France – French Digital Republic bill: in anticipation of the GDPR
Published 1 February 2016
What does this cover?
After years of debate and further to a public consultation held last September, discussions on the French Digital Republic bill (the Bill), proposed by Axelle Lemaire, the Secretary of State for the Digital Development, have finally started before the French National Assembly, prior to its definitive adoption in the upcoming months.
The Bill intends to establish a new framework to support innovation and covers a wide range of topics related to open data, personal data protection and the continuous improvement of digital access. Interestingly, some of the key measures of the Bill that concern personal data protection are clearly anticipating the new obligations contained under the future GDPR. The Bill addresses:
- Data portability: the providers of public online communications services shall offer users the possibility to retrieve their personal data in an easily accessible and reusable format
- Information on the storage of personal data: the data controller shall always inform data subjects about the duration of their personal data storage
- Online exercise of rights for data subjects: where personal data has been collected online, the data controller shall provide the data subjects with the possibility to exercise the rights attached to their personal data online (e.g. access, rectification, opposition)
- Simplified erasure rights for minors: subject to a few exceptions, data subjects shall have the right to obtain the erasure of their personal data collected by information society services when they were below the age of 18
- Clarifications on the personal data of the deceased: the Bill clarifies the conditions under which a deceased person’s personal data can be accessed, rectified or erased
In addition, the powers of the French Data Protection Authority (the CNIL) have been strengthened and, further to the CNIL’s opinion on the Bill dated 19 November 2015, the number of potential sanctions has also been increased, including:
- Reduced minimum remediation period: prior to the CNIL issuing a sanction, the minimum remediation period shall be reduced from five days to 24 hours
- Individual notification of sanctions: the CNIL could order the controller to notify the sanction pronounced against it to each of the data subjects concerned
- Amount of fines: instead of the current maximum amount of EUR 150,000, the CNIL could issue fines up to EUR 20,000,000 or 4% of the worldwide annual turnover
The Bill shall, in principle, enter into force after its publication, except for provisions requiring a government decree (e.g. open data, right to erasure for minors) and provisions on data portability, which would benefit from an 18-month transition period.
Article submitted by Thierry Dor, Partner and Dane Rimsevica, Associate – Gide Loyrette Nouel – Paris, France
What action could be taken to manage risks that may arise from this development?
Organisations in France should follow the legislative process of the Bill’s adoption to ensure compliance with any new obligations under the Bill when it enters into force.