Chapter XX
FRANCE
Merav Griguer[1]

I OVERVIEW

France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection Directive 95/46/EC (the Data Protection Directive),[2] but almost 10 years late. French Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (the Data Protection Law) was amended by the Law of 6 August 2004 on protecting individuals with regard to the processing of personal data, by adopting a law that regulates the collection and processing of personal data across all sectors of the economy. The most recent amendment to the Data Protection Law was dated 24 August 2011. Decree No. 2005-1309 of 20 October 2005, enacting the Data Protection Law, was amended by Decree No. 2007-451 of 25 March 2007.

Offences against the provisions of the French Data Protection Law are qualified and sanctioned by Articles 226-16 to 226-24 of the Criminal Code. The Criminal Code also lays down the penalties for privacy and cybersecurity offences. For example, violations of privacy (such as the act of recording the words or image of individuals without their consent) are sanctioned in accordance with Article 226-1 et seq. of the Code. Article 226-4-1 of the Criminal Code, created by a law of 14 March 2011, renders digital identity theft liable to one year in prison and a €15,000 fine. Moreover, Article 323-1 of the same Code provides for a penalty of two years' imprisonment and a fine of €30,000 in cases of unauthorised access to a computer system.

[1] Merav Griguer is a partner at Dunaud Clarenc Combles & Associés.
[2] European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
In France, compliance with the French data protection framework has become a major concern for public and private companies. There are two main reasons for this: to avoid heavy penalties imposed by the French data protection authority (CNIL)[3] and to protect those companies' reputation.

On 27 February 2014, the President of the CNIL was elected President of the Article 29 Working Party, the group of European supervisory authorities, for two years.

II THE YEAR IN REVIEW

The CNIL grants endorsements to products or procedures for the protection of individuals with regard to the processing of data, such as training and audits. On 23 January 2014 the CNIL adopted a new standard enabling it to grant endorsements of digital safety deposit box products.[4]

The CNIL imposed, for the second time, a €150,000 fine on Google for lack of information, not defining a period of data holding, absence of a legal basis for the combination of data and lack of the data subject's consent.

The scope of whistle-blowing procedures authorised by the CNIL was extended by Resolution No. 2014-042 of 30 January 2014 (AU-004). Henceforth, if a whistle-blowing procedure on finances; accounting; banking and the fight against corruption; anti-competitive practices; the fight against discrimination and harassment in the workplace; or health, hygiene and safety or environmental protection complies with AU-004, CNIL authorisation can be given automatically and without delay. If the whistle-blowing procedure is not compliant with the CNIL standard, the authorisation of the CNIL is required, which may take several months because of the large volume of applications to be processed by the CNIL.

III REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

Privacy and data protection laws and regulations

French Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties was amended by the Law of 6 August 2004 implementing the Data Protection Directive in national law, and entered into force two years later.

Law No. 2004-575 of 21 June 2004 on confidence in the digital economy (LCEN), in particular Article 22, implements the provisions of European Directive 2000/31/EC of 8 June 2000[5] on Electronic Commerce and some of the provisions of Directive 2002/58/EC,[6] regulating direct marketing. The LCEN[7] and Decree No. 2011-219 of 25 February 2011[8] regulate the processing of personal identification, location and traffic data of individuals contributing to the creation of online content. The EU Telecoms Package[9] directives regulating the use of cookies were integrated into the French Data Protection Law by Government Order No. 2011-1012 of 24 August 2011 on Electronic Communications. A new Article 32-II has, therefore, been integrated into the French Data Protection Law.

Key definitions under French standards

a data controller: unless expressly designated by legislative or regulatory provisions relating to processing, a data controller is a person, public authority, department or any other body that determines the purposes and means of data processing;[10]
b data subject: an individual to whom the data covered by the processing relates;[11]
c data processor: a person who acts under the authority of the data controller or of the processor, or any person who processes personal data on behalf of the data controller;[12]
d personal data: any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them;[13]
e processing of personal data: any operation or set of operations in relation to such data by whatever mechanism, especially obtaining, recording, organising, storing, adapting, altering, retrieving, consulting, using, disclosing via communication, disseminating or any other making available, aligning or combining, blocking, deleting or destroying;[14]
f recipient of processing of personal data: any authorised person to whom the data is disclosed, other than the data subject, data controller, subcontractor and persons who, through their work, are in charge of processing data, except legally entitled authorities that in particular situations ask the data controller to send them the personal data concerned; and
g sensitive personal data: personal data that reveals, directly or indirectly, the racial and ethnic origins, political, philosophical or religious opinions or trade union affiliation of persons, or their health or sexuality.[15]

Data protection authority

The CNIL is the independent administrative authority responsible for ensuring personal data protection.[16] For this purpose, the CNIL has significant powers, including a supervisory power and the power to impose penalties. CNIL members and accredited officers have access, from 6am to 9pm and for the exercise of their functions, to the places, premises, surroundings, equipment or buildings used for the processing of personal data for professional purposes. Penalties for non-compliance are as high as €300,000. Penalties are often published by the CNIL, which conducts about 500 checks per year.

As a regulator, the CNIL authorises the processing of information regarding a subject's politics, philosophy, medical state and sexuality, genetics, offences, waiver of rights, combination, social security number, social difficulties and biometric data. The French authority also receives notifications relating to other processing.

ii General obligations for data handlers

Data controllers must comply with the five essential data protection principles set out below.[17]

Collection

Personal data must be collected and processed fairly and lawfully. Data should not be collected without the knowledge of the data subject. The data controller must provide the data subject with the information required by Article 32 of the Data Protection Law.

The data subject's consent must be obtained, except when the data processing, for example:
a complies with any legal obligation to which the data controller is subject;
b is necessary to protect the data subject's life;
c is necessary for the execution of either a contract to which the data subject is a party or steps taken at the request of the data subject before entering into a contract; or
d pursues a legitimate interest for the data controller or the data recipient, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject.

[3] National Commission on Computers and Civil Liberties.
[4] Resolution No. 2014-017 of 23 January 2014 establishing a standard for issuing endorsements of digital safety deposit boxes for secure data storage.
[5] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services (in particular electronic commerce) in the internal market.
[6] Directive 2002/58/EC of the European Parliament and Council of 12 July 2002 on processing personal data and protecting privacy in the electronic communications sector.
[7] Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy.
[8] Decree No. 2011-219 of 25 February 2011 on holding and communicating data to identify any person contributing to the creation of online content.
[9] Directive 2009/136/EC and Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009.
[10] Article 3 of the Data Protection Law.
[11] Article 2 of the Data Protection Law.
[12] Article 35 of the Data Protection Law.
[13] Article 35 of the Data Protection Law.
[14] Article 35 of the Data Protection Law.
[15] Article 8 of the Data Protection Law.
[16] Article 11 of the Data Protection Law.
[17] Articles 6, 7, 23, 24 and 32 of the Data Protection Law.
Processing

Data must be processed for specified, explicit and legitimate purposes. The legitimacy of the processing of personal data is assessed in particular in the light of French legislation and the data subject's individual rights. Data cannot subsequently be processed in a manner that is incompatible with such purposes. Nevertheless, further data processing for statistical, scientific and historical purposes may be considered legitimate.

Nature of processed data

Data must be adequate, relevant and not excessive in relation to the purposes for which it is obtained and further processed. Data must be accurate, complete and up to date.

Data storage

Data must be stored for a period no longer than is necessary for the purposes for which the data is collected and processed.

Requirements for processing data

The data controller must complete all necessary formalities before processing data. Data controllers called upon to process personal data must notify the CNIL. Simplified notifications can be communicated if the data processing complies with the relevant standard established and published by the CNIL. An authorisation application must be submitted to the CNIL in special cases, such as the processing of political, philosophical, medical and sexual information on a subject; genetic data; offences; waivers of a personal right; combinations; social security numbers; social difficulties; and biometrics. Moreover, data transfers outside the EU are generally subject to the authorisation procedure.

A data controller not established in France, or in any other EEA country, but who is using equipment in France to process personal data other than merely for the purposes of transit in France, has to appoint a representative in France.

Some data processing is exempt from formalities. This is true for any data processing subject to standards drawn up and published by the CNIL, or for processing for which the data controller has appointed a personal data protection officer charged with independently ensuring compliance with the obligations of the Data Protection Law, except for data transfers outside the European Union. Currently there are no legal requirements under French law to appoint a data protection officer, even if the CNIL strongly recommends this.

iii Technological innovation and privacy law

Anonymisation

Anonymous data does not fall within the scope of the French Data Protection Law. However, the CNIL considers that perfect anonymisation must be irreversible. This means that all information identifying an individual directly or indirectly is removed so that it will be impossible to re-identify this person. For example, the CNIL recommends generating a secret code that is long enough and difficult to memorise and applying a one-way function to the data.[18] The anonymisation of sensitive data is subject to the authorisation of the CNIL.[19]

Big data

Although such processing is not prohibited, the CNIL pays particular attention to big data processed for the purpose of marketing or tracking without the knowledge and the consent of the data subject. The CNIL is more especially concerned about connected objects, self-quantified data (data provided by the individuals themselves[20] but hosted by the data controller, who has access to sensitive data) and new devices that store a significant amount of data without security and confidentiality guarantees and without transparency for users.

Bring your own devices

The CNIL considers that the use by employees of personal devices at work presents a risk of breach of privacy for the employee and of the security of his or her data. The relevant data controller must take technical and practical measures to ensure the protection of employees' privacy and data.

Cloud computing

The CNIL considers that data subjects suffer from a lack of transparency on the part of cloud service providers, more especially in terms of security and transparency. According to the CNIL, data subjects generally do not know whether their data is transferred and to which country.

In June 2012, the CNIL published recommendations for companies planning to use cloud computing services:
a clearly identify the data and processing operations that will be hosted in the cloud;
b define your own requirements for technical and legal security;
c carry out a risk analysis to identify the security measures essential for the company;
d identify the relevant type of cloud for the planned processing;
e choose a service provider offering sufficient guarantees (in particular by assessing the level of protection provided by the service provider for the data processed);
f review the internal security policy; and
g monitor changes over time.

The CNIL also describes the essential items that should appear in a cloud computing service contract.

[18] 2010 Personal Data Security Guide.
[19] Article 8-III of the Data Protection Law.
[20] Device enabling measurement and analysis of your own personal data.
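The CNIL recommendation in subsection iii above (a secret code long enough and difficult to memorise, plus a one-way function) can be checked concretely. The block below is an added example, not the CNIL's guide or code from the chapter: it pseudonymises a constructed four-digit staff number with an unkeyed hash, with a two-digit secret and with a 256-bit secret, and runs the same re-identification check against each; the check succeeds for the first two and fails for the last.

```python
"""Keyed one-way pseudonymisation and the re-identification check that
shows why the secret must be long.  Added example; the identifier format,
the key sizes and the staff number are all constructed."""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

# Constructed sample: a 4-digit staff number, i.e. an identifier space of
# only 10,000 values that anyone can enumerate in full.
ID_SPACE = [f"{n:04d}" for n in range(10_000)]

# Constructed 'weak secret' space: every possible two-digit code.
WEAK_SECRET_SPACE = [f"{k:02d}".encode() for k in range(100)]


def naive_pseudonym(identifier: str) -> str:
    """One-way function with no secret: SHA-256 of the identifier alone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, secret: bytes) -> str:
    """One-way function keyed with a secret: HMAC-SHA256(secret, identifier)."""
    return hmac.new(secret, identifier.encode(), hashlib.sha256).hexdigest()


def generate_secret(nbytes: int = 32) -> bytes:
    """A secret 'long enough and difficult to memorise': 256 random bits."""
    return secrets.token_bytes(nbytes)


def reidentify(pseudonym: str, candidates: Iterable[str],
               secret: Optional[bytes] = None) -> Optional[str]:
    """Re-identification check: recompute the pseudonym for every candidate
    identifier (keyed with `secret`, or unkeyed when secret is None) and
    return the identifier that matches, or None if none does."""
    for cand in candidates:
        guess = (keyed_pseudonym(cand, secret) if secret is not None
                 else naive_pseudonym(cand))
        if hmac.compare_digest(guess, pseudonym):
            return cand
    return None


def reidentify_weak_secret(pseudonym: str, candidates: Iterable[str],
                           secret_space: Iterable[bytes]
                           ) -> Optional[Tuple[bytes, str]]:
    """The same check when the secret itself is short enough to enumerate:
    every (secret, identifier) pair is tried.  Returns the pair or None."""
    candidates = list(candidates)
    for sec in secret_space:
        for cand in candidates:
            if hmac.compare_digest(keyed_pseudonym(cand, sec), pseudonym):
                return sec, cand
    return None


if __name__ == "__main__":
    staff_no = "4242"
    # 1. Unkeyed hash: reversed by enumerating the 10,000 possible values.
    print("unkeyed        ->", reidentify(naive_pseudonym(staff_no), ID_SPACE))
    # 2. Two-digit secret: still reversed, because the key space is tiny.
    print("two-digit key  ->", reidentify_weak_secret(
        keyed_pseudonym(staff_no, b"07"), ID_SPACE, WEAK_SECRET_SPACE))
    # 3. 256-bit secret: enumeration without the key finds nothing.  Once
    #    the key is destroyed nobody, the controller included, can reverse
    #    the mapping, which is what makes the result irreversible.
    key = generate_secret()
    print("256-bit key    ->", reidentify(keyed_pseudonym(staff_no, key), ID_SPACE))
```

The check is one a controller can run on its own pseudonymisation design before treating the output as anonymous: if both the identifier space and the secret are small enough to enumerate, the one-way function adds nothing.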
Cookies and similar technologies

By Government Order No. 2011-1012 of 24 August 2011 on Electronic Communications, the Data Protection Law's new Article 32-II, which implements the European Telecoms Package directives regulating the use of cookies, was incorporated into French law. The CNIL published Resolution No. 2013-378 of 5 December 2013 adopting a recommendation on cookies and other trackers referred to in Article 32-II of the Data Protection Law. Accordingly, data subjects must be informed in a clear and comprehensive manner by the data controller. Moreover, data subjects must give their prior consent to the implementation of cookies within their device (computer, smartphone, tablet, etc.). Consent is not required for cookies exclusively intended to enable or facilitate communication by electronic means, or for cookies strictly necessary for the provision of an online communication service at the user's express request.

iv Specific regulatory areas

Whistle-blowing and biometric devices

Whistle-blowing procedures are subject to CNIL authorisation. The CNIL has published a standard (AU-004)[21] that allows data controllers to file a simplified notification if they comply with the framework provided by the CNIL standard. The scope of the standard is limited but has recently been extended by Resolution No. 2014-042 of 30 January 2014. This standard may encourage whistle-blowing procedures enabling the reporting of violations in the following areas: financial, accounting and banking information; the fight against corruption and anti-competitive practices; the fight against discrimination and harassment in the workplace; and health and safety and environmental protection.

Biometric devices identifying individuals by their behavioural, physical or biological characteristics are subject to special CNIL control and cannot be implemented without its prior authorisation. The French authority has published standards applicable to certain biometric devices that allow data controllers to file a simplified notification if they comply with the framework provided by the CNIL's standard. The CNIL has, for example, published standards relating to hand contour recognition to control workplace access[22] and fingerprint recognition to control workplace access.[23]

[21] Single Authorisation AU-004 adopted by Resolution No. 2005-305 of 8 December 2005 on single authorisation for automated processing of personal data implemented within whistle-blowing procedures.
[22] Single Authorisation AU-007 adopted by Resolution No. 2012-322 of 20 September 2012.
[23] Single Authorisation AU-008 adopted by Resolution No. 2006-102 of 27 April 2006.
Electronic marketing

Electronic marketing is regulated by the LCEN[24] and Decree No. 2011-219 of 25 February 2011[25] on the processing of identification, location and traffic data relating to persons creating online content. Electronic marketing is possible provided that consumers have given their explicit consent to be contacted at the time of collection of their e-mail address. Consent is not required if the consumer is already a customer of the company and if the products or services proposed to the consumer are similar to those already provided by the company. The customers concerned must, at the time of collection of their e-mail address, be informed that their e-mail address will be used for electronic marketing, and they must be able, freely and easily, to oppose the use of their e-mail address for this purpose. Two professional electronic marketing ethics codes have been recognised by the CNIL in accordance with the Data Protection Law.[26]

Health

Article L1111-8 of the Public Health Code provides that personal health data collected or produced during prevention, diagnosis or treatment activities must be hosted by accredited hosting providers. The Ministry of Health publishes the list of accredited hosting service providers. Foreign hosting providers may also be subject to the approval procedure.

IV INTERNATIONAL DATA TRANSFER

Data controllers may not transfer personal data to a country that is not a Member State of the European Union if the country is not considered, by the European Commission, as providing a sufficient level of protection of individuals' privacy, liberties and fundamental rights with regard to European standards.[27] There are various exemptions, including:[28]
a if the data subject has expressly consented to the transfer;
b if the transfer is necessary for the protection of the data subject's life or the protection of the public interest;
c if the transfer is necessary to meet obligations ensuring the establishment, exercise or defence of legal claims;
d if the transfer is necessary for the legal consultation, in accordance with legal conditions, of a public register that, according to legislative and regulatory provisions, is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
e if the transfer is necessary for the performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject's request;
f if the transfer is necessary for the conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject, between the data controller and a third party;
g if the EU's standard contractual clauses (Model Contracts) are used for the transfer of personal data;
h if the data controller has entered into binding corporate rules (BCRs);[29] or
i if the recipient of the data transferred is a company in the US self-certified under the US Safe Harbor scheme organised by the US Department of Commerce.

V COMPANY POLICIES AND PRACTICES

The drafting and updating of policies and practices is a sign of good management of personal data, taken into account by the CNIL in the event of checks or audits, provided they are in full compliance with applicable law and take into account both technological developments and the CNIL's evolving doctrine. It is particularly recommended that companies have:
a a personal data protection and privacy policy;
b a storage and archive policy;
c a process for the management of access rights;
d a register of personal data processing, including risk assessments;
e notices of information specific to each situation; and
f a code of conduct for good use of technology resources, internet and social media.

VI DISCOVERY AND DISCLOSURE

Any communication of information under discovery proceedings shall be in accordance with Article 23 of the Hague Convention of 18 March 1970 and Article 1b of Law No. 68-678 of 27 July 1968[30] (the French blocking statute). The French Data Protection Law applies, since the communication involves personal data processing and transfers of personal data outside the European Union.

[24] Law No. 2004-575 of 21 June 2004 on confidence in the digital economy.
[25] Decree No. 2011-219 of 25 February 2011 on holding and communicating data to identify anyone contributing to the creation of online content.
[26] Resolution No. 2005-51 of 30 March 2005 on review of a draft code of conduct introduced by the French Union for Direct Marketing on the use of electronic contact details for direct marketing, and Resolution No. 2005-47 of 22 March 2005 on review of a draft code of ethics presented by the National Union for Direct Communication on electronic direct communications.
[27] Article 68 of the Data Protection Law.
[28] Article 69 of the Data Protection Law.
[29] BCRs are internal rules developed by the Article 29 Working Party to govern international data transfers within companies or groups of companies.
[30] Created by Law No. 80-538 of 16 July 1980 on disclosure of documents or information on an economic, commercial, industrial and technical matter to individuals or foreign corporations.
As a result, depending on the circumstances, a notification or an application for authorisation to the CNIL is necessary. Discovery procedures must meet the following principles:
a legitimacy of processing and maintenance of professional secrecy;
b proportionality and adequacy of data (local data filtering);
c limited period of storage;
d security measures;
e provision of information to data subjects on their rights; and
f compliance with provisions relating to personal data transfers.

The CNIL has published recommendations regulating the e-discovery procedure.[31]

VII PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The CNIL is responsible for enforcing the French Data Protection Law. For this purpose, the CNIL may:[32]
a receive claims, petitions and complaints relating to the carrying out of the processing of personal data and inform the initiators of such actions of the decisions taken regarding them;
b respond to requests from public authorities and courts for an opinion, and advise individuals and bodies that set up or intend to set up automatic processing of personal data;
c immediately inform the Public Prosecutor of offences of which it has knowledge, and present its observations in criminal proceedings; and
d entrust one or several of its members or its general secretary to undertake, or have undertaken by staff members, audits and controls relating to any processing.

In the event of a breach, the Select Committee of the CNIL has the power to pronounce penalties after the due hearing of all parties,[33] such as:
a a warning to a data controller failing to comply with the obligations required by the Data Protection Law;
b financial penalties; or
c injunctions to cease processing.

If processing or using processed data leads to a violation of rights and liberties, the Select Committee may, after hearing both parties, initiate an emergency procedure to decide on suspending processing for a maximum period of three months.

[31] Resolution No. 2009-474 of 23 July 2009 on recommendations for the transfer of personal data within American discovery judicial procedures.
[32] Article 11 of the Data Protection Law.
[33] Article 45 of the Data Protection Law.
During the hearing of the parties by the Select Committee, data controllers may be represented by their attorney.

ii Recent enforcement cases

Examples of recent enforcement cases by the CNIL:

The search engine Google was fined €150,000 on 3 January 2014 for several breaches of the French Data Protection Law, including lack of information, unlimited period of storage and failure to obtain consent. Google has lodged an appeal with the French Council of State, which is the supreme court for administrative matters.

In order to help Google with its compliance efforts resulting from several sanctions imposed by various European national data protection authorities, including the CNIL's sanction referred to above, the Article 29 Working Party (the group of European data protection authorities) adopted and published a package of dedicated measures to achieve compliance with the applicable legal framework. The purpose of this compliance package is to offer specific and practical measures that could be implemented quickly by Google Inc to meet the requirements of the European data protection framework.

A diet coaching website was sanctioned on 26 June 2014 by the CNIL by a published warning for lack of information, lack of security and confidentiality of data and failure to cooperate with CNIL standards.

The CNIL orders about 500 audits per year and imposes more than 10 penalties per year.

VIII CONSIDERATIONS FOR FOREIGN ORGANISATIONS

The Data Protection Law applies to the processing of personal data if the data controller is established on French territory. Data controllers operating within an establishment, whatever its legal form, are considered to be on French territory.[34]

The Data Protection Law also applies to the processing of personal data if the data controller (even if it is not French or is situated in any other Member State of the European Union) uses a means of processing located on French territory, unless the processing is merely for the purposes of transit through this territory or that of any other Member State of the European Union. In such cases, data controllers shall notify the CNIL of the appointment of a representative established on French territory who will represent them for the fulfilment of the duties required by the Data Protection Law.

IX CYBERSECURITY AND DATA BREACHES

Cybersecurity of industrial control systems: vital operators

Law No. 2013-1168 of 18 December 2013 on military planning for the years 2014 to 2019 and various provisions relating to defence and national security (the 2013 Military Planning Law)[35] provides that it is the responsibility of the state to ensure adequate security of vital operators' critical systems. The state must:
a determine obligations, such as the prohibition of certain systems connected to the internet;
b implement detection systems by providers certified by the state;
c check the security level of critical information systems using an audit system; and
d in the event of a major crisis, impose the necessary measures on operators.

Vital operators are required to report incidents to the relevant authorities, to give advance warning to companies potentially affected by the same type of attack.[36]

Cyber attacks have been identified as one of the main threats to national territory by the French White Paper on Defence and National Security, published on 17 June 2008. The French Network and Information Security Agency (ANSSI), under the authority of the Prime Minister and the auspices of the Secretary General for National Defence, has published key measures to improve the cybersecurity of industrial control systems. The ANSSI specifies that the two documents[37] will serve as a basis for elaborating the rules required by the 2013 Military Planning Law.

Administrative access to information and connection data for the purpose of investigation

The 2013 Military Planning Law[38] provides that the intelligence services of the Ministries of Defence, the Interior, the Economy and the Ministry for the Budget may access personal information and connection data (including the location of mobile terminals, such as smartphones, in real time) stored by electronic communications operators, ISPs and hosts, for the following reasons:
a searching for information relating to national security;
b safeguarding essential elements of France's scientific and economic potential; and
c the prevention of terrorism, organised crime and the rebuilding or maintaining of dissolved groups.

[34] Article 5 of the Data Protection Law.
Breach of security: public electronic communication services

Article 38 of Government Order No. 2011-1012 of 24 August 2011 implementing the European Telecom Package directives[39] provides that security breaches (any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure or unauthorised access to personal data processed in the context of providing electronic communication services to the public) should be immediately notified to the CNIL. Only providers to the public of electronic communication services using electronic communication networks with open public access are concerned by this new requirement. They must establish an inventory of violations and keep it available to the CNIL. Article 34 b, created by Government Order No. 2011-1012, provides that if a violation is likely to breach personal data security or the privacy of a subscriber or any other individual, the provider shall also immediately notify the party affected.

Criminal penalties for cybersecurity attacks

The Criminal Code lays down penalties for cybersecurity offences. For example, Article 226-4-1 of the Criminal Code, created by a law of 14 March 2011, renders digital identity theft liable to one year in prison and a €15,000 fine. Moreover, Article 323-1 of the Criminal Code penalises unauthorised access to a computer system by two years' imprisonment and a fine of €30,000.

X OUTLOOK

The legislative framework is not sufficient to ensure the protection of personal data. New concepts are emerging to strengthen the protection of privacy and personal data. Privacy by design, for example, aims to integrate personal data protection from the outset in terms of technology, internal practices and physical infrastructure. Moreover, the main players in areas of new technology are currently working on the development of codes for cloud computing services. It has been observed that protecting personal data and privacy is becoming a competitive issue for companies seeking to differentiate themselves via this guarantee of quality.

[35] Articles L2321-1 et seq. of the Defence Code; Articles L1332-6-1 et seq. of the Defence Code.
[36] Article L1332-6-2 of the Defence Code.
[37] One describes a classification method for industrial control systems and key measures to improve their cybersecurity; the other gives a more in-depth description of applicable cybersecurity measures.
[38] Article L. 246-1 et seq. of the Homeland Security Code.
[39] Directive 2009/136/EC and Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009.
DUNAUD CLARENC COMBLES & ASSOCIÉS
4 avenue Hoche
75008 Paris
France
Tel: +33 1 43 18 83 95
Fax: +33 1 40 54 05 15
merav.griguer@dcc-associes.com
www.dcc-associes.com

MERAV GRIGUER
Dunaud Clarenc Combles & Associés

Merav Griguer is a partner at Dunaud Clarenc Combles & Associés. Ms Griguer's practice includes personal data protection and privacy, audit and compliance, control procedures and litigation before the French data protection authority (CNIL), big data, online reputation, e-commerce, cybersecurity and WIPO arbitration. Further, Ms Griguer has experience in the following sectors: banking and insurance; the pharmaceuticals and cosmetics industry; the medical industry; metallurgy; luxury products; and media, communications and the internet.