Data Protection and Privacy in France: Part 7

Access

Data subjects have a right to ‘access’ the PII that a controller holds about them.

Data subjects can exercise their right of access by sending a signed and dated access request, together with proof of identity. Data subjects can request that the PII owner provides the following information:

• confirmation as to whether the controller processes the data subject’s PII;

• information related to the purposes for which the PII is processed, and the recipients or categories of recipients to whom the PII is or has been provided;

• where applicable, information related to cross-border data transfers;

• the logic involved in any automated decision making (if any);

• the communication, in an accessible form, of personal data concerning the data subject as well as any information available as to the origin of the data; and

• information allowing the data subject to know and to contest the logic underlying the automated processing in the event of a deci- sion taken based on it and producing legal effects concerning the person concerned.

The controller may oppose manifestly abusive access requests, in particular concerning their excessive number or repetitive or system- atic nature. In the event of a claim from the data subject, the burden of proving the manifestly abusive nature of the requests lies with the PII owner to whom they are addressed.

The right of access may be denied when the personal data is kept in a form that excludes any risk of invasion of the privacy of the data subjects (ie, if PII is pseudonymised or anonymised) and for a period not exceeding what is necessary for the sole purpose of statistical, scientific or historical research.

Other rights

Also to the right of access described above, data subjects are granted the rights described below. When PII has been collected by electronic means, the data subjects must be provided with a way to exercise their rights using electronic means.

Right to object

Data subjects have the right to object to the processing of their PII on legitimate grounds unless the processing is necessary for compliance with a legal obligation or when the act authorising the processing expressly excludes the data subjects’ right to object.

Data subjects also have the right to object, at no fee and without justification, to the use of PII related to them for the purposes of direct marketing by the PII owner or by an onward data controller.

Right to correct

Upon proof of their identity, data subjects may require the PII owner to correct, supplement, update, lock or erase personal data related to them that is inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage is prohibited.

When the concerned PII has been transmitted to a third party, the data controller must carry out the necessary diligence to notify such a third party of the modifications operated following the data subjects’ request.

Right to be forgotten

Data subjects have the right to request the PII controller to erase personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, in particular where one of the following grounds applies:

• the PII is no longer necessary concerning the purposes for which it was collected or otherwise processed;

• the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;

• the PII has been unlawfully processed;

• the PII has to be erased for compliance with a legal obligation in EU or EU member state law to which the controller is subject; or

• the PII has been collected concerning the offer of information society services.

On 27 March 2020, the Council of State issued a ruling on the right to be forgotten, which marks the end of a legal battle between the National Commission for Data Protection and Liberties (CNIL) and Google regarding the territorial scope of the right to be forgotten under EU law. The CNIL originally fined Google €100,000. According to the CNIL, Google’s practice was to only remove references on EU versions of its search engine following a request thereto (thus, only blocking the results in the EU-specific versions). For the CNIL, only the global removal of search results could ensure the effective protection of individuals’ rights.

Following this sanction, Google filed an appeal before the Council of State because the ‘right to be forgotten’, as it is currently established under EU data protection law is limited to the territory of the European Union and Google, therefore, cannot be forced to remove the search results globally on all its domain names extensions.

The Council of State, noting ‘several serious difficulties regarding the interpretation of the directive’, subsequently referred questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling concerning the scope of the right to be forgotten.

Taking the side of Google, the CJEU in Google v CNIL (Case C-507/17) held that the scope of de-referencing only applies for results of a search carried out from within EU territory. Therefore, the results will still be accessible if a search is performed outside the European Union.

Although the CJEU ruled that the ‘right to be forgotten’ does not apply at a global scale, it clearly stated that the de-referencing must be effective at EU scale, and not only in the local version of the search engine found in the country where the individual concerned lives.

Moreover, the CJEU specifies that, although there is no obligation of global de-referencing under EU law, it is also not forbidden. Thus, a supervisory authority, and so the CNIL, has the authority to force a search engine operator to delist results on all the versions of the search engine if it is justified in some cases to guarantee the rights of the indi- viduals concerned.

Finally, the court demanded that search engine operators take effi- cient measures to prevent or, at the very least, seriously discourage an internet user from gaining access to delisted links.

Following the CJEU’s decision of 27 March 2020, the Council of State annulled the CNIL sanction on Google.

The Council of State ruled that the CNIL was not entitled to order a worldwide delisting. As a result, the sanction did not rely on an appro- priate legal ground and that there is currently no legislative provision in France that suggests that the right to dereferencing could apply outside the territory of the European Union. The Council of State also pointed out that, in any case, the right to global de-referencing would only have been permitted if the CNIL had struck a balance between the individual’s right to privacy and the general public’s right to freedom of information, which the CNIL had failed to do when it sanctioned Google.

Right to be forgotten for children

Data subjects have the right to request the PII controller to erase without undue delay the personal data that has been collected in the context of the provision of information society services where the data subject was underage at the time of collection. When the PII controller has trans- mitted the concerned data to another PII owner, the data controller shall take reasonable measures, including technical measures, to inform the onward PII owner of the data subject’s request for the deletion of any link to the data, or any copy or reproduction thereof.

This is unless the data processing is necessary:

• to exercise the right to freedom of expression and information;

• to comply with a legal obligation requiring the processing of such data or to carry out a task in the public interest or the exercise of the public authority entrusted to the controller;

• for public health;

• for archival purposes of public interest, for scientific or historical research or statistical purposes; or

• to establish or exercise legal rights.

Right of data portability

Data subjects have a right to:

• receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use;

• transfer their personal data from one controller to another;

• store their personal data for further personal use on a private device; and

• have their personal data transmitted directly between controllers without hindrance.

Digital death

Data subjects have the right to set guidelines for the retention, deletion and communication of their personal data after their death.

In a press release of 28 October 2020, the CNIL identified that every day, nearly 8,000 Facebook accounts were left abandoned following the death of their owners and wondered what solutions could be brought to this problem. To raise awareness on the subject, it has therefore published guidelines on digital death and the fate of a deceased person’s data.

Automated individual decision-making, including profiling

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless it is:

• necessary for entering into, or performance of, a contract between the data subject and a data controller;

• authorised by EU or EU member state law to which the controller is subject and that also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or

• based on the data subject’s explicit consent.

Compensation

Individuals may claim for damages when they are affected by a breach of the Law on Computer Technology and Freedom of 6 January 1978 (LIL) that qualifies as a criminal offence subject to the referral to crim- inal jurisdiction.

Also, the LIL allows under certain conditions, when several natural persons placed in a similar situation suffer damage having as a common cause a breach of the same nature of the requirements of the LIL or Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR) by a personal data controller or processor, that a group action be brought before the civil court or the competent administrative court given the individual cases presented by the claimant, who shall inform the CNIL.

In this case, compensation may amount to the total amount of damage endured by the individual, which includes moral damages or injury to feelings.

Enforcement

Where the data controller does not answer or refuses to grant the right to the data subjects’ request, the latter can refer to the CNIL or a judge to obtain interim measures against the data controller.

Judicial review

Personally identifiable information owners can appeal against orders or sanctions pronounced by the National Commission for Data Protection and Liberties in front of the Council of State.