French law for a Digital Republic
Anticipating the impact of the GDPR
27 April 2017
On 28 September 2016, the French Senate finally adopted the law for a Digital Republic (Loi n°2016-1321 pour une République numérique) designed by the government as a framework for the development of the digital economy. Among other digital-related provisions, the law anticipates the entry into force, on 25 May 2018, of Regulation 2016/679 relating to personal data (the GDPR).
Penalties on a whole different scale
Pursuant to the Law for a Digital Republic, the CNIL is now able to impose financial penalties of up to €3 million (compared with €300,000 previously, in the event of repeated failure). We are still far from the €20 million, or 4% of the global turnover of the company, under the GDPR, but the spirit is there.
New rights for individuals, new issues for businesses
The new prerogatives granted to individuals will probably induce complexity for companies:
- Information on retention time: under the law for a Digital Republic, individuals whose data are processed should be informed of how long the company retains their data, or if that is not possible, the individuals should be informed of the criteria used to determine such duration. This provision is puzzling for international groups as it will force them to arbitrate between the retention period applicable under the rules set by the group, those set by the entity in France, the legal and regulatory rules of data retention, and the implementation of relevant processes in their information systems.
- Right to oblivion for minors: when individuals turn 18, they can request from the data controller the erasure of personal data that was collected when they were minors. With the increase of social networks, particularly among teenagers, how will operators manage to address requests in what will likely be huge volumes?
A less brutal right to data portability for businesses?
The GDPR introduces the right for an individual to ask a business to provide – in a commonly used and machine-readable format – the personal data it holds in order to transfer them to another provider.
Though the law for a Digital Republic makes a reference to the GDPR with regard to personal data portability, it extends the scope of portability to other categories of data (files uploaded by the consumer, data resulting from the use of a user account, all other data facilitating the switch from one service provider to another, or data necessary to access other services).
However, providers may object to the sharing of user account data that have been subject to "significant enhancement". This exception appears to draw the line between raw and enhanced data and takes into consideration the added value of the work of operators in the creation of complex databases that are expensive and innovative (playlist design, loyalty programs, etc.). A decree will determine the list of enhancements deemed insignificant.
The urgent need to be prepared
By anticipating the GDPR, the law for a Digital Republic forces companies to review their organisational and technical personal data policies earlier than expected, in order to face new requirements to which considerable penalties are attached. The Law for a Digital Republic came into force on 7 October 2016.
To read this update in French, please visit the Clifford Chance website.