Privireal: Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

France - Data Protection

History of Data Protection in FRANCE

France introduced legislation relating to personal data and computer files as far back as the late 1970s, with Law Nr. 78-17 of 6 January 1978. This Act also set up the French Data Protection Authority, the CNIL. Legislation covering research conducted in the health sector was introduced in 1994.

Despite this early start in introducing data protection legislation in France, it took 9 years for Directive 95/46/EC to be introduced. In the meantime, the protection of privacy during the processing of information was covered in a piecemeal fashion, by the Law of 12 April 2000 on the Rights of Citizens and their Relationship with Administration, and the Law of 4 March 2002 on Patients' Rights.

Following a lengthy legislative process, the Directive was finally incorporated into French law with Law Nr. 2004-801 of 6 August 2004 relating to the Protection of Data Subjects as Regards the Processing of Personal Data. This law amended the 1978 law, and the bulk of it came into force immediately.

Summary of Data Protection in FRANCE

Title of Data Protection Legislation: Law 2004-801 of 6 August 2004 modifying law 78-17 of 6 January 1978 relating to the Protection of Data Subjects as Regards the Processing of Personal Data (in French)
Name of supervisory authority: Commission Nationale de l'Informatique et des Libertés (CNIL)
General Powers of supervisory authority:

The CNIL's duties are outlined in Article 11 of the new Law. As in the 1978 Act, the CNIL registers notifications, informs on rights, and oversees the correct application of the law (advice and warnings). It also provides opinions on the legitimacy of the processing (authorization requests), engages in jurisdictional recourse in the case of a breach of the law, and oversees the whole procedure. The CNIL also has the power to control the initiation of the processing (Article 44), as well as the power to impose sanctions, for example: warnings, injunctions to stop the processing, and financial sanctions (Articles 45 to 49).

The CNIL can also carry out on-the-spot audits concerning any file containing personal data, and issue warnings to the controllers if required, or inform the public prosecutor.

Finally, the CNIL plays the role of intermediary between data subjects and controllers (through the request to access). At the request of the professional organizations that represent controllers, the CNIL assesses the ‘professional rules’ and gives labels to products or procedures recognized as conforming to the Law (Article 11-3° a, b, c), as provided by Article 27 of the Directive.

Who has standing to notify the supervisory authority of breaches? Anybody, provided they can show that their interest in the matter is justified.
What are the penalties for data controllers if they breach the law? Article 45 of the 2004 law sets out the sanctions for breaches of the law. These include fines, imprisonment, publishing the information of the case in newspapers or other publications (for which the sanctioned person must pay), ceasing processing operations and removing the controller's authorisation to process.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Yes. The processing of identification numbers by private bodies must be authorised by the Supervisory Authority. The processing of identification numbers by public bodies must be authorised by decree taken by the Conseil d'Etat after opinion given by the CNIL.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when it is not impracticable or inappropriate.
Does the Data Protection Legislation cover the deceased? No. In French law, the notion of ‘physical persons’ only concerns living persons.
Who is able to indirectly identify the data subject? Anybody.
