France

Summary

Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) (an unofficial English version of the Act is available here) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: French data protection authority (CNIL)

Summary: Rather than issuing new separate legislation for data protection, as many European jurisdictions have done, France has opted to amend Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act) several times since 1978. Notable amendments have introduced the right to be forgotten, monetary penalties, and data portability.

The Act was also amended in June 2018 to implement the GDPR and was subsequently restructured to improve comprehension of the extensive changes. The Act provides for multiple derogations from the GDPR. For example, despite ending obligatory prior notification, the Act still requires prior authorisation or opinion requests from the French data protection authority (CNIL) for certain processing activities, such as the processing of health data for the purposes of research or public interest. Furthermore, the Act permits data subjects to specify what must happen to their personal data following their death.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview on the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

In this Insight article, Marguerite Brac de La Perrière, Partner at Fieldfisher, examines the French data protection authority's (CNIL) recommendations on artificial intelligence (AI), offering guidance for applying data protection principles in AI development.

In this Insight article, Daniela Schott and Kristin Bauer, from KINAST, explore the intricacies of data protection in artificial intelligence (AI) system development, shedding light on the critical considerations, legal foundations, and guidelines provided by the French Data Protection Authority (CNIL).

Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.

The French data protection authority ('CNIL') published, on 16 May 2022, its guidance outlining criteria for assessing the legality of cookie walls, i.e. the practice of conditioning access to a service on the acceptance, by the internet user, of the deposit of cookies or similar tracking technologies on their terminal device. In particular, the guidance follows the Council of State's decision of 19 June 2020 which held that CNIL could not impose a blanket ban on the use of cookie walls, as it had intended in the first version of its guidelines on cookies and similar trackers ('the Cookie Guidelines'), which consequently do not generally prohibit such practices in their final effective version. In this Insight article, we take a closer look at the criteria set out by CNIL, whilst also positioning the guidance in the broader context of the complex regulatory dynamics surrounding cookie walls.

On 5 April 2022, the French Data Protection Authority ('CNIL') released extensive publications concerning artificial intelligence (AI). These publications are addressed to three main target groups, namely the broader public, experts, and scientists, as well as organisations that process personal data through AI systems - both data controllers and data processors. For the latter, the CNIL guidance is twofold: it is built around general recommendations and a self-assessment tool to measure and ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This is particularly valuable in the absence of comprehensive guidance at the EU level and is of relevance beyond France. Even though these publications are not binding as such, providers and users of AI systems subject to the GDPR should still assess their AI systems according to the CNIL's requirements. Sixtine Crouzet, Associate at Fieldfisher (Belgium) LLP, discusses the CNIL guidance in light of the AI Act.

The French data protection authority ('CNIL') published, on 16 November 2021, a practical guide on the data protection officer ('DPO'), notably under Articles 37 to 39 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Articles 57 and 103 of the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR). Four sections of the Guide cover the role of the DPO, the designation of the DPO, the exercise of the tasks of the DPO, and support for the DPO by CNIL. As well as reiterating pertinent provisions of the GDPR regarding the central topics, CNIL incorporates best practices into its guide through practical examples and case studies, of which this Insight article provides an overview.

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

The French Government ('the Government') announced, on 17 May 2021, that Bruno Le Maire, Minister of Economy, Finance, and Recovery, Amélie de Montchalin, Minister of Transformation and Public Service, and Cédric O, Secretary of State for Digital Transition and Electronic Communications, presented, on the same day, the French national cloud strategy ('the Strategy'), built in line with other European initiatives on the matter. OneTrust DataGuidance analyses this development and its significance.