France’s new Digital Republic Act significantly strengthens the protections that control how French businesses use and retain personally identifying data. The law expands the scope and authority of the 1978 French Data Protection Act and brings the country to the foreground of modernizing the legal framework of the information economy ahead of the 2018 implementation of the General Data Protection Regulation (GDPR). The Act includes a number of key amendments that improve individual privacy rights, increase the powers of the French Data Protection Authority (CNIL), and impose new requirements on how companies and communication providers handle personal information.
Most importantly, the law has considerably increased the enforcement capabilities of the CNIL. Previously limited to a maximum fine of €300,000, the CNIL can now impose fines of up to €3 million. Once the GDPR takes effect in 2018, that amount will increase to a whopping €20 million or 4% of a business’s gross annual global turnover, whichever is greater. For the world’s largest multinational businesses, this administrative penalty could potentially run into the billions of Euros. By enacting this significant increase, France is signaling that it takes privacy protections seriously and expects businesses to make substantial investments in measures to comply.
The law has also added several new individual rights. Businesses must now notify customers how long their personal data will be held. If doing so is impossible, they must communicate the criteria used to determine the retention period. Customers can also request that businesses delete personal data collected when they were minors. If that data has been shared with third parties, the business must undertake reasonably proportionate measures to notify those third parties of the person’s request to delete the data.
In addition, the law enumerates the right to privacy protections after a citizen passes away through a new instrument called a personal data will. Citizens can communicate their data protection “last wishes” to the CNIL through a will that specifies how to exercise their personal data privacy rights after their death. Businesses must now inform citizens, at the time their personal data is collected, that this right exists.
Online communications providers must also strengthen safeguards for the confidentiality of personal communications. This includes the identity of correspondents, message contents, and subject lines. In particular, providers cannot data mine communications for statistics or advertisement unless they obtain express consent to do so; such consent is valid for a maximum period of only one year. They must also render any personal data they collect portable between service provider platforms. This ensures consumers who choose to take their business elsewhere will be able to bring their personal data along with them.
In summary, the Digital Republic Act represents a profound fortification of France’s data privacy regime, as well as a reinforcement of the relevance of local privacy regulations post-GDPR. Where some businesses might not have prioritized privacy compliance before, these changes are all but certain to prompt businesses that operate in France to build more robust privacy policies, processes, and internal controls. While compliance may require a sizable investment of time and capital, this will undoubtedly be a boon to citizens concerned with the creeping erosion of their private lives that has come from a more digitally connected lifestyle.
Contact Zasio today for a privacy impact assessment to help you navigate evolving laws proactively.