Legislative framework
The legislative framework for the protection of PII in France is one of the oldest in Europe, being based on the Law on Computer Technology and Freedom of 6 January 1978 (LIL). This law has been amended several times, and especially by:
- Law No. 2004-801 of 6 August 2004 to implement the provisions of Directive 95/46/EC;
- Law No. 2016-1321 of 7 October 2016, which anticipates the implementation of certain provisions of Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR);
- Law No. 2018-493 of 20 June 2018, which implements the GDPR in France and further amends the LIL; and
- Ordinance No. 2018-1125 of 12 December 2018 and Decree No. 2019-536 of 29 May 2019, which complete at the legislative level the compliance of the national law with the GDPR and redraft the LIL for better readability and understanding of the law.
As a regulation, the GDPR has been in effect in France since 25 May 2018.
Further, the following international instruments on privacy and data protection also apply in France:
- Council of Europe Convention 108 on the protection of privacy and trans-border flows of personal data;
- the European Convention on Human Rights and Fundamental Freedoms (article 8 on the right to respect for private and family life);
- the Charter of Fundamental Rights of the European Union (article 7 on the right to respect for private and family life and article 8 on the right to the protection of personal data);
- European Data Protection Board guidelines; and
- Directive 2002/58/EC on privacy and electronic communications (for cookies).
Data protection authority
The data protection authority in France is the National Commission for Data Protection and Liberties (CNIL). The CNIL is an independent public body entrusted with the following powers.
Control and investigation powers
The CNIL is vested with investigation and control powers that allow its staff to access all professional premises, to request on the spot all necessary documents and to take a copy of any useful information. CNIL staff can also access any computer programs linked to the processing of PII and the recorded information. The CNIL can also conduct a documentary control, in which a letter accompanied by a questionnaire is sent to a PII controller or processor to assess the conformity of the processing operations they carry out, or an online investigation, in particular by consulting data that are freely accessible or made directly accessible online, including under a fake identity.
Each of these controls can be used in a complementary manner.
A statement is drawn up at the end of the inspection, listing all the information gathered by the inspectors and the observations they have made.
The audited company may not invoke professional secrecy to justify any refusal to allow CNIL auditors access to computer programs or to communicate documents to them, unless the data is related to correspondence between a lawyer and his or her client, or is covered by the secrecy of journalistic processing.
In 2020, the CNIL carried out 6,500 investigative acts, including 247 formal control procedures.
In 2021, the CNIL focuses its inspection activities on three priority areas: website cybersecurity, health data security and the use of cookies. According to the CNIL, these three themes will represent around 20 per cent of the formal control procedures that will be carried out in 2021. As in previous years, controls will also be initiated following:
- complaints and claims addressed to the CNIL;
- topical issues requiring the control of the processing implemented; and
- corrective measures (formal notices and sanctions, etc) requiring new checks.
Powers of sanction
Since the GDPR came into force, the maximum penalty that the CNIL can pronounce has been increased from €150,000 to €20 million or 4 per cent of worldwide turnover for companies.
The CNIL can now compel sanctioned entities to inform each data subject individually of this sanction at their own expense.
The fine of €50 million pronounced by the CNIL against Google for not properly informing its users on how data is collected across its services to present personalised advertisements is a prime example of the strengthening of its financial sanctioning power.
In 2019, decisions rendered by the CNIL showed it can deviate from its classic approach and impose financial penalties against defaulting companies without prior formal notification.
Indeed, on 25 July 2019, the CNIL imposed a fine of €180,000 on Actives Assurances, an insurance intermediary specialising in the online distribution of automobile insurance contracts, for having insufficiently protected the data of the users of its website.
Within the framework of this power of sanction, the entry into force of the GDPR has broadened the CNIL's range of sanctions. Three decisions taken at the end of 2020 are quite significant on this subject and are based on non-compliance with both the GDPR and the provisions of the LIL, particularly on the issue of cookies.
After receiving several complaints, the CNIL imposed financial penalties against two companies of the Carrefour group for GDPR infringements concerning the information given to individuals and, in particular, with respect to their rights, imposing a penalty of €2,250,000 against Carrefour France and €800,000 against Carrefour Banque. However, the CNIL did not issue an injunction to comply, since it noted that significant efforts had already been made to address the infringements.
On 7 December 2020, the CNIL’s restricted panel fined Google LLC and Google Ireland Limited a total of €100 million for having placed advertising cookies on the computers of users of the search engine google.fr without prior consent or satisfactory information.
On 10 December 2020, the CNIL also fined Amazon Europe Core a total of €35 million for having deposited advertising cookies with no prior consent and satisfactory information (article 82 of the LIL).
In the Actives Assurances case, a client of the company discovered that he could easily access the personal data of other clients from his account. He alerted the CNIL, which carried out an online check. That same day, the CNIL alerted Actives Assurances to this data breach and requested that the company address it, without this request being a prior formal notification. A few days later, when the company informed the CNIL that measures had been taken, a new onsite inspection revealed that the measures were not sufficient to secure the personal data in question. The CNIL considered that Actives Assurances had failed to comply with its security obligation under article 32 of the GDPR and pronounced a fine of €180,000.
This is not an isolated case. On 28 May 2019, the CNIL issued a fine of €400,000 against Sergic, a real estate company, for data security breaches and non-compliance with the data retention period under the GDPR.
Regulatory powers
The CNIL's powers have recently been extended: it must be consulted on every bill or decree related to data protection and processing, and its opinions are automatically published.
The CNIL is also entrusted with the power to certify, approve and publish standards or general methodologies to certify the compliance of personal data anonymisation processes with the GDPR, notably for the re-use of public information available online.
Cooperation with other data protection authorities
If the owner or processor of PII carries out cross-border processing, either through multiple establishments in the European Union or from a single establishment, the supervisory authority of the main or single establishment acts as the lead authority in respect of that cross-border processing.
As the lead authority, the CNIL must cooperate with the data protection authorities of other EU member states where the owner or the processor is established, where data subjects are substantially affected, or to which a complaint has been made. Specifically, the CNIL must provide information to other data protection authorities, and it can seek mutual assistance from them and conduct joint investigations with them on their territory.
More generally, the CNIL is required to assist other data protection authorities in the form of information or carrying out ‘prior authorisations and consultations, inspections and investigations’. The European Commission can specify forms and procedures for mutual assistance. The CNIL could also participate in joint investigation and enforcement operations with other data protection authorities, particularly when a controller has an establishment on its territory or a significant number of its data subjects are likely to be substantially affected.
Breaches of data protection
Failure to comply with data protection laws can result in complaints, data protection authority investigations and audits, administrative fines, penalties or sanctions, seizure of equipment or data, civil actions (including class actions, introduced by Law No. 2016-1547 of 18 November 2016 for the Modernisation of the 21st Century Justice), criminal proceedings and private rights of action.
Proceedings
When the CNIL finds a PII owner to be in breach of its obligations under the LIL, as a preliminary step the CNIL chairman may issue a formal notice for the PII owner to remedy the breach within a limited period. In cases of extreme urgency, this period may be reduced to 24 hours.
When the breach cannot be remedied in the context of a formal notice, the CNIL may impose one of the following sanctions without prior formal notice of adversarial procedure:
- a formal warning notification;
- a financial penalty; or
- the withdrawal of the authorisation to operate the data processing.
When the PII owner complies with the terms of the formal notice, the CNIL chairman shall declare the proceedings closed. Otherwise, the competent committee of the CNIL may, after a contradictory procedure, pronounce one of the following penalties:
- a warning notification;
- a financial penalty, except when the PII owner is a public authority;
- an injunction to cease the processing; or
- the withdrawal of the authorisation granted by the CNIL for the data processing concerned.
In the case of an emergency and an infringement of civil rights and freedoms, the CNIL may, after an adversarial procedure, take the following measures:
- the suspension of the operation of data processing;
- a formal warning;
- the lockdown of PII for a maximum of three months (except for certain processing carried out on behalf of the French government); or
- for certain sensitive files of the French government, informing the prime minister so that he or she can take the measures necessary to remedy the breaches.
In the event of a serious and immediate violation of rights and freedoms, the chairman of the CNIL may request, by summary application, that the competent judge order any necessary security measures.
The CNIL may also inform the public prosecutor that it has found infringements of data protection law that are criminally sanctionable.
Publicity of the penalties
The CNIL can make public the financial penalties that it pronounces. Publication of these sanctions in the press or other publications is no longer conditional on bad faith on the part of the entity concerned.
Criminal sanctions
Infringements of data protection law may be punished by imprisonment for a maximum of five years and a criminal fine of up to €300,000 (articles 226-16 to 226-22-1 of the Criminal Code). However, criminal sanctions are hardly ever pronounced.