Data Protection in France
| Data Protection in France | |
|---|---|
 | |
| Data Protection Authority: | CNIL (France) |
| National Implementation Law (Original): | Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés |
| English Translation of National Implementation Law: | [n/a English Translation] |
| Official Language(s): | French |
| National Legislation Database(s): | Légifrance |
| English Legislation Database(s): | n/a |
| National Decision Database(s): | Link |
Legislation
History
The French government enacted its first data protection act in 1978, the Law n° 78-17 of 6 January 1978 relative à l'informatique, aux fichiers et aux libertés, so-called law "Informatique et Libertés". Directive 95/46/ex has been transposed by the law n° 2004-801 du 6 août 2004 which modified the law "Informatique et Libertés.
National constitutional protections
The right to the protection of personal data falls within the scope of application of the right to the respect for private life. Indeed, it is acknowlegded that the right to respect for private life protects individual from interferance, such as the disclosure or publication of personal data (see, Cassation, Civ. 1, 5 Nov. 1996).
The right to the respect for private life has a constitutional value in France, in accordance with the Constiutional Council decision of July 1999 (see, Constitutionnel Council, decision n° 99-416 DC of 23 July 1999). The Constitutional Council conferred to the right to the respect for private life a constitutional value as it is directly implied in Article 2 of the Declaration of Human and civic rights of 1789, which forms part of the body of constitutional rules and principles by reference to which the Constitutionnal Council can adjudicate.
National GDPR implementation law
In France the GDPR is implemented by the Law "Informatique et Libertés", as modified by the Loi n° 2018-493 of 20 June 2018 , the Decree n° 2018-687 of 1st August 2018 which has been enacted to implement the aforementionned Law and lastly, the Order n° 2018-1125 of 12 December 2018.
Age of consent
The age of consent is 15 years following Article 45 of the Law "Informatique et Libertés".
Freedom of Speech
The interplay between the right to the protection of personal data and the freedom of expression has been clarified by Article 80 of the Law "Informatique et Libertés".
Employment context
Article 44 of the Law "Informatique et Libertés" provides for a provisions which applies in employment context to the extent that it concerns the necessary processing of biometric data to the control of the access to the workplace and monitoring of apps and devices used during employees', interns', agents' tasks.
Research
The specific rules related to a processing for archival purposes in the public interest, for scientific or historical research or for statistical purposes are laid dwon in Articles 78 and 79 of the Law "Informatique et Libertés".
Other relevant national provisions and laws
The Law "Informatique et Libertés" gathers all the provisions related ot the processing of personal data. It includes cross references to other French laws such as labor law or criminal law.
National ePrivacy Law
The French government transposed the ePrivacy Directive by modifying several domestic laws. The Law "Informatique et Libertés" has been modified by the Law n° 2004/801 of 6 August 2004, the Law n° 575 of 21 June 2004 and the Law n° 669 of 9 July 2004.
Procedural information
Applicable Procedural Law
The CNIL operates under the law "Informatique et Libertés" under the conditions laid down by Articles 19 to 29.
Complaints Procedure under Art 77 GDPR
The Supreme administrative Court (the "Conseil d'Etat") is the first and last judicial intance before which the CNIL's decisions are challenged, pursuant to Article R 311-1 of the Code of Administrative Justice.
Any CNIL's decision can be challenged within the four months following the notification of the decision, with the conditions and limits provided for in Articles R 411-1 to R 421-7 and R 432-1 to R 441-1 of the Code of Administrative Justice.
You can find the provisions of the Code of Administrative Justice in French here.
Ex Officio Procedures under Art 57 GDPR
The CNIL can run ex officio procedures out of its own motion. Its powers are described under Article 8 of the law "Informatique et Libertés".
Data Protection Authority
The French Data Protection Commission (Commission Nationale de l’Informatique et des Libertés) is the national data protection authority for France.
→ Details see CNIL (France)
Judicial protection
Civil Courts
The Civil Courts have jurisdiction to address privacy rights' issues insofar it does not fall within the scope of competence of the Administrative Courts.
Administrative Courts
The Administrative Courts have jurisdiction depending on the issue at stake, as clarified criteria determined and applied by the Court of Conflict (the "Tribunal des conflits"). For example, the dispute has to concern a public entity exercising its prerogative of public powers or an act which has been taken by a public entity, such as the CNIL, public works, public services, public domains, public servants...
Constitutional Council
The constitutional Council has jurisdiction to adjucate legislative and executive acts insofar they are contrary to the body of constitutional rules and principles. There are two kinds of procedure : one is before the adoption of the act, the other one is in the event where a question for constitutionality is raised during a dispute ( the "question prioritaire de constitutionnalité"). The conditions and limits to these procedures are laid down in the Code of Administrative Justice and the Constitution of 1958.
