Part 2 - SCOPE

Exempt sectors and institutions

The Law on Computer Technology and Freedom of 6 January 1978 (LIL) is generally applicable to all public bodies and all non-public entities that process personally identifiable information (PII) and is intended to cover all sectors. However, certain processing carried out by public authorities is subject to specific obligations that differ from the general obligations imposed upon private entities, for example:

  • processing of PII by public bodies for reasons of national security is subject to a specific regime supervised by the executive power; and
  • processing of PII managed by judicial authorities related to offences, convictions and security measures is subject to a specific regime supervised by the executive power.

The following categories of data processing fall outside the scope of the LIL:

  • processing of PII solely for journalistic or artistic purposes; and
  • processing of PII by a natural person in the course of a purely personal or household activity.

Communications, marketing and surveillance laws

The LIL does not directly cover the interception of communications or the surveillance of individuals when implemented for public interest purposes.

Those activities fall under the authority of a dedicated public body, the National Commission for Monitoring Intelligence Techniques. This field is regulated by several laws, mainly Law No. 91-646 of 10 July 1991 and Law No. 2015-912 of 24 July 2015.

Article 87 of the LIL states, however, that all ‘processing of personal data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties’ is only lawful if it complies with the provisions of articles 89 and 90 of the LIL, namely:

  • if the processing concerns state security, defence or public safety, or if its purpose is the prevention, investigation, recording or prosecution of criminal offences, it must be authorised by order of the competent minister after a reasoned opinion from the National Commission for Data Protection and Liberties (CNIL); and
  • if the processing is of sensitive data as defined in article 6, I, of Law No. 78-17, it must also be authorised by a decree of the Council of State issued after a reasoned and published opinion from the CNIL, in which case the processing operations covered by these articles may concern the surveillance of data subjects.

On 12 January 2021, the CNIL’s restricted committee sanctioned the French Ministry of the Interior for having illegally used drones equipped with cameras, in particular, to monitor compliance with containment measures related to the covid-19 pandemic. It also ordered the Ministry to cease all drone flights until a normative framework authorises it.

Although surveillance is not, as such, covered by the LIL, certain articles are applicable to regulate and secure such practices.

Law No. 2004-575 of 21 June 2004 for confidence in the digital economy established the principle of the prohibition of any direct prospecting by email, autodialler machines or faxes, carried out using the contact details of natural persons who have not given their prior consent to such messages.

These provisions concerning electronic marketing have been included in the Postal and Electronic Communications Code (article L34-5 et seq) and in the Consumer Code (article L121-20-5 et seq).

Other laws

Processing of health PII is subject to the provisions of the Public Health Code as well as to the LIL.

Solicitation by autodialler machine, email or fax, and the sale or transfer of PII for prospecting purposes using these means, are subject to the provisions of the Postal and Electronic Communications Code.

PII formats

The LIL is aimed at covering all forms of PII, meaning any information relating to an individual who is identified or who could be directly or indirectly identified, by reference to an identification number or to a combination of one or several elements.

Also, the LIL applies to automatic processing and to non-automatic processing of PII that forms part of a filing system (or is intended to form part of a filing system), except for processing carried out for personal purposes. Accordingly, even records of PII in paper form may be subject to the LIL.

Finally, the LIL also distinguishes between data that could be called ‘standard’ (eg, identification and contact details) and data that is called sensitive or particular. The latter is subject to a prohibition on processing as a matter of principle, unless the controller processing it can rely on one of the exceptions set out in article 9 of Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) and article 6 of the LIL.

Extraterritoriality

The LIL applies to the processing of PII carried out by a PII owner that either (i) is established in France, whether or not the processing takes place in France, where ‘establishment’ is broadly interpreted as referring to all sorts of ‘installation’, regardless of its legal form; or (ii) is not established in France but uses a means of processing located in French territory, for instance data hosting, an internet service provider or cloud services, among others.

Covered uses of PII

In principle, the LIL applies to all processing of PII, except for that carried out for purely personal purposes. The controller determines the purposes and means of the processing of PII, whereas the processor processes PII only on behalf of the controller. The duties of the processor towards the controller must be specified in a contract or another legal act.

In principle, the PII controller is the principal party for responsibilities such as collecting consent, enabling the right of access or managing consent withdrawal. However, the GDPR introduces direct obligations for PII processors (including security, international transfers and record keeping), and thus they can be held directly liable by data protection authorities for breaches of the GDPR and the LIL.

Controllers and processors are also jointly and severally liable where they are both responsible for damage caused by a breach.

On 27 January 2021, the CNIL’s Restricted Section imposed penalties of €150,000 and €75,000 on a controller and its processor for not having taken satisfactory measures to deal with credential stuffing attacks on the controller’s website.

This decision shows that although the controller must communicate documented instructions to its processor and decide on the implementation of security measures, the processor must also seek the most appropriate technical and organisational solutions to ensure the security of personal data, and propose them to the controller.

This decision, which is not public, should be regarded as a warning. Although the two actors have distinct obligations, this does not prevent them from developing a cooperative relationship to ensure the security of the data of the persons concerned.