France Adopts Digital Republic Law
On 7th October, the French Digital Republic Act ("Loi n°2016-1321 pour une République numérique") came into force following a year long process which began in December 2015 to amend the laws regulating various aspects of the digital economy in France. This law introduces new provisions that will regulate the digital economy as a whole (such as open data, online cooperative economy, revenge porn and access to the internet). For privacy professionals, this law is important as it introduces several key amendments under the French Data Protection Act of 1978 and other laws, prior to the GDPR's entry into force in 2018. The essential provisions of the Digital Republic Act are explained below in ten key points.
1. Higher fines pronounced by CNIL
By far, the most significant amendment to the Data Protection Act concerns the French Data Protection Authority's (CNIL) powers to impose administrative fines. Previously limited to EUR 150,000 under the amended Data Protection Act, the CNIL will now be able to impose fines up to EUR 3 million. The Digital Republic Act explains that once the GDPR comes into force in 2018, the CNIL will be able to impose administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover for any data protection violations as defined under article 83 of the GDPR. But controllers in France may still be fined up to EUR 3 million for any violation to the amended Data Protection Act that is outside the scope of the GDPR. This is particularly significant in relation to the new rights that are granted to the data subjects
2. Enhanced Rights for Individuals
In the wake of the GDPR, the Digital Republic Act seeks to enhance the rights of individuals by introducing under the Data Protection Act a general right allowing them to decide and to control the uses that are made of their personal data. For example, the Digital Republic Act explicitly requires controllers to grant individuals the right to exercise their rights electronically whenever their data is collected electronically.
3. Additional Information to the Data Subjects
The Digital Republic Act now requires data controllers to inform their data subjects about the period during which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
Furthermore, all providers of online communication services to the public must inform their users specifically about the right to decide how their personal data will be processed following their death, including the right to provide their last instructions regarding the processing of their data (see below for the post mortem right to privacy).
Regarding the processing of data for purposes of medical research, the Digital Republic Act establishes that the parents or legal guardian of a minor under 18, or the legal representative of a person placed under legal guardianship, receive the information regarding the data processing and exercise the rights provided by the Data Protection Act in France. However, for certain types of medical research mentioned in the Public Health Code, minors above the age of 15 may object to their parents or legal guardian accessing the personal data about them that has been collected and processed in the course of such medical research, and may exercise alone the right to access and rectify data and the right to object to the processing.
4. Post Mortem Right to Privacy
The Digital Republic Act creates an innovative new right for individuals to decide how their personal data may be processed after their death. Before dying, any individual may give general or specific instructions regarding the storage, erasure or disclosure of his/her personal data. On the one hand, general instructions apply to all data that is collected and processed about an individual. These instructions are kept by a certified third party or the CNIL. On the other hand, individuals may send specific instructions to a given data controller instructing that controller on how it may continue to use the data it withholds about those individuals after their death. Where a controller has received specific instructions from an individual, the ongoing processing of that individual's data after his/her death is based on that individual's consent and cannot be waived in the controller's general terms of use. Naturally, what comes to mind with this new provision is the possibility given to individuals to erase their data from online profiles on social networks and other web platforms. In the absence of any instructions, the heirs of the deceased may exercise the data protection rights of the deceased.
5. Right to be Forgotten
The Digital Republic Act introduces under the Data Protection Act the right for individuals to request that their personal data be deleted without delay when such data was collected in relation to the offering of information society services at a time when they were minors. Where the data controller has shared the data with third party controllers, the initial controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform such third parties which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
If the data controller does not delete the data, or fails to respond to the data subject's request within one month, then the individual may file a complaint to the CNIL who must respond within three weeks from receiving the complaint.
6. Enhanced secrecy of correspondence
The Digital Republic Act introduces a new obligation for telecom operators and providers of electronic communication services to the public who offer online communication services (for example, providers of online messaging services) to maintain the secrecy of correspondence, including the content of the message, the sender and recipient's identity and, where applicable, the subject line and attachments of the message. The automatic processing of emails or other type of digital communications for purposes of advertisement, statistics or the enhancement of services is forbidden unless the data subject has given his/her express consent to such processing at least one year before the processing. Moreover, there must be a specific consent for each type of processing. However, electronic messages can still be analysed automatically to display, sort or dispatch messages, or to detect viruses or other forms of computer malware.
7. New Right to Data Portability for Consumers
The Digital Republic Act introduces a new section under the Consumers Code, which grants consumers a right to the recovery and portability of their personal data. This new provision requires all providers of online communication services to the public to enable consumers to recover, free of charge, all data that they have stored online, including data files, all data stored and accessible from the user's online account, and other types of data that are associated with the user's online account and that can be easily re-used and exploited by another data controller. The data controller must provide the data in a readable format. If that cannot be done, the data controller has to inform the consumer of such restriction and provide alternative ways for the user to recover his/her data.
8. Online Platform Providers
The Digital Republic Act introduces specific obligations for online platform providers. They are defined as businesses that offer to customers an online communication service to the public that 1) enables the ranking or referencing by means of a computer algorithm of content, goods or services that are offered or displayed online by third parties (e.g., search engines), or 2) allows parties to get in contact with one another in order to sell goods, offer a service, or exchange or share content, goods or services (e.g., online auction or shopping websites).
These online platform providers must provide consumers with loyal, clear and transparent information regarding 1) the general terms of use that apply to the platform and the means used to rank, reference or de-reference content, goods or services that are available via this platform; 2) whether there is a contractual or capitalistic relationship, or remuneration in case they influence the ranking or referencing of the content, goods or services that are made available on their platform; and 3) the rights and obligations of the parties in civil and fiscal matters when the platform allows consumers to contact professionals or non-professionals.
9. No restrictions on data storage
Last but not least, the final text of the Digital Republic Act has deleted the provision that would have required all data to be stored in the EU and not be transferred outside of Europe. Therefore, there are no data residency rules that would require businesses to store their data in France, and on the contrary, businesses can continue to transfer personal data outside Europe as long as they respect the EU data protection requirements under the GDPR.
10. Practical implications
With the Digital Republic Act, France has sent a clear message that it is taking personal data protection very seriously and is keen to establish strong safeguards to protect personal data. This new law also shows that even though the GDPR establishes a harmonised data protection regime across Europe, EU member states can nonetheless adopt additional or more restrictive data protection rules, and therefore, country-specific laws will continue to apply meaning that businesses may still need to comply with different national laws when processing personal data across Europe.
Now that the text has come into force, we will need to wait for the adoption of the implementing decrees, some of which are supposed to come into force before the end of the year. Thus, businesses should tackle the new challenges set up by this law as soon as possible.