Update on French law

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

The last two lines of the GDPR, which repeals Article 94 of Directive 95/46/EC, i.e. the previous reference text on data protection, are as follows: "It shall apply from 25 May 2018. This Regulation shall be binding in its entirety and directly applicable in all Member States." There is therefore no need for transcription into a law at the national level. Nevertheless, States are invited to do so, which corresponds to the practice of many of them. Where we see that Europe is not yet a federation, far from it.

France has therefore drawn up a draft law (a text submitted to parliament, the sole holder of legislative power, but proposed by the government) incorporating the provisions of the European regulation on the protection of personal data (known as the "European package"). This text, presented in mid-December 2017 by Minister of Justice Nicole Belloubet, was adopted on February 13, 2018, by the National Assembly, with a very large majority (505 votes in favor, 18 votes against, and 24 abstentions). For it to come into force, it still needs to be approved by the Senate, which will examine it from March 20 (we therefore do not know the result at the time of writing, at the beginning of March, but there is no reason for senators to vote differently from their fellow MPs on this point).

Yesterday, it was the 1978 Data Protection Act that applied. This longevity shows the intelligence of the promoters of this law at the time (the internet did not exist), even if it is now obsolete. The new law therefore replaces that of 1978, just as the GDPR replaces the 1995 directive at the European level. To the provisions of the regulation that we have seen, it adds those of a directive applicable to criminal files (which would notably concern the national file of genetic fingerprints, that of stadium bans, or even the processing of criminal records).

"This involves streamlining preliminary formalities in favor of a process of accountability for stakeholders and strengthening individual rights. In return, the CNIL's powers are strengthened and the penalties incurred are considerably increased," said Ms. Belloubet, echoing the philosophy of the European regulation.

The law goes even further than the GDPR on two points: the age of "digital majority" and class actions. On the first point, we recall that the GDPR sets it at 16 years, but allows states to lower it to 13. France has chosen an intermediate position: "A minor may consent alone to the processing of personal data from the age of 15" (this one-year lowering did not come from the government, but from the deputies themselves, in the form of an amendment to the initial draft). Between the ages of 13 and 15, parental consent is required. Below 13, all data collection is prohibited. But how can such provisions be enforced when we know that, according to a CNIL study in June 2017, 63% of 11-14 year-olds are registered on a social network, that 4 out of 10 lie about their age and that platforms or social networks set their own rules (it is possible to register on Facebook without parental authorization from the age of 13)?

The other strong point of the new data protection law is the possibility of class actions, already initiated by the 2014 and 2016 laws, but which this time would allow for compensation for damages of a "material or moral nature," whereas until now only economic damages were taken into account. Despite the difficulty of implementing such a procedure, it is an additional means of pressure on companies that is established by the new French law.

The French text, in accordance with the GDPR, which provides for exceptions for security-related areas, maintains prior authorization for the processing of "biometric data necessary for the identification or verification of the identity of individuals." Similarly, European law does not apply to a dozen so-called "sovereignty" files, such as the file of alerts for the prevention of radicalization of a terrorist nature (FSPRT).

One surprising aspect of the law seems to have received little mention: the bill empowers the government to rewrite the entire Data Protection Act within six months, in the form of an ordinance (Article 38 of the Constitution, the government acts in an area that is notably that of Parliament). This new data protection law would therefore have a limited duration? Not only does this seem surprising, given that the main content of the law is the transposition of a major European regulation, designed to last. But furthermore, one wonders why Parliament would relinquish its power over such a fundamental issue. Finally, how can we require companies to comply by May 25, 2018, if the rules of the game are changed in the coming months?

The rare consensus in our country on the new measures in favor of data protection should not prevent us from listening to criticism, when it comes from people with undeniable expertise in the matter. We will simply mention two of them.

The first is from Yann Padova, former secretary general of the CNIL, now a lawyer at Baker McKenzie, who wrote in Les Échos on January 29: "Our world is experiencing a deluge of data, their volume doubling every twenty-four months. Facilitating their analysis, seeking new correlations, and encouraging the emergence of innovative services—this is the challenge of Big Data today and artificial intelligence tomorrow. By refusing to exploit this possibility, the bill is choosing conservatism. Given the strengths of our French industry and our mathematical school, this choice is regrettable. It demonstrates once again the lack of consideration of the link between innovation, data protection, and industrial development."

The second is from Laurent Alexandre, a specialist in artificial intelligence (among others), whose illuminating analyses have been enlightening us for years about the impact of NBIC (nano, bio, computer science, cognitive science) technologies on our lives. In his column of January 24, 2018, entitled "Should the CNIL be abolished?", he writes: "... AI finds unexpected correlations between data, which seem, a priori, uninteresting. Any restriction on data collection certainly handicaps all operators, but above all allows Chinese or American companies to prosper without European competition." And further: "In Brussels, we need a Thatcher of data to lead the technological war. On a French scale, we need to revolutionize the CNIL, which is led by a remarkable team, but which is pursuing the wrong goal. We need to enrich its mission by integrating the technological interests of our country."

This is not the place to open a debate. But these two wise perspectives show us that the legitimate protection of personal data must not be exercised to the detriment of innovation and economic development, otherwise we will be vassalized.