
France - Data Protection Overview

October 2024

1. Governing Texts

In France, the French Act No. 2018-493 of 20 June 2018 (only available in French here) (the Amendment Law) incorporates the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) provisions in the existing Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (only available in French here) (the 1978 Act), which governs the protection of personal data.

For greater clarity, the law has been rewritten via Ordinance No. 2018-1125 of 12 December 2018 (only available in French here) (the 2018 Ordinance), which took effect on June 1, 2019.

The French data protection authority is the 'Commission nationale de l'informatique et des libertés' (or CNIL) and its guidelines clarify the 1978 Act.

1.1. Key acts, regulations, directives, bills

Historically, France was governed by the unamended 1978 Act, which created CNIL. It was enacted following the so-called 'SAFARI' scandal revealed in 1974 in the French newspaper Le Monde, regarding the French administration's plan to interconnect nominative files via social security numbers, thus creating the need to regulate the use of personal data (only available in French here).

The 1978 Act has been amended several times, including by Law No. 2004-801 of 6 August 2004 implementing Directive 95/46/EC on the protection of personal data (only available in French here), and in 2016 by the Law for a Digital Republic of 7 October 2016 (the Digital Republic Act) (only available in French here), which anticipated the GDPR regarding algorithms, children, anonymization of criminal data in court decisions, financial sanctions, and most importantly France's characteristic feature: digital inheritance.

Almost a month after the entry into force of the GDPR, notwithstanding an emergency enactment procedure and the submission of provisions to the Conseil Constitutionnel (French Constitutional Court) to ensure compliance with the French Constitution of 4 October 1958 (only available in French here), the Amendment Law finally modified Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (official version available in French here; unofficial English version available here) with a retroactive entry into force on May 25, 2018.

At that time, the GDPR implementation technique was characterized by France's symbolic choice to maintain the 1978 Act's architecture, preserving the principles that were identified 40 years ago by the legislator, and repealing only contradictory provisions. However, this method led to unsatisfactory results in terms of legibility. Some provisions appeared redundant, while others were unclear regarding their practical application or resulted in having a meaning diverging substantially from the GDPR provisions.

The first enforcement decree, published on August 3, 2018, Decree No. 2018-687 of August 1, 2018 (only available in French here) (Decree No. 2018-687), specifies the organization and functioning of CNIL (e.g. quorum, investigations, cooperation with other data protection authorities, complaint filing through an online form), provides that CNIL is to publish the lists of processing operations for which a Data Protection Impact Assessment (DPIA) is required (DPIA Blacklist) (CNIL has since fulfilled its mandate to issue its DPIA Blacklist in Deliberation No. 2018-328 of 11 October 2018; the full DPIA Blacklist issued by CNIL, including examples of such blacklisted processing operations, is only available in French here), details the data subjects' rights (e.g. conditions and guarantees under which the rights of access, rectification, restriction and opposition may be waived in the event of data processing for scientific, historical research, or statistical purposes), and establishes the list of categories of data processing (administrative, financial, operational, and medical) which may derogate from the data breach notification obligations.

Furthermore, and in addition to Decree No. 2018-687, other enforcement decrees were enacted to finalize French law's adaptation to European personal data protection regulations. In particular, Decree No. 2019-536 of 29 May 2019 (only available in French here) (the Implementing Decree) constitutes the final step in bringing national law into line with the GDPR. The Implementing Decree ensures the consistency of the revised 1978 Act with European regulation, specifies data subjects' rights, adapts procedural rules before CNIL, repeals Decree No. 2005-1309 of 20 October 2005 (only available in French here), and above all brings into force the 1978 Act as amended by the Ordinance No. 2018-1125. The adoption of the 2018 Ordinance resolved the criticisms raised by the Amendment Law and finally modified the architecture of the 1978 Act by rewriting the entire text in order to improve its legibility, ensure consistency with other regulations in force, and correct any error and omission for coherence with the GDPR.

The 1978 Act is organized around five titles relating to:

  • common provisions including definitions of the essential concepts by express reference to the GDPR, the material and territorial scope of application, the fundamental principles of personal data protection, the rules on special categories of personal data as well as those on the organization and functioning of CNIL, and finally the criminal provisions (Articles 1 to 41 of the 1978 Act);
  • personal data processing provisions as provided for in the GDPR (Articles 42 to 86 of the 1978 Act);
  • personal data processing provisions as provided for in the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (the Data Protection Directive) (Articles 87 to 114 of the 1978 Act);
  • exclusively national personal data processing provisions concerning State security and defense (Articles 115 to 124 of the 1978 Act); and
  • personal data processing provisions regarding Overseas France (i.e. French-administered territories outside Europe) (Articles 125 to 128 of the 1978 Act).

More recently, Law No. 2024-449 of May 21, 2024 (SREN) (only available in French here), which aims to secure and regulate the digital space, amended the 1978 Act by extending its scope and granting new powers to CNIL.

Therefore, it is still the provisions of the 1978 Act integrating the GDPR and its decrees that set the general framework applicable to the protection of personal data in France.

1.2. Guidelines

CNIL regularly publishes guidance, mainly only available in French, on its website which, for the moment, relates more to the GDPR than the 1978 Act itself. Among such guidance, the following should be highlighted:

  • The Six-Step GDPR Compliance Methodology (only available in French here);
  • Recommendations on Data Protection Officers (DPOs) (only available in French here);
  • Recommendations on log records (only available in French here);
  • Guidance on personal data security (only available in French here);
  • Recommendation on multi-factor authentication (only available in French here);
  • Guidance on employees' rights (only available in French here);
  • Guidance on ISO 27701, an international standard addressing personal data protection (English version here), and ISO/IEC 42001 for organizations that provide or use artificial intelligence (AI) systems (only available in French here);
  • Practical factsheets on the development of AI and AI how-to sheets (English version available here) and guidance on how to deploy generative AI (only available in French here);
  • Practical guides to inform organizations on the use of cloud services (encryption and data security) (only available in French here);
  • Recommendations on the opening (open data) and reuse of data published on the Internet (only available in French here);
  • Guidance on the right to delisting (only available in French here);
  • Guidelines on cookies and other trackers (only available in French here);
  • Guidelines on Data Protection Impact Assessments (DPIA) (only available in French here);
  • Two reference methodologies for accessing the main National Health Data System (in French 'Système national des données de santé' or SNDS) (only available in French here) and practical sheets for data matching processes (only available in French here);
  • Draft Guide on Transfer Impact Assessment (TIA) (English version available here);
  • Questions & Answers on the adequacy decision for the EU-U.S. Data Privacy Framework (only available in French here);
  • Guidance on whistleblowing (only available in French here);
  • Guidance on the processing of personal data intended to the management of pharmacies (only available in French here); and
  • Various other guidelines, recommendations and practical information on different topics such as anonymization techniques, health related topics, public affairs and lobbying, amateur and professional sports, Binding Corporate Rules (BCRs), personal data breach notification, consent, and profiling.

In addition to general guidance, CNIL has also published a range of GDPR compliance tools, including online forms (e.g. personal data breach notifications (only available in French here), the appointment of a DPO (only available in French here), etc.); templates (e.g. record of processing activities (available here), etc.); software (e.g. Privacy Impact Assessment Software, and open-source software to detect cookies deposited on users' devices by websites (only available in French here), etc.); a self-assessment tool to check the maturity level of a Group's BCR project (only available in French here); and a tool to visualize the evolution of the 1978 Act over time (until 2022), article by article, called 'the Life of Law' (only available in French here).

CNIL also launched 'sandboxes' with the aim of providing support and legal certainty to selected projects concerning emerging issues. The first sandbox, in 2021, was dedicated to digital health. For 2022, CNIL's sandbox was dedicated to digital tools in the field of education, or EdTech. CNIL published the recommendations made to the actors accompanied during the first two editions of the sandbox (English version available here). For its third edition, the sandbox is dedicated to the use of AI in the public service (only available in French here).

CNIL also offers 'enhanced support' which, unlike the 'sandbox', is not focused on a specific area and may relate to projects that are already implemented and that do not necessarily raise new legal issues. For the first edition, CNIL selected three digital companies and provided legal and technical responses tailored to their projects in order to guide them towards full GDPR compliance, particularly in the field of AI (English version available here). In September 2024, CNIL announced enhanced support for four more companies for six months (only available in French here).

CNIL is also in the process of transforming its now-obsolete instruments, such as authorization procedures, into soft law guidance (only available in French here). For instance, in January 2022, CNIL published two reference documents (only available in French here), the Standard on Processing of Personal Data for the purposes of debt management and the Standard on Processing of Personal Data for the purposes of commercial activities (both constituting the 'commercial activities management' reference framework). Pending the adoption of new standards, CNIL explained that its previous deliberations and authorizations can be used to 'orientate conformity'.

Finally, CNIL has published several webinars, including webinars on accessing the main National Health Data System (only available in French here), data sharing by application programming interface (API) (only available in French here), DPIAs (only available in French here), and whistleblowing (only available in French here).

1.3. Case law

Since the entry into force of the GDPR, CNIL has sanctioned several violations of the legislation and issued warnings against companies (sanctions available in French here). In 2023, 42 sanctions were imposed by CNIL, amounting to approximately €89 million (report only available in French here).

For example, notable sanctions have been imposed for:

  • failure to respect the right to object to processing;
  • failure to comply with cookie requirements (especially lack of information, lack of valid consent, and not enabling users to refuse the cookies placed on their terminal as easily as to accept them), notably against Google for €150 million and Facebook for €60 million on December 31, 2021, and more recently against Yahoo for €10 million on December 29, 2023 (decision available in French here), Criteo for €40 million on June 15, 2023 (decision available in French here), and Voodoo (decision available in French here), TikTok (decision available in French here) and Apple (decision only available in French here), all three decisions adopted on December 29, 2022;
  • failure to rely on a lawful legal basis (notably Clearview AI for €20 million on October 17, 2022 (decision only available in French here));
  • failure to provide information to data subjects (for instance, the Canal+ Group on October 12, 2023 (decision only available in French here));
  • failure to cooperate with the data protection authority;
  • data security breaches;
  • failure to comply with the obligation to limit the data retention period;
  • failure to comply with the obligation to facilitate the exercise of rights; and
  • failure to comply with the obligation to process adequate and relevant data.

2. Scope of Application

2.1. Personal scope

As long as the processing concerns personal data, the 1978 Act applies whether the data controller or processor is a legal or natural person, public, or private.

Article 48 of the 1978 Act also provides for the application of certain provisions (right of any person to lay down guidelines for the storage and deletion of their personal data after their death) of the 1978 Act to deceased individuals.

2.2. Territorial scope

Article 3 of the 1978 Act provides that all the provisions of the 1978 Act apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or a processor on the French territory, whether or not the processing takes place in France.

National rules adopted on the basis of the GDPR to adapt or supplement the rights and obligations of the GDPR will also apply where the data subject resides in France, including where the controller is not established in France. However, for processing carried out for journalistic, academic, artistic, or literary expression purposes the national rules applicable are those to which the data controller is subject when it is established in the European Union.

The SREN law, which aims to secure and regulate the digital space, amended Article 3 of the 1978 Act by extending its scope. The amendment specifies that Titles I and II of the 1978 Act apply to the processing of personal data of data subjects who are located on French territory, by a controller or a processor not established in the EU, when such processing is related to the monitoring of these data subjects' behavior within the EU, particularly through the collection of their personal data with the aim of linking them with data related to their online activities.

2.3. Material scope

Article 2 of the 1978 Act provides that it applies to the automated processing of personal data and to the non-automated processing of personal data contained or destined to appear in a filing system.

Processing carried out by natural persons in the exercise of strictly personal or domestic activities is not subject to the 1978 Act.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

CNIL is the national data protection authority according to the meaning and for the application of the GDPR. It is an independent administrative authority composed of 18 members, including parliamentarians, representatives of high courts, qualified public figures, and a chairperson.

As to institutional proceedings, the members congregate in plenary sessions, and, since 2004, CNIL's Restricted Committee, which is composed of five members and a Chair, can impose diverse sanctions in case of non-compliance with data protection legislation.

3.2. Main powers, duties and responsibilities

As the French data protection authority, CNIL's main mission is to control and audit compliance with data protection legislation and impose sanctions in case of a failure to remedy breaches.

Under the GDPR, CNIL's right of entry and inspection remains essentially the same as it was under the previous French data protection regime, and while the nature of the premises subject to on-site searches is more clearly specified, it is still subject to professional secrecy. The 1978 Act now also provides for the possibility of using a borrowed identity for online controls (even though the power to conduct online audits was established in 2014).

At the end of the audit process, CNIL examines the gathered information and documents and drafts an inspection report. When the breaches are noted as serious, CNIL can impose sanctions. However, the French Constitutional Court ruled that neither the warnings nor the formal notices pronounced by CNIL's chairperson according to Article 20 of the 1978 Act constitute 'sanctions' that are punitive in nature.

In addition to its historical responsibilities, CNIL is awarded the power to adopt or encourage the development of new soft law instruments (such as guidelines, recommendations, codes of conduct, model regulations, reference methodologies for health data processing, certification mechanisms, standards, etc.).

Furthermore, since 2020, European cooperation has increased, and its mechanisms are now an integral part of CNIL's activity in the context of cross-border processing controls. For instance:

  • in July 2024, in cooperation with CNIL, the Lithuanian data protection authority (VDAI) issued a fine of approximately €2.3 million on Vinted UAB for multiple violations affecting platform users. Since Vinted headquarters are in Lithuania, the VDAI was the competent authority to conduct investigations. CNIL closely cooperated with the VDAI throughout the procedure, as well as with other relevant data protection authorities from Poland, the Netherlands, Germany and Spain (press release available here).
  • in February 2022, CNIL, in cooperation with its European counterparts, was able to issue a formal notice to a website editor for its use of Google Analytics. Following the filing of 101 complaints in all 30 States of the European Economic Area (EEA) by None of your business (NOYB) (founded by Mr. Schrems), the European Data Protection Board (EDPB) established a task force to jointly examine the legal issues raised and coordinate EEA States' position. Thus, thanks to this cooperation, CNIL ruled that personal data collected and processed through Google Analytics is transferred by Google to the United States without adequate safeguards excluding the possibility of access to personal data by US intelligence services.
  • in 2021, CNIL participated in close cooperation with the Luxembourg data protection authority (CNPD) to the procedure led against Amazon Europe Core that resulted in the highest sanction pronounced by a European data protection authority to date (€746 million on July 16, 2021) (although Amazon's appeal is still pending and the decision not enforceable yet). The claim was addressed to CNIL by a French association.

For 2024, CNIL's control program (published on February 8, 2024) focused on the following areas: data relating to minors, files linked to the Olympic and Paralympic games, electronic sales receipts and loyalty programs, and people's right of access. These four major concerns stem from:

  • the Olympic and Paralympic games which deployed major security measures (e.g., QR codes, access authorizations, and the use of augmented cameras), and data collected from an important number of data subjects as part of the ticketing services;
  • the exposure of minors to social networks, dating sites, and online gaming platforms at an increasingly early age. This can lead to the massive collection of information about their identity, preferences and lifestyle, with significant repercussions for their privacy, psychological well-being and socio-professional future; and
  • the collection of information about consumers involved in loyalty programs (e.g., eating habits, household composition, children's age categories, presence of pets, etc.) and offered in most supermarket chains, which can be reused for commercial prospecting or advertising targeting. In addition, the recent dematerialization of till receipts may also lead to additional processing of personal data.

The SREN law, which aims to secure and regulate the digital space, was adopted to comply with new EU regulations and increases CNIL's powers (available only in French here). In accordance with the Digital Services Act (DSA), the SREN law designated CNIL as the competent authority to ensure compliance with certain obligations arising from the DSA and applicable to online platforms (e.g., strengthened transparency obligations regarding targeted advertising, prohibition of profiling based on sensitive data and profiling of minors). In this context, CNIL is granted new control measures (e.g., the power to seize any document under judicial supervision, the ability to record the responses of individuals being interviewed) and will also be able to adopt corrective measures, including fines.

The SREN law also regulates the conditions under which pornographic websites must verify the age of their visitors. The French audiovisual and digital communications authority (ARCOM) will rely on CNIL's expertise to find a fair balance between the need to verify internet users' age and data protection issues.

Furthermore, the SREN law provides for the deployment of an 'anti-scam' cybersecurity filter for the general public, aimed at better protecting internet users from the risks encountered when accessing malicious web pages or websites (e.g., phishing, identity theft). These pages and websites could be flagged to the public for their malicious nature, but also be delisted or blocked. To ensure the proportionality of the system, a qualified individual selected from among the members of CNIL College will be responsible for overseeing these measures.

The SREN law also gives CNIL a new mission (press release only available in French here) as it becomes the competent authority responsible for the public national register of recognized data altruism organizations, as defined by Article 23 of the Data Governance Act (DGA).

4. Key Definitions

Data controller: There is no definition of 'controller' in the 1978 Act. Article 2 refers to the definitions provided by Article 4 of the GDPR. Thus, a controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data processor: Article 2 provides for the application of the definition of 'processor' provided in Article 4 of the GDPR. Thus, a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Personal data: There is no definition of 'personal data' in the 1978 Act. Article 2 of the 1978 Act refers to the definitions provided by Article 4 of the GDPR. Thus, personal data is any information relating to an identified or identifiable natural person.

Data subject: There is no definition of 'data subject' in the 1978 Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, a data subject is an identified or identifiable natural person.

Sensitive data: There is no definition of 'sensitive data' in the 1978 Act. However, Article 6 of the 1978 Act provides for the same definition as Article 9 of the GDPR. Thus, sensitive data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, health data, data concerning sex life or sexual orientation of a natural person.

Health data: There is no definition of 'health data' in the 1978 Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, health data means personal data related to the physical or mental health of a natural person.

Biometric data: There is no definition of 'biometric data' in the 1978 Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, biometric data is personal data resulting from specific technical processing relating to the physical, physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person.

Pseudonymization: There is no definition of 'pseudonymization' in the 1978 Act. Article 2 provides for the application of the definition provided in Article 4 of the GDPR. Thus, pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

5. Legal Bases

5.1. Consent

Regarding a minor's consent, Article 45 of the 1978 Act specifies that a minor may consent alone to the processing of personal data with regard to the direct provision of information society services from the age of 15. Where the minor is under the age of 15, processing shall be lawful only if consent is given jointly by the minor concerned and the holder(s) of parental authority over that minor.

In addition, French law no. 2023-566 of 7 July 2023 on the digital majority and the fight against online hate (only available in French here) imposes new obligations on social networks operating in France regarding minors. These service providers are required to:

  • prevent minors under the age of 15 from subscribing to their services without the authorization of the holder(s) of parental authority; and
  • implement technical solutions to verify the age of minors and the holder(s) of parental authority that comply with a set of guidelines to be drawn up by ARCOM (only available in French here), after consultation with CNIL.

It should also be noted that, with regard to processing in the electronic communications sector, Article 82 of the 1978 Act, which governs the information to be given to data subjects and the use of cookies, altered the wording of the former Article 32 of the 1978 Act. The former Article 32 provided that such use required the 'approval' of the data subject, which according to CNIL allowed obtaining such approval via scrolling down, browsing, or swiping through the website or application.

Article 82 of the 1978 Act, in its current wording, provides that the use of cookies requires the consent of the data subject.

Regarding cookies, CNIL published Deliberation No. 2020-091 on September 17, 2020, adopting guidelines on the application of Article 82 of the 1978 Act to the use of 'cookies and tracking devices' (only available in French here) (the Cookies Guidelines).

In the Cookies Guidelines, CNIL states that:

  • navigation on a website can no longer be considered a valid expression of the user's consent. Individuals must explicitly consent to the placement of cookies by a clear positive action. Otherwise, cookies or trackers cannot be placed on their device;
  • withdrawal of consent should be as easy as to give consent and possible at any time;
  • refusal of cookies and trackers should be as easy as acceptance;
  • individuals must be clearly informed of the purposes of the trackers before they consent, as well as the consequences of accepting or refusing them;
  • individuals must be informed of the identity of all the actors depositing cookies on their devices, at the time consent is collected; and
  • the organizations operating the trackers must be able to demonstrate, at any time, the valid collection of the user's consent.

The Cookies Guidelines also provide that certain tracking devices are exempted from the collection of consent, such as cookies and trackers allowing authentication of the user, retaining the content of a shopping cart on e-commerce websites, or retaining the user's choice on the use of cookies and trackers.

CNIL also adopted practical recommendations on complying with the Cookies Guidelines, including good practices for collecting the user's consent and examples of user interfaces (only available in French here).

Finally, in a decision dated June 19, 2020, the Council of State ruled that CNIL could not impose a general and absolute ban on making access to a website conditional on the consent to the deposit of trackers for targeted advertising purposes (i.e. suppression of the provision of the guidelines prohibiting the practice of 'cookie walls'). Consequently, the CNIL has amended its Cookies Guidelines, but only on that particular aspect.

In addition, following complaints from NOYB, CNIL and its European counterparts, gathered within the Cookie Banner Task Force, published a report on cookie banners (EDPB cookie banner report) on January 17, 2023, setting out the common positions of the European data protection authorities on the practices and design of cookie banners (press release only available in French here). According to the EDPB cookie banner report, the European data protection authorities consider that the design of cookie banners must enable users to understand what they are consenting to and how to express their choice. In this respect, the authorities agreed that a case-by-case examination of cookie banners should be carried out to determine whether the design chosen is manifestly misleading to users.

CNIL is also monitoring the evolving practices on the web regarding cookies and business models, particularly with the announcement of the end of 'third-party cookies' in Google Chrome in 2025. In this context, CNIL commissioned an economic study of the possible consequences of this evolution and published its main conclusions (only available in French here).

CNIL has also published guidance regarding audience measurement tools in terms of data transfers (only available in French here) and the requirement of consent (only available in French here). As a reminder, audience measurement tools are used to obtain information about the navigation of visitors on a website or mobile application.

5.2. Contract with the data subject

There are no variations from the GDPR.

5.3. Legal obligations

There are no variations from the GDPR.

5.4. Interests of the data subject

There are no variations from the GDPR.

5.5. Public interest

There are no variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no variations from the GDPR.

5.7. Legal bases in other instances

Historical and scientific research purposes

The 1978 Act provides that personal data can be retained beyond the time necessary to fulfill historical, statistical, scientific purposes for which they are processed and that further processing for such purposes shall be considered compatible with the original purposes of data collection (Article 4 of the 1978 Act). Exemptions from the obligation of the controller to inform data subjects are provided for processing necessary to data retention for historical, statistical, or scientific purposes, where data was initially collected for another purpose (Article 79 of the 1978 Act).

The right of access provided for in the 1978 Act does not apply to personal data retained (Article 49 of the 1978 Act):

  • in a form clearly excluding any risk to the privacy of the data subjects concerned; and
  • for a period not exceeding the time necessary for the sole purpose of establishing statistics or conducting scientific or historical research.

Finally, where processing is for archival purposes in the public interest, the applicable rules are those of Articles L.211-2 and L.212-3 of the French Heritage Code (Code du patrimoine) (only available in French here) (Articles 4 and 78 of the 1978 Act).

6. Principles

Article 4 of the 1978 Act provides for the same principles as the GDPR; i.e.:

  • lawfulness, fairness and transparency (the transparency requirement applies to processing falling under the GDPR);
  • purpose limitation;
  • data minimization: for this principle, the 1978 Act relaxes the GDPR standard of 'limited to what is necessary' to 'not excessive' for processing relating to:
    • the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties or detention orders on behalf of the State; and
    • State national security, defense or public security purposes;
  • accuracy;
  • storage limitation; and
  • integrity and confidentiality.

7. Controller and Processor Obligations

7.1. Data processing notification

In accordance with the GDPR, France has abolished its prior notification regime (i.e. simplified or standard declarations or authorization requests are as a principle not required anymore); however, some processing must still be notified to CNIL for authorization or request for an opinion.

So far, CNIL has only identified processing of health data for research purposes and for public interest purposes as triggering this prior notification obligation and has published the relevant authorization request forms online (only available in French here).

In addition, Articles 31 and 32 of the 1978 Act provide that authorization by decree or ministerial ruling is required for processing:

  • of special categories of data (sensitive data specified in Article 6(I) of the 1978 Act);
  • biometric and genetic data necessary to identify persons or control identity on behalf of the State; and
  • for State national security, defense or public security purposes, and relating to the prevention, search, finding or prosecution of criminal offenses or to the enforcement of criminal convictions or detention orders on behalf of the State (these 'sovereignty processing operations' remain unchanged).

Finally, the specific list of categories of controllers and purposes of processing using the social security number of natural persons ('NIR') has been published by Decree No. 2019-341 of 19 April 2019 (only available in French here).

7.2. Data transfers

The 1978 Act provides for the following two restrictions on data transfers:

  • for the processing of personal data by the competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; and
  • for processing concerning State security and defense.

Regarding processing relating to the prevention, investigation, detection or prosecution of criminal offenses or to the execution of criminal penalties or detention orders on behalf of the State, Article 112 of the 1978 Act provides that the data controller may only transfer data, or authorize the onward transfer of data already transferred, to a non-EU State when:

  • the transfer is necessary for the purpose of the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties;
  • the personal data is transferred to a controller established in that non-EU State or within an international organization which is a competent authority responsible for the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties;
  • if the personal data originates from another State, the State that transmitted the data has previously authorized this transfer in accordance with its national law;
  • as provided by Article 36 of Directive (EU) 2016/680 (the Law Enforcement Directive), an adequacy decision exists or, in the absence of such a decision, a legally binding instrument provides appropriate safeguards or, in the absence of both, the controller has assessed all the circumstances of the transfer and considers that such appropriate safeguards exist;
  • the specific derogations of Article 38 of the Law Enforcement Directive apply; or
  • the conditions of Article 39 of the Law Enforcement Directive (transfers to recipients that are not competent authorities) are fulfilled.

Regarding processing for State national security, defense or public security purposes, Article 123 of the 1978 Act provides that the data controller may transfer personal data only if:

  • the State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data;
  • the specific derogations provided by Article 49 of the GDPR apply; or
  • the transfer is authorized by a decree, issued after an opinion of the CNIL, where the processing guarantees an adequate level of protection of privacy and the fundamental rights and freedoms of individuals.

A new remedy was created for CNIL in relation to data transfers outside the EU, implementing the Court of Justice's judgment of 6 October 2015 in Maximillian Schrems v. Data Protection Commissioner (C-362/14, EU:C:2015:650): where a complaint is submitted against a controller or processor and CNIL considers the grievances regarding the protection of a data subject's rights and freedoms to be founded, in the context of data transfers to non-EU States or international organizations, CNIL may act as described below (Article 39 of the 1978 Act).

CNIL can request the Council of State, the highest administrative court in France in charge of reviewing CNIL's decisions, to suspend data transfers to an 'adequate' country outside of the EU.

Following the Court of Justice of the European Union (CJEU) decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (Schrems II) of 16 July 2020 invalidating the 'Privacy Shield', and the adoption by the European Commission of the new Standard Contractual Clauses on June 4, 2021, CNIL has published detailed guidance to assist data controllers in identifying and managing transfers of personal data outside the EU (only available in French here). CNIL also published several guides and recommendations for transfers of personal data to the United States.

Following the EU Commission's adequacy decision for the EU-US Data Privacy Framework (DPF), in which the EU Commission recognizes that the DPF ensures an adequate level of protection for personal data transferred from the EU to organizations in the US that are included in the Data Privacy Framework List (maintained and made publicly available by the U.S. Department of Commerce), CNIL has released an FAQ on US adequacy (only available in French here).

The CNIL clarifies that organizations subject to the GDPR (controllers or processors) may now transfer personal data to certified organizations that have made an annual and public commitment to adhere to the DPF without being required to set up a transfer tool under Article 46 of the GDPR or rely on a derogation under Article 49 of the GDPR. The CNIL also recalls that transfers to US organizations outside the EU-US DPF require appropriate safeguards, such as standard contractual clauses, or any other transfer tool listed in Article 46 of the GDPR. In these cases, it is the data exporters' responsibility to conduct a transfer impact assessment (TIA) that may be based on the analysis of US legislation conducted by the European Commission in its new adequacy decision.

In this regard, CNIL is drafting a TIA guide to establish a methodology, a checklist, which identifies various elements to be considered when carrying out a TIA.

CNIL has already published guidance on data transfers, such as regarding standard contractual clauses, and more recently on BCR, including how to prepare a BCR file and when and how to submit a BCR project to CNIL (only available in French here).

7.3. Data processing records

Articles 57 and 60 of the 1978 Act explicitly refer to Article 30 of the GDPR providing that the controller, processor and, where appropriate, their representative shall keep the data processing record under the conditions laid down in Article 30 of the GDPR.

Regarding processing for the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties or detention orders on behalf of the State, Article 100 of the 1978 Act provides that the controller and its processor shall keep a data processing record as provided by Article 30 of the GDPR, and that this record shall also contain a general description of the measures aimed at ensuring a level of security appropriate to the risk, an indication of the legal basis of the processing operation, including of the transfers for which the personal data are intended, and, where appropriate, the use of profiling.

7.4. Data protection impact assessment

National activities subject to prior consultation/authorization

According to Article 62 of the Act, the controller must carry out a DPIA prior to the processing of personal data in the conditions provided for in Article 35 of the GDPR.

In addition to the DPIA Blacklist published by CNIL, which indicates activities which are subject to the requirement of a DPIA, CNIL has adopted, through Deliberation No. 2019-118 of 12 September 2019 (only available in French here), its list of processing activities which are not subject to the requirement of a DPIA ('the DPIA Whitelist').

A DPIA must be conducted when the processing is likely to create a high risk to the rights and freedoms of the persons concerned.

Thus, generally, processing operations which fulfill at least two of the following criteria are subject to a DPIA:

  • assessment/scoring (including profiling);
  • automatic decision with legal or similar effect;
  • systematic monitoring;
  • collection of sensitive data;
  • collection of personal data on a large scale;
  • data crossing;
  • vulnerable persons (patients, elderly, children, etc.);
  • innovative use (use of a new technology); and
  • exclusion of the benefit of a right/contract.

For example, if a company sets up a system which monitors the activity of its employees, this data processing meets the criteria of systematic monitoring and that of data concerning vulnerable persons, therefore the implementation of a DPIA will be necessary.

The DPIA Blacklist specifies 14 types of processing for which a DPIA is required; CNIL selected them because each meets at least two of the above-mentioned criteria:

  • health data processing carried out by health or medico-social establishment for the care of individuals;
  • processing of genetic data from 'vulnerable' individuals (patients, employees, children, etc.);
  • processing operations establishing persons' profiles for human resources management purposes;
  • processing operations for the purpose of constantly monitoring the activity of the employees involved;
  • processing for the purpose of social and health alerts and reports management;
  • processing for the purpose of professional alerts and reports management;
  • processing of health data required for the establishment of a data warehouse or registry;
  • processing involving profiling of individuals which may result in their exclusion from the benefit of a contract, or in its suspension or rupture;
  • shared processing of observed contractual breaches which may lead to the exclusion or suspension from the benefit of a contract;
  • profiling processing using data from external sources;
  • processing of biometric data for the purpose of uniquely identifying a natural person, including 'vulnerable' individuals (students, elderly, patients, asylum seekers, etc.);
  • requests examination and social housing management;
  • processing for the purpose of providing social or medico-social support of individuals; and
  • processing of large-scale location data.

If it appears that the level of residual risk of the processing remains high after conducting the DPIA, the controller is required by Article 63 of the 1978 Act to consult CNIL before carrying out such processing.

Practical tools are available in English on CNIL's website, such as the PIA software mentioned above which helps with reusing DPIAs, and DPIA guides (templates, knowledge bases, methodology, and guides applicable to connected objects).

CNIL Guide on Carrying out a DPIA explains how and in which cases a DPIA is mandatory regarding AI systems. It includes guidance on conducting a DPIA for the development of AI systems, the risks to consider and the actions to be taken based on the results of the DPIA. For instance, CNIL indicates that among the above list of personal data processing, several may rely on AI systems, such as those involving profiling or automated decision-making: in this case, a DPIA is always required.

CNIL also considers that for the development of all the high-risk systems covered by the EU Artificial Intelligence Act (AI Act), conducting a DPIA will be presumed necessary when their development or deployment involves the processing of personal data. Furthermore, the CNIL considers that the development of a foundation model or a general-purpose AI system, given that their uses cannot be exhaustively identified in most cases, requires the completion of a DPIA when it involves the processing of personal data.

National activities not subject to prior consultation/authorization

A DPIA is not required in the following cases:

  • when processing does not present a high risk to the rights and liberties of data subjects;
  • when the nature, scope, context and purposes of the proposed processing are very similar to a processing for which an impact assessment has already been conducted;
  • where processing is legally required or necessary for the performance of a public service task (Article 6(1)(c) and (e) of the GDPR), provided that the following conditions are met:
    • it has a legal basis in EU or EU Member State legislation;
    • an impact assessment has already been conducted when this legal basis was adopted; and
    • this legislation regulates this processing operation; and
  • when the processing corresponds to an exception determined by CNIL in accordance with Article 35(5) of the GDPR.

Regarding this final exemption, CNIL's DPIA Whitelist specifies that the following types of processing, among others, do not require a DPIA:

  • processing implemented solely for human resources purposes and in accordance with the conditions laid down in the applicable texts, for the sole management of the staff of bodies employing fewer than 250 persons, with the exception of the use of profiling;
  • processing for the purpose of supplier relationship management;
  • processing implemented under the conditions provided for in the texts relating to the management of the electoral register of municipalities;
  • processing for the management of the activities of works councils and committees;
  • processing of health data necessary for the care of a patient by a health professional practicing in an individual capacity in a doctor's surgery, pharmacy or medical biology laboratory;
  • processing operations carried out for the sole purpose of managing physical access controls and timetables for the calculation of working time, without any biometric devices, with the exception of processing operations revealing sensitive or highly personal data; and
  • processing relating to breathalyzer tests, strictly regulated by a text and implemented in the context of transport activities for the sole purpose of preventing drivers from driving a vehicle under the influence of alcohol or drugs.

7.5. Data protection officer appointment

Article 57 of the 1978 Act provides that the controller shall appoint a DPO under the conditions of Chapter IV, Section 4 of the GDPR. Article 103 of the 1978 Act also provides for the mandatory appointment of a DPO, but only for competent authorities (i.e. any public authority or other body or entity entrusted with the exercise of prerogatives of public authority, such as the judicial authority, the police, and law enforcement authorities) processing personal data for the purposes of the prevention, investigation, or prosecution of criminal offenses or the enforcement of criminal convictions, when acting as controllers.

CNIL has issued guidance on the appointment of a DPO specifically for competent authorities (only available in French here).

The appointment of a DPO is one of the key points of compliance for CNIL. It has strongly encouraged French companies to appoint DPOs, even where the company is not under an obligation to do so under the GDPR's criteria.

The appointment of the DPO must be notified online to CNIL by filling out a form with the contact details of the controller (or processor) and of the DPO. The notification to CNIL can be done online in four steps, only available in French, here.

CNIL offers guidance on the role of the DPO (only available in French here).

Furthermore, Deliberation No. 2018-318 of 20 September 2018 Adopting the Criteria of the Standard of Qualification of the DPO (only available in French here) (Deliberation No. 2018-318) adopted the certification standard for DPOs, setting out a list of 17 competencies required to be certified as a DPO, including:

  • the DPO must understand the principles of, for example, lawful processing, data minimization, data accuracy, and data retention;
  • the DPO must be able to identify the legal basis of a processing activity;
  • the DPO must be able to organize and participate in data protection audits;
  • the candidate must know how to identify personal data breaches which require notification to CNIL and data subjects; and
  • the DPO must know whether or not it is necessary to carry out a DPIA.

Deliberation No. 2018-317 of 20 September 2018 Adopting the Criteria of the Reference Framework of Accreditation of Certification Bodies for the Certification of the Competences of the DPO (only available in French here) adopts the accreditation framework, setting out the criteria for organizations who wish to be certified by CNIL to certify DPOs according to the provisions of Deliberation No. 2018-318.

7.6. Data breach notification

Article 58 of the 1978 Act refers to Article 33 of the GDPR for data breach notification to CNIL.

The 1978 Act also provides an obligation of communication of the data breach to the data subject in accordance with Article 34 of the GDPR, and specifies that for processing necessary to comply with a legal obligation or regarding a task of public interest, this obligation may be waived when it is likely to constitute a threat to national security, national defense or public safety, in the cases provided for in Article 85 of the Implementing Decree, namely:

  • processing involving personal data likely to enable persons whose anonymity is protected to be directly or indirectly identified; and
  • processing of administrative, financial and operational management data, as well as processing of health data.

Sectoral obligations

The 1978 Act specifically requires providers of electronic communication services to document the breaches so CNIL can verify compliance and to notify a data breach to CNIL, as well as the data subject, except if CNIL finds that the controller has implemented appropriate protective measures to make the data concerned by the violation incomprehensible to any unauthorized person (Article 83 of the 1978 Act).

7.7. Data retention

There are no specific provisions regarding the timeframes for retaining data in the Act.

However, CNIL published, in July 2020, a practical guide on data retention periods (only available in French here) (the Practical Guide) detailing the main principles of personal data retention and providing practical advice on their implementation.

The Practical Guide does not provide a compilation of definite retention periods to be observed by controllers but gives guidance on how to determine the retention period of personal data where no law, regulation, or guideline provides a specific time frame. However, CNIL regularly provides guidelines or recommends good practices regarding retention periods for specific processing. For instance, in its recommendation on the use of cookies and tracking devices (only available in French here), CNIL considers it good practice to renew the user's consent every six months, and that the lifetime of audience measurement trackers should not exceed 13 months.
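A practitioner auditing a site against the 13-month recommendation above will usually want to check it from the HTTP responses themselves rather than from the cookie policy. The following is an added example, not code from the page or from CNIL: it parses `Set-Cookie` header values (Max-Age takes precedence over Expires, as in RFC 6265) and flags cookies whose lifetime exceeds a limit. The 395-day figure is an assumption standing in for "13 months", and the sample headers are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Assumption: CNIL's "13 months" for audience-measurement trackers is
# approximated as 395 days for the purpose of this check.
MAX_LIFETIME = timedelta(days=395)


def cookie_lifetime(set_cookie: str, now: datetime) -> tuple[str, Optional[timedelta]]:
    """Return (cookie name, lifetime) for one Set-Cookie header value.

    A lifetime of None means a session cookie (neither Max-Age nor Expires).
    Per RFC 6265, a valid Max-Age wins over Expires when both are present;
    malformed attribute values are ignored, as browsers do.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age: Optional[timedelta] = None
    expires: Optional[datetime] = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age":
            try:
                max_age = timedelta(seconds=int(value))
            except ValueError:
                pass
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError, IndexError):
                pass
    if max_age is not None:
        # A negative Max-Age deletes the cookie: lifetime zero.
        return name, max(max_age, timedelta(0))
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, max(expires - now, timedelta(0))
    return name, None


def audit_cookies(headers: list[str], now: datetime,
                  limit: timedelta = MAX_LIFETIME) -> list[str]:
    """Return the names of cookies whose lifetime exceeds `limit`.

    Session cookies are never flagged: their lifetime is bounded by the
    browser session, not by the server.
    """
    too_long = []
    for header in headers:
        name, lifetime = cookie_lifetime(header, now)
        if lifetime is not None and lifetime > limit:
            too_long.append(name)
    return too_long


# Constructed sample headers for the example (not captured from any real site).
SAMPLE_HEADERS = [
    "_ga=GA1.2.1; Max-Age=63072000; Path=/; Secure; SameSite=Lax",   # 2 years
    "_pk_id=abc; Max-Age=33696000; Path=/",                          # 390 days
    "session=xyz; Path=/; HttpOnly; Secure",                         # session cookie
    "consent=1; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",      # ~3 months
]
# Fixed reference time so the Expires arithmetic is reproducible.
FIXED_NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name in audit_cookies(SAMPLE_HEADERS, FIXED_NOW):
        print(f"{name}: lifetime exceeds {MAX_LIFETIME.days} days")
```

The check only looks at the declared lifetime; a tracker that is re-set on every visit effectively lives forever, so in a real audit the same headers should be compared across several responses to the same client.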

In addition, where CNIL publishes standards, it also gives guidance on applicable retention periods (the list is only available in French here). For example, the standard on processing of personal data for the purposes of commercial activities (only available in French here) provides that customer personal data used for direct marketing purposes may be kept until the end of the commercial relationship and then for a period of three more years or until the data subject withdraws their consent.

In particular, CNIL recommends assessing the retention period or the criteria for determining it with regard to the purposes of processing (e.g., the duration of the business relationship) and to keep documentation justifying this assessment. To this end, it provides an analysis grid to identify reasonable durations for each retention phase of personal data (i.e., current use, intermediate archiving and, where applicable, definitive archiving).

7.8. Children's data

Although this provision was the subject of lengthy parliamentary debates, the 1978 Act lowers the age of valid consent by a child from 16 to 15 years old in relation to the offer of information society services (Article 45 of the 1978 Act). Other processing, such as processing necessary for the performance of an online contract with a minor, falls outside these provisions, because it does not come within the definition of information society services in Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998 amending Directive 98/34/EC laying down a Procedure for the Provision of Information in the field of Technical Standards and Regulations.

When the individual is younger than 15, consent will need to be provided jointly by the minor and their parent.

Controllers are also subject to an obligation to inform such minors, in wording adapted to their age, since children must be made aware of the risks of using the internet, notably when they create an account on social networks.

The new threshold of 15 years of age reflects a wish to harmonize French legislation generally, since it already corresponds to the age of sexual consent and to the age from which health data can be included in surveys.

On August 9, 2021, CNIL published Recommendations on the protection of minors online. These recommendations pursue the following objectives:

  • regulating the ability of minors to act online;
  • encouraging minors to exercise their rights;
  • supporting parents in educating minors about digital matters;
  • seeking parental consent for minors under the age of 15;
  • promoting parental control tools that respect the minor's privacy and best interests;
  • strengthening the information and rights of minors through design;
  • verifying the age of the minor and parental consent in a way that respects the child's privacy; and
  • providing specific safeguards to protect the interests of the child.

For each of these objectives, CNIL has adopted dedicated recommendations and has recently published numerous educational materials for children, their parents and teachers, including games and short videos. On January 20, 2022, CNIL also published a standard relating to the processing of personal data commonly carried out by organizations in the context of the social, medico-social, educational, and/or judicial support they provide to minors and young adults under twenty-one years old (only available in French here).

7.9. Special categories of personal data

Article 6 of the 1978 Act provides that it is prohibited to process the following sensitive data: personal data revealing the alleged racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of a natural person or to process genetic or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning the sex life or sexual orientation of a natural person.

As an exception, Article 6 provides that these sensitive data can be processed in the cases mentioned in Article 9(2) of the GDPR and for processing justified by public interest and duly authorized.

In addition, Article 44 of the 1978 Act provides that Article 6 of the 1978 Act does not apply for:

  • processing necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services and carried out by a member of a health profession, or by another person bound by an obligation of professional secrecy by virtue of their duties;
  • statistical processing carried out by the French National Institute of Statistics and Economic Studies (Insee) or one of the ministerial statistical offices;
  • processing of health data justified by the public interest and complying with Section 3 of Chapter III of the 1978 Act dedicated to processing of personal data in the health field;
  • processing in accordance with CNIL standard regulations implemented by employers or administrations regarding biometric data strictly necessary to control access to workplaces, and to devices and applications used by the employees;
  • processing of public information contained in court decisions; and
  • processing necessary for public research, if carried out for an important public interest purpose.

Furthermore, for some specific data, the government chose to use the room for maneuver allowed by the GDPR and set a specific regime for its processing.

Regarding the processing of genetic or biometric data carried out on behalf of the State for the authentication or control of the identity of individuals, Article 32 of the 1978 Act provides that authorization by a decree adopted after consultation of the Council of State (décret en Conseil d'État) is required, issued after a reasoned opinion of CNIL.

An authorization procedure applies to health data processing (Article 66 of the 1978 Act), except for health alerts in emergency situations (Article 67 of the 1978 Act), and to processing for research, study or evaluation purposes in the health field (Article 73 of the 1978 Act) that does not comply with CNIL's reference methodologies and model regulations, which may be established with the National Institute of Health Data; a simple declaration attesting compliance with these instruments suffices to implement such processing.

Section 3 of Chapter III, Title II of the 1978 Act provides that CNIL's authorization must be given within two months, failing which it is deemed granted unless the two-month period has been extended (Article 66 of the 1978 Act), and that controls will be carried out with an audit committee set up at the initiative of the government (Article 77 of the 1978 Act).

In addition, the regime includes specific provisions regarding minors aged 15 or over, who may in particular object to the holders of parental authority having access to data concerning them collected in the course of research, studies, or evaluations in the health field, or being informed of such processing, in the cases provided for in Article 70 of the Act.

Social security number (NIR)

As per Article 30 of the Act, Decree No. 2019-341 of 19 April 2019 on the Implementation of Processing Operations Involving the Use of the Registration Number in the National Directory of Identification of Natural Persons or Requiring the Consultation of this Directory (only available in French here) (the NIR Decree) lists categories of controllers and purposes allowed regarding processing activities using the NIR. It includes notably the following:

  • social protection bodies, for the fulfillment of their tasks in the field of social protection, including where the use of the registration number in the national identification register of natural persons is necessary for the performance of assessments, studies, statistics, and research, or for the implementation of exchanges or processing involving several social protection actors;
  • the National Public Health Agency, for the management and follow-up of health alerts; and
  • companies, in order to fulfill their reporting obligations requiring the use of the registration number in the national identification register for natural persons, and for the automated processing of payroll and personnel management resulting from legal or regulatory provisions and collective agreements concerning declarations, calculation of contributions and payments to dedicated organizations.

The CNIL has also published guidance on the NIR Decree (only available in French here).

In December 2020, CNIL published a practical guide on the modalities for the circulation of NIR for health research for the purpose of data matching with the National Health Data System (only available in French here). Recently, CNIL supplemented this guide with additional practical sheets (only available in French here).

Criminal conviction and offense data

Data relating to criminal convictions and offenses is dealt with by Article 46 of the Act. Such processing can be implemented by:

  • courts, public authorities, and legal persons managing a public service;
  • auxiliaries of justice (such as mediators or experts) for the strict exercise of their functions, as well as entities collaborating with judicial entities;
  • natural or legal persons, for the purpose of enabling them to prepare and, where appropriate, to initiate and follow legal proceedings as victims, defendants or on their behalf and to enforce the decision rendered;
  • associations providing assistance to victims under agreement with the Ministry of Justice;
  • collective management organizations acting in respect of the intellectual property rights they manage, or on behalf of victims of intellectual property rights violations; and
  • re-users of public information contained in court decisions, provided that processing is neither intended to nor has the effect of allowing the reidentification of the persons concerned.

With respect to the final point, Law No. 2016-1321 of 7 October 2016 for a Digital Republic (only available in French here) (the Digital Republic Act) already imposed the implementation of a prior study in order to verify the possibility of reidentifying persons when the data is communicated.

In addition, Article 76 of the Decree of 29 May 2019 extended the list of persons authorized to process these categories of personal data including to:

  • associations providing assistance for the reintegration of individuals placed under the authority of the justice system;
  • educational, social or medico-social support institutions;
  • public or private educational institutions, boarding schools and all authorized structures supporting juvenile delinquents; and
  • judicial representatives designated for the protection of adults.

7.10. Controller and processor contracts

Article 60 of the 1978 Act explicitly refers to Article 28 of the GDPR providing that the processing carried out by a data processor shall be governed by a contract or any legal act binding the data processor and the data controller, in a written form, complying with the conditions laid down in Article 28 of the GDPR.

Regarding processing concerning State security and defense, according to Article 122 of the Act, the contract between the data processor and the data controller must contain an indication of the obligations of the data processor with regard to the protection of the security and confidentiality of the data and must provide that the data processor may only act on the instructions of the data controller.

8. Data Subject Rights

8.1. Right to be informed

Article 48 of the 1978 Act expressly refers to Articles 12 to 14 of the GDPR for the conditions under which the right to information applies.

These articles list the information that the controller shall give to data subjects when personal data is collected directly from them or collected indirectly.

In addition to the information provided for in Articles 13 and 14 of the GDPR, Article 48 of the 1978 Act also provides that the controller shall inform the data subject of the right to define guidelines on the fate of their personal data after death.

However, this right to information can be limited. Besides the limitations provided for in the GDPR, data subjects' right to information is limited by the 1978 Act when:

  • processing is carried out for the purposes of journalism or literary and artistic expression (Article 80 of the 1978 Act);
  • processing is carried out for the purposes of prevention, investigation, and prosecution of criminal offenses in the conditions of Articles 107 and 108 of the Act;
  • processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the 1978 Act); and
  • regarding the indirect collection of personal data, when:
    • processing is carried out for archival purposes in the public interest, for scientific or historical research or for statistical purposes, when the data was originally collected for another purpose (Article 79 of the 1978 Act);
    • processing is carried out on behalf of the State and is relevant to public security, or by public administration to check or recover taxes, or to check on the activities of legal and natural persons which may lead to the detection of an infringement or failure, an administrative fine or penalty (Article 48 of the Act, in application of Article 23 of the GDPR); and
    • personal data is transmitted by an administrative authority to an intelligence service. In this case, data subjects are not entitled to be informed of this transmission (this exception was added to Article 48 of the 1978 Act by Law No. 2021-998 of 30 July 2021 on the prevention of acts of terrorism and intelligence).

8.2. Right to access

Variations within the 1978 Act on the GDPR's right to access consist of the following.

For processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, according to Article 52 of the Act, the right of access shall be addressed to the CNIL.

For processing carried out by the financial courts in the context of their non-judicial tasks as provided for by the Code of Financial Courts (only available in French here), Article 52 of the 1978 Act provides that the right of access may be restricted under the conditions laid down in Article 23(1)(e) and (h) of the GDPR.

Regarding health data, Article 64 of the 1978 Act provides that such data is to be communicated to the data subject, according to their choice, directly or through the intermediary of a doctor whom they designate for this purpose, in compliance with the provisions of Article L. 1111-7 of the Public Health Code (only available in French here). Article L. 1111-7 of the Public Health Code provides that, if no exceptions apply, the data must be communicated to the data subject no later than eight days after their request and no sooner than after a 48-hour period of reflection has been observed, and that a specific condition applies for minors.

Regarding the processing relating to the prevention, investigation, detection, or prosecution of criminal offenses or to the execution of criminal penalties or detention orders on behalf of the State, except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the 1978 Act provides that the data controller may refuse or limit the data subject's right of access if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for:

  • avoiding hindering investigations, enquiries, or administrative or judicial proceedings;
  • avoiding hindering the prevention, detection, investigation, or prosecution of criminal offenses or the execution of criminal sanctions; and
  • protecting public security, national security, and the rights and freedoms of others.

In this case, the data controller shall inform the data subject, as soon as possible, of any refusal or limitation of access as well as the reasons for the refusal or limitation, except if this communication risks compromising one of the purposes set out above.

Regarding processing relating to State security and defense, Article 118 of the 1978 Act provides that requests to exercise the right of access are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defense or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of access may be exercised by the data subject with the controller directly.

8.3. Right to rectification

Regarding the right to rectification, Article 50 of the 1978 Act explicitly refers to Article 16 of the GDPR.

Variations within the 1978 Act on the GDPR's right to rectification consist of the following.

According to Article 52 of the Act, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, the right of rectification shall be addressed to CNIL.

Regarding the processing relating to the prevention, investigation, detection, or prosecution of criminal offenses or to the enforcement of criminal convictions or detention orders on behalf of the State, Article 106 of the 1978 Act provides that the data subject has the right to obtain from the data controller, as soon as possible, the rectification of any inaccurate personal data concerning them.

The data controller shall:

  • inform the data subject of any refusal to rectify and the reasons for the refusal;
  • communicate the rectification of inaccurate personal data to the competent authority from which the data originated; and
  • notify the recipients.

Except where the personal data are contained either in a judicial decision or in a judicial file being processed in the course of criminal proceedings, Article 107 of the 1978 Act provides that the data controller may refrain from informing the person of the refusal to rectify personal data or of the reasons for this decision, if and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society for (i) avoiding hindering investigations, enquiries or administrative or judicial proceedings; (ii) avoiding hindering the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal sanctions; or (iii) protecting public security, national security, and the rights and freedoms of others.

The data controller shall inform the data subject of the possibility of exercising their rights through CNIL or through legal recourse.

Regarding processing relating to State security and defense, Article 118 of the 1978 Act provides that requests to exercise the right of rectification are addressed to CNIL. Where CNIL finds, in agreement with the controller, that the communication of the data contained therein does not harm its purposes, State security, defense or public security, such data may be communicated to the applicant. However, according to Article 119 of the Act, where the processing involves information the disclosure of which would not harm the purposes for which it is intended, it may be provided that the right of rectification may be exercised by the data subject with the controller directly.

8.4. Right to erasure

Article 51 of the 1978 Act expressly refers to Article 17 of the GDPR for the implementation of the right to erasure.

Nevertheless, this right is subject to the limitations provided in Article 17 of the GDPR and additional limitations provided for in the Act:

  • Article 106 (III) of the Act, regarding processing for the purposes of prevention, investigation, and prosecution of criminal offenses, provides that instead of deleting, the controller is entitled to only limit the processing in certain cases.
  • Article 52 of the 1978 Act provides that, for processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to check or recover taxes, requests to exercise the right to erasure must be addressed to CNIL; the same applies, under Article 118 of the Act, to processing relating to State security and defense.

Under the Act, the right to erasure can be invoked in the context of processing for journalistic, artistic, or academic purposes, contrary to what is provided in Article 17(3)(a) of the GDPR. However, in the event of such a contradiction, Article 17 of the GDPR prevails, thus removing the right to erasure for processing with these specific purposes.

Besides, Article 51 of the 1978 Act contains specific provisions for the right to erasure when the data subject was a minor (i.e., under 18 years old) at the time of the data collection.

This provision deals specifically with the right to erasure in respect of personal data relating to children that is processed in the context of online services, also provided for in Article 17 of the GDPR referring to Article 8. The effect is that any request for erasure in that particular context, and any complaint handling process, will be dealt with under the Act, and not under Article 17 of the GDPR.

Finally, Article 51 of the 1978 Act provides that the data subject is entitled to refer to CNIL the non-execution of the deletion of personal data.

Regarding the right to de-referencing, the Council of State acknowledged the CJEU judgments (Google LLC v. CNIL C‑507/17 and GC and others v. CNIL C‑136/17) of 24 September 2019 and rendered several decisions (13 decisions dated December 6, 2019) (only available in French here) according to which (i) the right to de-referencing applies to the European territory, and (ii) when a request for de-referencing relates to sensitive data (including political opinions, religious or philosophical beliefs or sex life, as well as criminal conviction data), a balance must be sought between the fundamental rights of the person requesting such de-referencing and those of internet users potentially interested in that information. The Council of State further published a legal note setting out the conditions applicable to the right to be forgotten.

8.5. Right to object/opt-out

The 1978 Act provides that the right of the data subject to object to processing can be exercised under the conditions of Article 21 of the GDPR (Article 56 of the 1978 Act).

Consequently, the 1978 Act is in line with the reduced scope of exercise of this right provided for by the GDPR. Indeed, whereas the right under Article 21 of the GDPR only applies to personal data processed under the 'legitimate interest' or 'public interest grounds' (though individuals can withdraw their consent to processing at any time, which is effectively also a right to object to processing based on consent), the 1978 Act used to provide, in its former version, that this right applied to personal data processed on the basis of all grounds other than the 'legal obligation' ground.

Moreover, the reduction in the scope of exercise of this right is also reflected in the exceptions to it, extended by the amended version of the Act. According to Article 56 of the Act, the right to object cannot be exercised where the processing is legally required, or where there is an overriding express provision authorizing the processing, in addition to the 'compelling legitimate interest' exception provided for in the GDPR (except in the case of marketing, where the right to object is absolute).

8.6. Right to data portability

The 1978 Act does not implement any variation from the GDPR on the right to data portability, as it expressly refers to Article 20 of the GDPR (Article 55 of the 1978 Act).

8.7. Right not to be subject to automated decision-making

Article 47 of the 1978 Act expressly prohibits any court decision involving an assessment of a person's conduct from being based on automated processing of personal data intended to evaluate certain aspects of the person's personality.

Article 47 of the 1978 Act also provides that no decision which has legal effects on or significantly affects a person may be taken solely on the basis of automated processing of personal data, including profiling. However, according to Article 47 of the Act, and excluding the event where the administration decides on an administrative appeal, this last prohibition is subject to the following exceptions:

  • the exceptions provided for in Article 22 of the GDPR; and
  • individual administrative decisions taken in compliance with French legislation, provided that the processing does not involve sensitive data referred to in Article 6 of the Act, and that the controller ensures that the algorithmic processing and its developments are controlled in order to be able to explain to the data subject the way in which the processing has been carried out.

There are no such limitations regarding processing relating to State security and defense (Article 120 of the 1978 Act) and processing for the purposes of prevention, investigation, and prosecution of criminal offenses (Article 95 of the 1978 Act). Article 95 of the 1978 Act adds that any profiling that discriminates against natural persons on the basis of special categories of personal data is prohibited.

8.8. Other rights

Right to restriction of processing

The 1978 Act does not implement any variation from the GDPR on the right to restriction of processing, as it expressly refers to Article 18 of the GDPR (Article 53 of the 1978 Act).

Right of deceased individuals

While, as a matter of principle, Article 84 of the 1978 Act provides that the data subject's rights expire upon their death, Article 85 of the 1978 Act, as introduced by the Digital Republic Act, grants some additional rights in respect of the deceased. It allows data subjects to provide guidelines as to the fate of their data after death (erasure/retention of data or communication to a third party). Even though it initially targeted social media companies, it applies to every organization. A person can be designated to carry out these instructions, and thus has authority, upon the death of the data subject, to read the guidelines and request their implementation by the concerned controller. These guidelines can be general (where they relate to all data concerning the data subject) or specific (where they only concern specific data processing operations):

  • general guidelines can be entrusted to a trusted third party which will be certified by CNIL; or
  • special guidelines can also be entrusted to controllers (social networks, online messaging, etc.) in the event of death; they are subject to the specific consent of the data subject and may not result solely from the latter's approval of the general conditions of use.

In the absence of guidelines, the heirs have the possibility to exercise certain rights, including the right of access, if necessary, to settle the deceased's estate.

9. Penalties

The 1978 Act specifies the formal powers of CNIL, and its Restricted Committee and/or chairperson, to take corrective actions and impose sanctions in case of breach by controllers or processors of their obligations under the GDPR or the Act, or against a certification body (Articles 20 to 23 of the 1978 Act).

Whereas the sanction procedure under the previous regime was conducted in two steps (an optional notice phase followed by an adversarial sanction phase), CNIL's chairperson or Restricted Committee can now carry out actions and impose sanctions, when there is a need to act in order to protect the rights and liberties of data subjects, in the following graduated manner (Article 20 of the 1978 Act):

  • initial warning;
  • formal notice to comply within a certain period; and

if the controller/processor is still in breach, it can:

  • issue a call to order;
  • issue an injunction to comply with the GDPR or the 1978 Act (under penalty of up to €100,000 per day of delay);
  • order a temporary or definitive restriction on processing;
  • revoke a certification or issue an order to the certifying body to refuse or to withdraw the certification that has been granted;
  • prohibit processing or withdraw an authorization under the GDPR or the Act;
  • suspend data flows to a third country or international organization; and/or
  • suspend partially or totally the approval of BCRs.

Pursuant to Article 20 of the Act, coercive actions and financial sanctions need not always be preceded by a formal notice. This principle was confirmed by the Council of State in a decision dated October 9, 2020, and applied by the CNIL against Le Figaro, as stated in the decision of 27 July 2021 imposing a financial penalty of €50,000 for violations relating to the use of cookies.

Furthermore, Act No. 2022-52 of 24 January 2022 relating to criminal liability and internal security (only available in French here) (Act No. 2022-52) has introduced a new Article 22-1 into the 1978 Act which sets forth a simplified enforcement procedure. This simplified procedure may only be initiated by the chairman of the Restricted Committee if the following conditions are met, taking into consideration the seriousness of the breaches observed:

  • the chairman of the Restricted Committee considers that the following corrective measures are appropriate:
    • call to order; and/or
    • injunction to comply with the GDPR or the Act, provided that it does not exceed €100 for each day of delay; and/or
    • administrative fine pursuant to the GDPR or the 1978 Act, provided that the fine does not exceed €20,000; and
  • the chairman of the Restricted Committee considers that the case does not present any particular difficulty, in light of the established case law or previous decisions issued by the Restricted Committee.

Corrective actions and sanctions can also be carried out and/or imposed in case of urgency, such as temporary interruption of processing, restriction of processing and suspension of the controller/processor's certification, and the new power to request an urgent opinion or a binding decision from the EDPB (Article 21(III) of the 1978 Act). However, in practice, CNIL rarely applies large sanctions and prefers a more cooperative approach, discussing with the controller/processor and working with them towards compliance.

The 1978 Act provides for the possible publication of sanctions in newspapers or other media, as a sanction, at the expense of the breaching party, and where, for instance, a high number of data subjects is involved (Article 22 of the 1978 Act).

It should also be noted that the 2018 Ordinance added to the arsenal of criminal offenses of the 1978 Act the fact of obstructing the action of CNIL, now punishable by a €15,000 fine (multiplied by five for legal entities) and one year's imprisonment (Article 226-22-2 of the Penal Code).

Furthermore, any administrative fine imposed by CNIL may be deducted from a criminal fine imposed by a French criminal judge in a pending similar procedure.

The GDPR provides for a €20 million cap or 4% of global turnover, for acts committed after May 25, 2018. Article 20 of the 1978 Act now provides for fines up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. In addition, controllers became obligated to individually inform data subjects of such sanction, and CNIL started being able to impose financial penalties without prior notice where the violation could not be brought into conformity.

Finally, the last paragraph (IV) of Article 20 of the Act, added by Act No. 2022-52, provides that when a case has been referred to the Restricted Committee, the chairman may order the respondent to produce the elements requested by the CNIL and, if the respondent has failed to respond to a previous formal notice, a penalty which may not exceed €100 per day of delay may also be imposed.

Class action

The 1978 Act provides for an individual compensation procedure in relation to class actions (Article 37 of the 1978 Act). Class actions for consumer and competition law breaches were implemented in 2014 and their scope was extended in 2016 to other matters including personal data protection, discrimination, labor law, environmental law and health.

Therefore, although data protection class actions are not new under French law, their scope was limited before the GDPR as they were only aimed at stopping a breach and did not provide for the possibility for data subjects to claim compensation. Such compensation claims are now possible in court under the GDPR regime; Chapter 1 of Title V of Act No. 2016-1547 (only available in French here) and Chapter X of Title VII of Book VII of the Code of Administrative Justice (only available in French here) provide the procedural provisions dealing with class actions brought before a competent civil or administrative court.

The class of individuals who can bring an action is limited to:

  • certain privacy associations, provided they have been 'regularly declared' (i.e. they have made the necessary declaration to the relevant prefecture of their title, object, and registered offices, as well as information on the persons responsible for their administration);
  • consumers' associations (where the processing of the personal data affects consumers); and
  • employees or civil servants' trade union representatives.

In addition, the class of individuals who can bring an action includes organizations whose purpose relates to the protection of rights and freedoms or involves the defense of interests in relation to the purposes of the contentious processing (Article 38 of the 1978 Act), but only for the exercise of the data subjects' rights.

The judge may order, upon request during trial, a collective liquidation damages procedure, or, after trial, an individual compensation procedure. Persons wishing to be compensated must belong to the class and apply individually by addressing a request to the person found liable or, if he or she has not responded to that request, to the claimant, who is then mandated to bring the matter before the judge for compensation. Individual compensation can also be obtained through mediation.

9.1. Enforcement decisions

CNIL has issued various enforcement actions, which include the following, among others.

On January 21, 2019, CNIL imposed a financial penalty of €50 million against Google LLC, in accordance with the GDPR, for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising. On June 19, 2020, the Council of State dismissed the complaints against it and validated CNIL's decision (only available in French here).

On November 18, 2020, CNIL imposed financial penalties of €2,250,000 and €800,000 against Carrefour France and Carrefour Banque respectively for various violations of the GDPR (both only available in French here and here).

On December 7, 2020, CNIL imposed a financial penalty for a total of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED for failure to obtain users' prior consent before placing advertising cookies and lack of information on the use of search engine google.fr (only available in French here).

On July 20, 2021, CNIL imposed a financial penalty of €1.75 million on AG2R La Mondiale Group for failing to comply with obligations relating to retention periods and information to individuals (only available in French here).

On July 26, 2021, CNIL imposed a financial penalty of €400,000 on Monsanto for failure to inform data subjects of the processing of their data for lobbying purposes (only available in French here).

On December 31, 2021, CNIL imposed two financial penalties of (1) €150 million on GOOGLE LLC and GOOGLE IRELAND LIMITED (courtesy translation available here) and (2) €60 million on FACEBOOK IRELAND LIMITED (courtesy translation available here) for failure to comply with the regulation on the use of cookies, including data subjects' consent and consent withdrawal and the obligation to inform individuals on the use of cookies.

On June 23, 2022, CNIL imposed a financial penalty of €1 million on TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE for failure to comply with its obligations regarding direct marketing (right to object) and to respect data subjects' rights to information, right of access and right to object (only available in French here).

On October 17, 2022, CNIL imposed a financial penalty of €20 million against CLEARVIEW AI for unlawful processing of personal data, failure to respect individuals' rights and lack of cooperation with CNIL. In addition, the CNIL issued an order to cease collecting and using data on individuals in France without a legal basis and delete the data already collected. CNIL added to this injunction a penalty of €100,000 per day of delay (courtesy translation available here).

On December 19, 2022, CNIL imposed a financial penalty of €60 million against MICROSOFT IRELAND OPERATIONS LIMITED, in particular for failing to implement a mechanism that allows data subjects to refuse cookies as easily as to accept them (only available in French here).

On December 29, 2022, CNIL imposed a financial penalty of €3 million against VOODOO, a smartphone games publisher, for using a technical identifier for advertising purposes without the user's consent (only available in French here).

On June 15, 2023, CNIL imposed a financial penalty of €40 million against CRITEO, a digital marketing company, in particular for failing to ensure that its partners (e.g. publishers) obtained consent from their users for the use of Criteo's cookie (only available in French here).

On October 12, 2023, CNIL imposed a financial penalty of €600,000 against GROUPE CANAL+ in particular for failing to comply with its obligations regarding commercial prospecting and to facilitate the exercise of data subjects' rights (including the right to be informed and data subjects' access right) (only available in French here).

On December 27, 2023, CNIL imposed a financial penalty of €32 million against AMAZON FRANCE LOGISTIQUE, for setting up an excessively intrusive system for monitoring employee activity and performance. The company was also fined for video surveillance without information or sufficient security (only available in French here).

On December 29, 2023, CNIL imposed a financial penalty of €10 million against YAHOO EMEA LIMITED in particular for failing to respect the choice of Internet users who refused cookies on its 'Yahoo.com' website and for not allowing users of its 'Yahoo! Mail' messaging service to freely withdraw their consent to cookies (only available in French here).