GDPR and new French data protection draft legislation

This new draft legislation on the protection of personal data is therefore intended to adapt Law No. 78-17 of 06 January 1978, on computing, databases and civil liberties, to the provisions of the “European data protection package” formed by Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data, applicable as of 25 May 2018 (GDPR), and Directive 2016/680 on data processing for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, which is to be implemented in domestic law by 06 May 2018.

It should first be recalled that with its much anticipated entry into force, GDPR will be directly applicable in Member States, in order to ensure a harmonisation of personal data protection rules in Europe. One of the first purposes of this draft legislation is therefore essentially technical and consists in repealing the existing provisions of the French law that contradict the GDPR, such as the system of prior declaration, as a rule, of the processing of personal data to the French data protection authority, the “CNIL”.

The GDPR still leaves Member States with a certain amount of free will by providing for around 50 references to national laws. The main contribution of this draft legislation is therefore, also, for France to take a stance on these national prerogatives permitted by the GDPR. For some of these references, the French Government has chosen not to adopt any specific national arrangement and to align with the GDPR, such as by renouncing the mechanism of class action even though the GDPR leaves this possibility to the Member States, or by setting the minimum age for consenting to a direct offer of online information services at 16, even though the GDPR allows Member States to lower that age down to a minimum of 13 years old.

On the other hand, for certain references to national law, the Government has profited from the leeway given by the GDPR by setting out specific rules and maintaining the current specific derogations. Thus, despite the new system of ex post facto control imposed by the GDPR, leading to the rewriting of the French system based on mechanisms of prior declaration and authorisation for processing, certain prior intervention mechanisms have been retained in the draft legislation. In this way, the Government has chosen to retain the prior control system for processing requiring the use of a person’s registration number in the national identification registry for natural persons (NIR).

For certain types of processing of sensitive data, the GDPR also authorises France to retain specific measures. In this respect, the draft legislation grants the CNIL the right to establish additional safeguards for the processing of data on criminal offences and to require additional technical and organisational measures for the processing of the biometric, genetic and health data. The draft also provides that processing pertaining to research in health matters shall continue to be subject to an authorisation process.

The GDPR also gives some room for the legal framing of profiling which is defined as an automated processing using personal data to assess certain personal aspects pertaining to a natural person for the purpose, notably, of analysing or predicting aspects concerning his or her economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The GDPR also provides that persons have the right not to be the subject of automated decision-making, and in this respect profiling is deemed equivalent to automated decision-making, unless this automated decision-making is authorised by the law of the Member State in question which must nevertheless lay down suitable measures to safeguard the person’s rights and freedoms and legitimate interests. The Government has profited from this exception allowed by the GDPR to include, in the draft legislation, the possibility for French administrative authorities to use algorithms to make automated decisions provided that suitable safeguards relating thereto are adopted. The scope of these safeguards, however, is not currently defined, a situation that the CNIL deplores in the opinion it gave on this draft legislation on 30 November 2017.

The CNIL’s opinion and the numerous other commentaries on this draft legislation should certainly lead to developments and amendments to the draft legislation on the protection of personal data, which will then be codified by way of an Ordinance into the Computing and Civil Liberties Law. In this respect, the scheduled timetable which gives until 25 May 2018 appears to be extremely tight.

Click here to read the same article in French