention of all forms of cybercrime.

9. Other cybersecurity initiatives 

PRIS (Incident Response Providers)

Cyber Defence Command Unit (COMCYBER) reporting to the Chief of the Defence Staff.

Portrait of Anne-Laure Villedieu
Anne-Laure Villedieu
Partner
Paris
Portrait of Maxime Hanriot
Maxime Hanriot
Associate
Paris