Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

France still to implement the EU Data Protection Directive [2000] PLBIRp 35; (2000) 55 Privacy Laws and Business International Report 6

France still to implement the EU data directive

A report by Ingrid Wilson

FRANCE IS ONE OF THE FEW EU member states that has not yet transposed the EU Data Protection Directive into national law. The new law is expected to introduce rules for online processing, and new regulations for the processing of sensitive data.

Ariane Mole, Head of the IT and Privacy Department at Cabinet Alain Bensoussan, a Paris-based law firm, gave a presentation on the future law at the Privacy Laws & Business Annual Conference in July. As France's data protection legislation is yet to be published, her presentation reflected on what is expected to be in the new law. She had "great expectations" that the law would be in place at the beginning of 2001, hopefully before the sanctions from the European Union. The current 1978 Act applies until the new Act has been passed.

Ariane Mole gave an overview of the main obligations in the French law which will apply to any data controller established in France, or to any data controller not established in the European Union, but who makes use of equipment situated in France. The legislation will include a requirement for notification of automated data processing to the data protection authority (CNIL), prior checking of "risky" processing, obligations relating to sensitive data, international transfers and requirements to provide information to data subjects.

POWERS OF THE CNIL

The CNIL will have additional supervisory powers including:

o Audits - the CNIL may enter company premises following a complaint, or on its own initiative, for example, in response to an issue raised in the media;

o The power to engage in legal proceedings - at the moment the CNIL refers cases to the public prosecutor who makes the decision whether to prosecute; and

o What many firms in France fear most - the power to award financial penalties. These are administrative fines which are added to any fine and compensation decided by the judge. In the current draft, these penalties can be up to 3% of a firm's turnover.

With regard to international transfers outside the European Union, the CNIL may give authorisation if the controller ensures an adequate level of protection. If not, the CNIL can delay authorisation for six months while asking the European Commission for a decision.

Ariane Mole noted that the draft also deals with the issue of tracing users of the Internet, which is of much concern in France. She emphasised the importance of the information notice, as individuals must be informed of the use of cookies and the handling of connection data. Behavioural profiling of data subjects using the Internet is subject to prior checking.

PRIOR CHECKING

Ariane Mole also reported on an important feature of the draft French law - the requirement for prior checking. Where processing may present a specific risk to the individual, data controllers must receive authorisation from the CNIL prior to engaging in such processing. This system is not new to France where the public sector is currently subject to prior checking procedures.

Prior checking is included in the EU Data Protection Directive as an option for Member States. Under the French draft, prior checking is required for any of the following categories of information:

o Sensitive data (automated or not), which also includes national identification numbers and social security numbers. These data may only be processed with consent:

o Offences and criminal convictions;

o Files excluding individuals from a right or benefit of contract (blacklists);

o Combination between files belonging to different entities; and

o Personality or behaviour profiles (behavioural segmentation) collected or accessible over a network (especially tailored for the Internet).

SENSITIVE DATA

Ariane Mole highlighted some differences in France's draft law in relation to sensitive data. The definition of "sensitive data" varies slightly from the EU definition by including "morals" as opposed to "sexual life" for the reason that the term "morals" was considered to be broader. The nation- al identification number is also included as sensitive information, as well as "free text", which is a big topic in France.

Free text encompasses "free commentary or opinion", and was included as a result of a case in France where a customer of a bank saw disparaging comments written about him on screen and made a complaint to the CNIL. An audit revealed a vast amount of data recorded in this free text format and it was apparent that staff were not informed of appropriate ways of handling this facility. The bank was named publicly. Ariane Mole emphasised the importance of informing users about the technical tools at their disposal.

INFORMING DATA SUBJECTS - INDIRECT DATA COLLECTION

Another interesting aspect of France's draft law relates to informing data subjects. Where there is an indirect collection of personal data from other sources, the controller must check the contracts to ensure that there is a clause to confirm that the data subjects were duly informed in the beginning. This places the obligations for informing data subjects clearly on the first collector. An exemption applies where it is impossible to find the data subjects (similar to the Directive). Use of the exemption must be notified to the CNIL.

Ariane Mole concluded her presentation by emphasising the importance of procedures for handling personal data, noting that for many firms, a lack of procedures can give rise to problems, which can result in complaints to the CNIL.

ANSWERS TO QUESTIONS

A question and answer session followed the presentation. Concern was raised about the impact of organisations going back to the individual to inform them of changes to the use of their information. The Directive indicates that if it would cost too much, there is no obligation. Ariane Mole noted that it is not stated in the same terms in France's draft law, however where it is "impossible" to go back to the data subject, there is no obligation in French law ("impossible" is not defined).

The capacity of the CNIL to cope was questioned, particularly in relation to the policy of prior checking. Ariane Mole concurred with the view that it was too much work, but she noted that the public sector prior checking currently undertaken by the CNIL will be replaced by private sector prior checking once the law is in place. It was also pointed out that it is a criminal offence if organisations do not comply with the prior checking rules - a big risk for organisations to take.

A question was asked about prior checking in the context of profiling over the Internet, and what, in particular, the CNIL would be looking for. This would be compliance in relation to information provided to data subjects. For example, were they advised if their data will be sold for marketing purposes, or informed of their rights?

Ariane Mole can be contacted at Cabinet Alain Bensoussan 29, rue du Colonel Pierre Avia 75508 Paris cedex 15, France, Tel: + 33 1 41 33 35 35 Fax: +33 1 41 33 35 36. This presentation was written for Privacy Laws & Business by Ingrid Wilson. She previously worked as Senior Promotion & Education Officer at the Office of the Federal Privacy Commissioner, Australia. She is now a Data Protection Officer with the London Borough of Chelsea and Kensington. She can be contacted by e-mail: ingrid.wilson@rbkc.gov.uk.