Support Centre

France

Summary

Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) (an unofficial English version of the Act is available here) (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: French data protection authority (CNIL)

Summary: Rather than issuing new separated legislation for data protection, as many European jurisdictions have done, France has opted to amend Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act) several times since 1978. Notable amendments have introduced the right to be forgotten, monetary penalties, and data portability.

The Act was also amended in June 2018 to implement the GDPR and was subsequently restructured to improve comprehension of the extensive changes. The Act provides for multiple derogations from the GDPR. For example, despite ending obligatory prior notification, the Act still requires prior authorisation or opinion requests from the French data protection authority (CNIL) for certain processing activities, such as the processing of health data for the purposes of research or public interest. Furthermore, the Act permits data subjects to specify what must happen to their personal data following their death.

News

Insights

September 2024

France: Overview of the recommendations on the development of AI systems with respect to data protection

In this Insight article, Marguerite Brac de La Perrière, Partner at Fieldfisher, examines the French data protection authority's (CNIL) recommendations on artificial intelligence (AI), offering guidance for applying data protection principles in AI development.

February 2024

France: CNIL's AI how-to sheets - an overview

In this Insight article, Daniela Schott and Kristin Bauer, from KINAST, explores the intricacies of data protection in artificial intelligence (AI) system development, shedding light on the critical considerations, legal foundations, and guidelines provided by the French Data Protection Authority (CNIL).

July 2022

France: Practical do's and don'ts for cookie walls and paywalls

Website operators should take note that they may be breaking the law if they force visitors to accept cookies or pay for access. The latest guidance on website cookie walls, published on 16 May 2022 by the French data protection authority ('CNIL'), sheds some light on criteria for assessing the legality of cookie walls1. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, breaks down the guidance into practical steps for website operators.

May 2022

France: CNIL opens door to cookie walls - a closer look at the new criteria

The French data protection authority ('CNIL') published, on 16 May 2022, its guidance outlining criteria for assessing the legality of cookie walls, i.e. the practice of conditioning access to a service on the acceptance, by the internet user, of the deposit of cookies or similar tracking technologies on their terminal device. In particular, the guidance follows the Council of State's decision of 19 June 2020 which held that CNIL could not impose a blanket ban on the use of cookie walls, as it had intended in the first version of its guidelines on cookies and similar trackers ('the Cookie Guidelines'), which consequently do not generally prohibit such practices in their final effective version. In this Insight article, we take a closer look at the criteria set out by CNIL, whilst also positioning the guidance in the broader context of the complex regulatory dynamics surrounding cookie walls.

May 2022

France: CNIL guidance on AI - A preview of the EU AI Act?

On 5 April 2022, the French Data Protection Authority ('CNIL') released extensive publications concerning artificial intelligence (AI).1 These publications are addressed to three main target groups, namely the broader public, experts, and scientists, as well as organisations that process personal data through AI systems - both data controllers and data processors. For the latter, the CNIL guidance is twofold: it is built around general recommendations2 and a self-assessment tool3 to measure and ensure compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). This is particularly valuable in the absence of comprehensive guidance at the EU level and is of relevance beyond France. Even though these publications are not binding as such, providers and users of AI systems subject to the GDPR should still assess their AI systems according to the CNIL's requirements. Sixtine Crouzet, Associate at Fieldfisher (Belgium) LLP, discusses the CNIL guidance in light of the AI Act.

December 2021

France: CNIL provides practical advice for DPO role, tasks, and appointment in dedicated guide

The French data protection authority ('CNIL') published1, on 16 November 2021, a practical guide on the data protection officer2 ('DPO'), notably under Article 37 to 39 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Articles 57 and 103 of the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR). Four sections of the Guide cover the role of the DPO, the designation of the DPO, the exercise of the tasks of the DPO, and support for the DPO by CNIL. As well as reiterating pertinent provisions of the GDPR regarding the central topics, CNIL incorporates best practices into its guide through practical examples and case studies, of which this Insight article provides an overview.

November 2021

Europe: COVID-19 vaccination status - What can employers collect?

With restrictions being lifted across Europe and businesses planning their return to the office, many employers, in an endeavour to prevent the spread of COVID-19, are faced with the dilemma of whether they can require their employees to be vaccinated or to show proof of their vaccination status. Besides the health and safety concerns associated with the introduction of such measures, there are also some key privacy-related considerations. In particular, an individual's vaccination status falls within the scope of health data under Article 4(15) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and is therefore a special category of personal data under Article 9 of the GDPR, meaning processing is generally prohibited, unless an exception applies.

This article outlines the local requirements in the UK, Germany, the Netherlands, France, and Italy.

May 2021

France: The new national cloud strategy - data transfers and localisation implications

The French Government ('the Government') announced1, on 17 May 2021, that Bruno Le Maire, Ministry of Economy, Finance, and Recovery, Amélie de Montchalin, Minister of Transformation and Public Service, and Cédric O, Secretary of State for Digital Transition and Electronic Communications, have presented, on the same day, the French national cloud strategy ('the Strategy'), built in line with others European initiative on the matter. OneTrust DataGuidance analyses this development and its significance.

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.