The national data protection authority (CNIL) has published its opinion on the draft bill amending the French data protection act for the implementation of the GDPR

On December 13, 2017, the French Minister of Justice presented to the Council of Ministers, the draft bill amending the French Data Protection Act.

The French Government plans to publish an order for the effective implementation of Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 (General Data Protection Regulation – GDPR) which will come into effect on May 25, 2018.

However, no details were given regarding the legislative agenda. The national data protection authority (CNIL) regretted a “too late schedule” for the review of the French Data Protection Act, having been reminded that it will be necessary to act quickly so that the amended French Data Protection Act will come into force on May 25, 2018.

As this stage, the draft bill includes a Title I related to the common provisions with the GDPR, and a Title II which brings amendments to make the French Data Protection Act compliant with the GDPR.

So, the French Data Protection Authority (CNIL) is designated as the national supervisory authority within the meaning and for the application of the GDPR.

It is also specified that the CNIL may accredit certification bodies, on the basis of accreditation issued by the French Accreditation Committee (COFRAC) and may certify persons, products, systems or procedures in order to demonstrate compliance with the GDPR and national law, including for the personal data anonymization process.

The CNIL is also empowered to encourage the development of codes of conduct defining the obligations incumbent on personal data controllers and processors to comply with the GDPR.

The CNIL may also introduce submissions to any jurisdiction in connection with dispute related to the application of the GDPR and the national law.

The bill also removes the regime of prior declaration for the processing of personal data mentioned in Articles 22 to 24 of the French Data Protection Act.

In line with the GDPR, personal data controllers will have to carry out a data protection impact assessment to evaluate the risk on personal data protection and, if necessary, to consult the CNIL when the treatment will involve a high risk if the personal data controller in charge of the treatment did not establish appropriate measures to mitigate the risk.

Regarding the categories of personal data, the bill repeats the principle that prohibits the processing of “sensitive” personal data and in the meantime extends the scope of these data. However, the processing of health data is subject to specific guidelines. Excluding prior authorization from the CNIL, the processing of health data must comply with a methodological reference that will be adopted jointly by the CNIL and the National Institute of Health Data mentioned in Article L. 1462-1 of the French public health Code.

The simplification of the procedure on health data is therefore not demonstrated.

Muriel Féraud-Courtin

Muriel Féraud-Courtin, Partner, has more than 19 years’ experience in commercial law and works in close cooperation with the lawyers of the international network of Deloitte Legal. Muriel specializes in […]