carol a.f. umhoefer
Law No. 78 17 of 6 January 1978 on “Information Technology, Data Files and Civil Liberty”
(“Law”) is the principal law regulating data protection in France.
The EU Data Protection Directive 95/46/EC was implemented via Law No. 2004 8021 of
6 August 2004 which amended the Law?
Enforcement of the Law is principally through the “Commission Nationale Informatique et
Definition of Personal Data
Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him or her.
Definition of Sensitive Personal Data
Personal data that reveals directly or indirectly, racial and ethnic origins, political, philosophical, religious opinions or trade union affiliation of persons, or that concern their health or sexual life.
National Data Protection Authority
Commission National de l’informatique et des Liberties (cnil)
8, rue Vivienne
75083 Paris Cedex 02
The CNIL is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardize human identity or breach human rights, privacy or individual or public liberties.
Except for certain data processing that is subject to exemption, authorization, ministerial order or decree issued by the Supreme Administrative Court (“Conseil d’Etat”), the processing of personal data requires a prior declaration to the CNIL.
The prior declaration to the CNIL shall specify, amongst other things:
■ The purpose(s) of the processing;
■ the identity and the address of the data controller (i.e. the natural or legal person who determines the purpose and the means of the personal data processing and implements such decisions itself or appoints a data processor to implement them);
■ The possible interconnections between databases;
■ The types of personal data processed and the categories of persons concerned by the
■ The recipients of the processed data;
■ The time period for which the data will be kept;
■ The department or person(s) in charge of implementing the data processing;
■ The recipients or categories of recipients of the personal data;
■ The measures taken in order to ensure the security of the processing; and
■ The existence of a data transfer to a country outside of the EU regarded by the CNIL as not providing an adequate level of protection.
The CNIL may also exempt certain processes from prior declaration, in view of their purposes, addressees, the nature of the processed data, the length of their conservation or the concerned persons. Other processes may require only a simplified prior declaration.
Data Protection Officers
There is no legal requirement for organizations to appoint a data protection officer (known as a
Correspondent Informatique et liberties or CIL in France).
However, an organization is exempt from making prior declarations to the CNIL if the organization has appointed a data protection officer (“DPO”).
The appointment of a DPO does not exempt an organization from requesting prior authorization, where necessary (e.g. transfer of data to a country that does not provide an adequate level of protection to personal data).
The DPO is in charge of verifying the compliance of data processing with the Law. The DPO communicates, to any person who requests, information on the processing such as its purposes, interconnections, the types of data and the categories of concerned persons, the length of data conservation and the services in charge of implementing the processing.
Collection and Processing
Any personal data must be processed in a manner consistent with the following general
■ all personal data is processed fairly and lawfully;
■ all personal data is collected for specific, explicit and legitimate purposes and are subsequently processed in accordance with these purposes;
■ all personal data collected is adequate, relevant, and non-excessive in view of the purposes
for which they are collected; and
■ all personal data is accurate, comprehensive and, when necessary, kept up to date.
The processing of personal data shall have received the individual’s consent or shall fulfill one of
The following conditions:
■ processing is required by law;
■ The purpose of the processing is to protect the individual’s life;
■ The purpose of the processing is to carry out a public service;
■ processing relates to the performance of a contract to which the concerned individual is a
■ processing relates to the realization of the legitimate interest of the data controller or of the data recipient, subject to the interest and fundamental rights and liberties of the concerned individual.
Where sensitive personal data is processed, a different list of specific conditions applies.
Whichever of the above conditions is relied upon, the person from whom the personal data is collected must be informed of:
■ The identity of the data controller and, as the case may be, the data processor;
■ The purposes of the data processing;
■ The recipients or categories of recipients of the data;
■ the right to object, for a legitimate purpose, to the collection of such data, a right to access the collected data and a right to have the processed data rectified, completed, blocked or deleted; and
■ Where data is to be transferred outside the EU, and specific details on where and why the data is newly transferred.
Transfer of a data subject’s personal data to a non EU/European Economic Area country is allowed if the country guarantees to individuals a sufficient level of protection in terms of privacy and fundamental rights and liberties. The sufficient nature of the protection is assessed taking into account national laws, applicable security measures, specific characteristics of the processing, such as its purpose and duration, as well as the nature, origin and destination of the processed data.
For data transfers to the United States, companies that adhere to the US/EU Safe Harbor principles are deemed to offer adequate protection.
Data controllers may transfer personal data out of the European Economic Area to countries that are not deemed to offer adequate protection if the transfer is necessary:
■ For the protection of the individual’s life;
■ For the protection of the public interest;
■ to comply with obligations allowing the acknowledgement, the exercise or the defense of a
■ for consultation of a public register intended for the public’s information;
■ for the performance of a contract between the data controller and the individual, or pre
Contractual measures undertaken at the individual’s request;
■ For the conclusion or the performance of a contract in the interest of the individual, between
The data controller and a third party.
The CNIL may allow transfers if the above conditions are not fulfilled provided there is an adequate level of protection by reason of contractual provisions e.g. by standard contractual clauses (Model Clauses) approved by the European Commission, or internal rules (Binding Corporate Rules) applicable to data exporter and data importer.
The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and, amongst other things, prevent alteration, corruption or access by unauthorized third parties.
A data processor may only process personal data on behalf and upon instruction given by the data controller. The data processor must provide sufficient guarantees in terms of security and confidentiality, but even if this is the case, the data controller remains liable for compliance with these obligations.
The Law does not set out any obligation to notify the CNIL or the data subject in the event of a data security breach.
The CNIL has the power to proceed with verifications of any data processing, and, as the case may be, to request a copy of every document that it considers useful in view of its mission.
The CNIL also has the power to pronounce different sanctions that vary in accordance with the severity of the violation committed by the data controller:
■ Warnings and notices to comply with the obligations defined in the Law; or
■ if the data controller does not comply with the notice, the CNIL has the power to order a financial sanction up to EUR 150,000 for the first violation, and in the case of a second violation in the following 5 years, up to EUR 300,000 or 5% of the company’s turnover (limited to EUR 300,000), and/or to order that the company immediately cease the data processing.
In accordance with Articles 226 16 to 226 24 of the French Criminal Code, various violations of the Law may constitute a misdemeanor. For example, the violation, even by negligence,
of the prior declaration requirements (see Registration above) is punishable by up to 5 years’
Imprisonment, and/or a fine of up to EUR 300,000 (for natural persons), or a fine up to
EUR 1.5M and/or other sanctions (for legal persons).
The Act does not contain explicit provisions with respect to electronic marketing. However the CNIL has issued guidelines on the basis of French consumer law and electronic communications law.
The CNIL distinguishes between B2B and B2C relationships.
In any event, all electronic marketing messages must specify the name of the advertiser and allow the recipient to object to the reception of similar messages in the future.
electronic marketing to consumers (B2c):
Electronic marketing activities are authorised provided that the recipient has given consent at
the time of collection of his/her email address. This principle does not apply when:
■ The concerned individual is already a customer of the company and if the marketing messages sent pertain to products or services similar to those already provided by the company.
■ The marketing messages are not commercial in nature.
In any event the concerned individual must be informed at the time of collection of his/her email address (i) that it will be used for electronic marketing activities (ii) that he/she may object to such use.
Electronic Marketing to Professionals (B2B):
Electronic marketing activities are authorized provided that the recipient has been informed at the time of collection of his/her email address (i) that it will be used for electronic marketing activities (ii) that he/she may object to such use.
The message sent must relate to the concerned individual’s professional activity.
Please note that email addresses such as email@example.com are not subject to prior consent and right to object.
Online Privacy (including cookies and Location Data)
Cookies – The EU Cookie Directive has been implemented in the Law. It states that any subscriber or user of electronic communications services must be fully and clearly informed by the data controller or its representative of (i) the purpose of any cookie (i.e. any means
of accessing or storing information on the subscriber’s/user’s computer), and (ii) the means of refusing cookies, unless the subscriber/user has already been so informed. Cookies are lawfully deployed only if the subscriber/user has expressed consent after having received such information.
However, the foregoing provisions do not apply (i) to cookies the sole purpose of which is to allow or facilitate electronic communication by a user, or (ii) if the cookie is strictly necessary to provide on line communication services specifically requested by the user.
In November 2011 and again in April 2012, the CNIL issued guidance for cookies.
The CNIL considers that certain cookies are not covered by the Law (e.g. cookies used to constitute a “basket” on a e-commerce platform, session ID cookies etc).
Regarding consent, the CNIL has specified that consent must be (i) freely given (i.e. in circumstances where the user has a choice to refuse consent), (ii) specific (i.e. relate to a specific cookie associated with a clearly defined purpose), and (iii) informed (i.e. the user must be given information beforehand, specifying the cookie’s purpose as well as the possibility to revoke consent). Valid consent can be expressed via browser settings if the user can choose the cookies he/she accepts and for which purpose. However, according to the CNIL, commonly used browsers do not offer compliant settings.
The CNIL regards the following consent collection mechanisms as compliant:
■ a banner at the top of a webpage;
■ a consent request zone overprinting on the site’s homepage; and
■ boxes to tick when registering for an online service.
The CNIL considers that the website owner is liable for allowing a third party to install a cookie on the user’s computer.
The April 2012 guidance also reaffirms that these rules apply to all cookies whether containing personal data or not.
The April 2012 guidance also reminds operators that non-compliance with French law can
Trigger financial penalties (see enforcement section).
Location and Traffic Data – The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic communication service providers (“CSPs”).
All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained e.g.:
■ For the purpose of finding, observing and prosecuting criminal offences;
■ For the purpose of billing and payment of electronic communications services; or
■ for the CSP’s marketing of its own communication services, provided the user has given consent thereto.
Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services), location data may be used in very limited circumstances, e.g.:
■ During the communication, for the proper routing of such communication; or
■ Where the subscriber has given informed consent, in which case the location data may be processed and stored after the communication has ended.