SlideShare a Scribd company logo

French Digital Republic Act

Jan Dhont
Jan Dhont

The French Digital Republic Act gives new powers to the French data protection authority (DPA). It allows the DPA to issue fines up to €3 million for violations of data protection law, which may increase to €20 million under the GDPR. It also provides the DPA new oversight powers related to encryption and anonymization standards. Additionally, the act establishes several new individual rights for French citizens relating to access, rectification, erasure, and portability of their personal data.

1 of 4
Download to read offline
WWW.ALSTON.COM This advisory is published by Alston & Bird LLP to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions. Privacy & Data Security ADVISORY n OCTOBER 25, 2016 The French Digital Republic Act Gives New Powers to the French DPA by Jan Dhont, Jim Harvey, David Keating and Delphine Charlot On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely publicized consultation process. The Act amends the French Data Protection Act and modifies French law in various domains, including consumer protection, electronic payment services, medical research and intellectual property. The Act constitutes a first step in the implementation of the General Data Protection Regulation (GDPR), which will apply in all EU member states beginning May 25, 2018. The Act in particular establishes new rights for individuals and new powers for the French data protection authority (DPA). Further modifications of the French Data Protection Act implementing the GDPR are forthcoming. CNIL’s New Powers Encryption and anonymization The French DPA (CNIL) is charged with overseeing and promoting the development of encryption technologies. Furthermore, it may create, approve or publish anonymization standards. Interestingly, the Act’s emphasis on security was complemented by industry efforts, as demonstrated by a recent agreement of French telecom operators on the use of encryption for the storage of electronic communications. Sanctions The CNIL may issue financial sanctions of up to €3 million for infringements of the French Data Protection Act. It is expected that this limit will be raised to €20 million when the GDPR is fully implemented in France. Importantly, the Act implements the provisions of the GDPR pertaining to the criteria DPAs may take into account in determiningsanctions.Morespecifically,undertheAct,theCNILmaytakeintoaccount(1)theintentionalornegligent character of the infringement; (2) measures adopted to mitigate the damage to the individuals; (3) the extent to which the infringer has cooperated with the CNIL; (4) the categories of personal data affected by the infringement; and (5) the manner in which the infringement became known to the CNIL. The procedure for issuing sanctions under the French Data Protection Act has been slightly modified, as companies may be sanctioned without the prior issuance of an injunction in cases where the infringement may not be remedied. Such cases will most likely be specified in the upcoming implementing decrees.
WWW.ALSTON.COM 2 Cooperation with other DPAs The CNIL may audit companies on behalf of a DPA from a country outside the EU that offers an equivalent level of data protection. The CNIL must enter into an agreement that defines the terms of the collaboration with the DPA. NewRightsforIndividuals Right of self-determination The Act provides that any individual has the right to decide and control the use of his or her personal data. In its comment on the Act, the CNIL highlighted that this provision is inspired by the German constitutional right of informational self-determination. Right of access and rectification The Act does not significantly modify the procedure for individuals to access or rectify their personal data. The Act makes it clear, however, that when the data is collected through electronic means, individuals are entitled to make an electronic request for access, rectification or erasure of their personal data. Right to be forgotten Anindividualhasarighttoobtaintheerasureofpersonaldataifthedatawascollectedinthecontextofaninformation service and he or she was a minor at the time of collection. Companiesmustimplementthisrightwithinonemonthfollowingaspecificrequestforerasure.Inaddition,theymust make reasonable efforts to inform data controllers to whom they have disclosed the data of the request for erasure. Specific exceptions may apply, including when a company needs the personal data for compliance with a legal obligation or litigation purposes. Data portability The Act does not introduce provisions on data portability into the French Data Protection Act. Rather, it modifies the French Consumer Code to provide for data portability and makes a clear reference to the direct application of the GDPR’s provisions on data portability. Consumers have a right to“retrieve”the entirety of their personal data in the systems of any online service provider. More specifically, online service providers must implement a feature by which consumers may obtain files that have been published online, data that users may access on their profiles, and other types of personal data associated with a user account. In determining whether such other types of personal data are subject to the data portability right, the online service provider will consider whether the data is necessary for the migration of the data to another online service provider, as well as the economic impact of the concerned services, the intensity of the competition between the providers and other financial considerations. Therighttodataportabilityisnotabsoluteandmaybelimitedif,forinstance,portabilityinterfereswiththeprotection of business secrets and intellectual and industrial property, or if the data constitutes a “significant enrichment” for the provider the data is being transferred from. The conditions establishing such “significant enrichment” will be defined in a decree.
WWW.ALSTON.COM 3 Notice requirements TheActaddsnewnoticeelementsinlinewiththeGDPR.Morespecifically,privacynoticesmustindicateapplicabledata retention periods, or where it is not possible to define a specific period, the criteria used to determine such periods. A specific provision—which constitutes a particularity of French law—requires that notices clarify that individuals are entitled to give instructions regarding the handling of their personal data after their death. Rights of the deceased A detailed process is in place for individuals to exercise control over their data after their death. Individuals may give general instructions that will apply to the entirety of their personal data or specific instructions for certain sets of personal data. The French Digital Republic Act is available (in French) here. The CNIL’s press release on the bill is available (in French) here. A summary description of the French Digital Republic Act is available (in English) here.
4 © ALSTON & BIRD LLP 2016 ATLANTA: One Atlantic Center  n  1201 West Peachtree Street  n  Atlanta, Georgia, USA, 30309-3424  n 404.881.7000 n  Fax: 404.881.7777 BEIJING: Hanwei Plaza West Wing  n  Suite 21B2  n  No. 7 Guanghua Road  n  Chaoyang District  n  Beijing, 100004 CN  n  +86 10 8592 7500 BRUSSELS: Level 20 Bastion Tower  n  Place du Champ de Mars  n  B-1050 Brussels, BE  n  +32 2 550 3700  n  Fax: +32 2 550 3719 CHARLOTTE: Bank of America Plaza  n  101 South Tryon Street  n  Suite 4000  n  Charlotte, North Carolina, USA, 28280-4000  n 704.444.1000  n  Fax: 704.444.1111 DALLAS: 2828 North Harwood Street  n  18th Floor  n  Dallas, Texas, USA, 75201  n 214.922.3400 n  Fax: 214.922.3899 LOS ANGELES: 333 South Hope Street  n  16th Floor  n  Los Angeles, California, USA, 90071-3004  n 213.576.1000 n  Fax: 213.576.1100 NEW YORK: 90 Park Avenue  n  15th Floor  n  NewYork, NewYork, USA, 10016-1387  n 212.210.9400 n  Fax: 212.210.9444 RESEARCH TRIANGLE: 4721 Emperor Blvd.  n  Suite 400  n  Durham, North Carolina, USA, 27703-85802  n 919.862.2200  n  Fax: 919.862.2260 SILICON VALLEY: 1950 University Avenue  n  5th Floor   n  East Palo Alto, CA 94303-2282  n 650.838.2000 n  Fax: 650.838.2001 WASHINGTON, DC: The Atlantic Building  n  950 F Street, NW  n  Washington, DC, USA, 20004-1404  n 202.239.3300 n  Fax: 202.239.3333 If you would like to receive future Privacy & Data Security Advisories electronically, please forward your contact information to privacy.post@alston.com. Be sure to put“subscribe”in the subject line. If you have any questions or would like additional information, please contact your Alston & Bird attorney or one of the following: WWW.ALSTON.COM 4 Members of Alston & Bird’s Privacy & Data Security Group William H. Jordan 404.881.7850 202.756.3494 bill.jordan@alston.com W. Scott Kitchens 404.881.4955 scott.kitchens@alston.com John L. Latham 404.881.7915 john.latham@alston.com Dawnmarie R. Matlock 404.881.4253 dawnmarie.matlock@alston.com Kimberly Kiefer Peretti 202.239.3720 kimberly.peretti@alston.com T.C. Spencer Pryor 404.881.7978 spence.pryor@alston.com Karen M. Sanzaro 202.239.3719 karen.sanzaro@alston.com Dominique R. Shelton 213.576.1170 dominique.shelton@alston.com Paula M. Stannard 202.239.3626 paula.stannard@alston.com David M. Stein 213.576.1063 david.stein@alston.com Brian Stimson 404.881.4972 brian.stimson@alston.com Peter Swire 240.994.4142 peter.swire@alston.com Daniel G. Taylor 404.881.7567 dan.taylor@alston.com Jeffrey E. Tsai 650.838.2095 213.576.2608 jeff.tsai@alston.com Katherine M. Wallace 404.881.4706 katherine.wallace@alston.com Michael Zweiback 213.576.1186 michael.zweiback@alston.com James A. Harvey 404.881.7328 jim.harvey@alston.com David C. Keating 404.881.7355 202.239.3921 david.keating@alston.com Kristine McAlister Brown 404.881.7584 kristy.brown@alston.com Angela T. Burnette 404.881.7665 angie.burnette@alston.com Lisa H. Cassilly 404.881.7945 212.905.9155 lisa.cassilly@alston.com Cari K. Dawson 404.881.7766 cari.dawson@alston.com Jan Dhont +32 2 550 3709 jan.dhont@alston.com Derin B. Dickerson 404.881.7454 derin.dickerson@alston.com Clare H. Draper IV 404.881.7191 clare.draper@alston.com Christina Hull Eikhoff 404.881.4496 christy.eikhoff@alston.com Sarah Ernst 404.881.4940 sarah.ernst@alston.com Jon Filipek +32 2 550 3754 jon.filipek@alston.com Peter K. Floyd 404.881.4510 peter.floyd@alston.com Daniel Gerst 213.576.2528 daniel.gerst@alston.com Jonathan M. Gordon 213.576.1165 jonathan.gordon@alston.com Elizabeth Helmer 404.881.4724 elizabeth.helmer@alston.com John R. Hickman 404.881.7885 john.hickman@alston.com Donald Houser 404.881.4749 donald.houser@alston.com Follow us: On Twitter @AlstonPrivacy On our blog – www.AlstonPrivacy.com

Recommended

FOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesFOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesbjknight
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018TRA - Tax Representative Alliance
 
scce-cep-2015-06-Dhont-1-04
scce-cep-2015-06-Dhont-1-04scce-cep-2015-06-Dhont-1-04
scce-cep-2015-06-Dhont-1-04Jan Dhont
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake Morgan
 

Recommended

FOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesFOI reply from MoJ regarding meetings between Grayling and BFG representatives
FOI reply from MoJ regarding meetings between Grayling and BFG representativesbjknight
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands legalandgeneral
 
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018
"The EU General Data Protection Regulation: GDPR" - TRA Annual Meeting 2018TRA - Tax Representative Alliance
 
scce-cep-2015-06-Dhont-1-04
scce-cep-2015-06-Dhont-1-04scce-cep-2015-06-Dhont-1-04
scce-cep-2015-06-Dhont-1-04Jan Dhont
 
GDPR - A practical guide
GDPR - A practical guideGDPR - A practical guide
GDPR - A practical guideAngad Dayal
 
Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Practical Guide to GDPR 2017
Practical Guide to GDPR 2017Dryden Geary
 
GDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisGDPR A Practical Guide with Varonis
GDPR A Practical Guide with VaronisAngad Dayal
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake lapthorn In House Lawyer forum - 11 Sept 2012Blake Morgan
 
Research and The Law
Research and The LawResearch and The Law
Research and The LawMichael Bromby
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?Gabrielė Songin
 
GDPR Information
GDPR InformationGDPR Information
GDPR InformationOxford City Council
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORTMartina Lindblad
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
Evertio Schrems II
Evertio Schrems IIEvertio Schrems II
Evertio Schrems IIFanny Surjana
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR"John "Jeb"" Beckwith
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR"John "Jeb"" Beckwith
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...LJ Gilland Real Estate Pty Ltd
 
Breve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cineseBreve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cineseEdoardo Ferraro
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataIAB Europe
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?VILT
 
The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016Matheson Law Firm
 
Pbm snr denton nick_graham
Pbm snr denton nick_grahamPbm snr denton nick_graham
Pbm snr denton nick_grahammobilesquared Ltd
 
Tangible Data Protection White Paper
Tangible Data Protection White PaperTangible Data Protection White Paper
Tangible Data Protection White PaperNick Banbury
 
Privacy Policy Primer
Privacy Policy PrimerPrivacy Policy Primer
Privacy Policy PrimerKurt Edelbrock
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Aurélie Pols
 
Memorias Avanzado[1]
Memorias Avanzado[1]Memorias Avanzado[1]
Memorias Avanzado[1]guesta4a90
 
Drogas no gracias
Drogas no graciasDrogas no gracias
Drogas no graciasBenjamín González
 

More Related Content

What's hot

GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookPlr-Printables
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyKate Chan
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...John Nas
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...LJ Gilland Real Estate Pty Ltd
 
Breve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cineseBreve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cineseEdoardo Ferraro
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataIAB Europe
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?VILT
 
The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016Matheson Law Firm
 
Tangible Data Protection White Paper
Tangible Data Protection White PaperTangible Data Protection White Paper
Tangible Data Protection White PaperNick Banbury
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsThe Economist Media Businesses
 
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Aurélie Pols
 

What's hot (20)

Research and The Law
Research and The LawResearch and The Law
Research and The Law
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
No Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data PrivacyNo Man is an Island: The Battle for Data Privacy
No Man is an Island: The Battle for Data Privacy
 
Are you compliant?
Are you compliant?Are you compliant?
Are you compliant?
 
GDPR Information
GDPR InformationGDPR Information
GDPR Information
 
FINAL REPORT
FINAL REPORTFINAL REPORT
FINAL REPORT
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
 
Evertio Schrems II
Evertio Schrems IIEvertio Schrems II
Evertio Schrems II
 
Fasten Your Belts for #GDPR
Fasten Your Belts for #GDPRFasten Your Belts for #GDPR
Fasten Your Belts for #GDPR
 
Fasten Your Belts for GDPR
Fasten Your Belts for GDPRFasten Your Belts for GDPR
Fasten Your Belts for GDPR
 
By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...By 23 February 2018 we will have new mandatory data breach reporting obligati...
By 23 February 2018 we will have new mandatory data breach reporting obligati...
 
Breve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cineseBreve sintesi della "Personal Information Protection Law" cinese
Breve sintesi della "Personal Information Protection Law" cinese
 
GIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal DataGIG Working Paper 02/2017 - The Definition of Personal Data
GIG Working Paper 02/2017 - The Definition of Personal Data
 
GDPR - Are you ready?
GDPR - Are you ready?GDPR - Are you ready?
GDPR - Are you ready?
 
The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016The International Comparative Legal Guide to: Data Protection 2016
The International Comparative Legal Guide to: Data Protection 2016
 
Pbm snr denton nick_graham
Pbm snr denton nick_grahamPbm snr denton nick_graham
Pbm snr denton nick_graham
 
Tangible Data Protection White Paper
Tangible Data Protection White PaperTangible Data Protection White Paper
Tangible Data Protection White Paper
 
Privacy Policy Primer
Privacy Policy PrimerPrivacy Policy Primer
Privacy Policy Primer
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)Spain is responsible for 80% of European Data Protection fines. (on page 3)
Spain is responsible for 80% of European Data Protection fines. (on page 3)
 

Viewers also liked

Memorias Avanzado[1]
Memorias Avanzado[1]Memorias Avanzado[1]
Memorias Avanzado[1]guesta4a90
 
Ericsson ConsumerLab: Smartphone Usage Experience Report
Ericsson ConsumerLab: Smartphone Usage Experience ReportEricsson ConsumerLab: Smartphone Usage Experience Report
Ericsson ConsumerLab: Smartphone Usage Experience ReportEricsson
 
#Xm@s Marketing Checklist (website, e-mail, promotions)
#Xm@s Marketing Checklist (website, e-mail, promotions)#Xm@s Marketing Checklist (website, e-mail, promotions)
#Xm@s Marketing Checklist (website, e-mail, promotions)Ewa Sámek
 
7 Tools for your Puppetized Devops stack
7 Tools for your Puppetized Devops stack7 Tools for your Puppetized Devops stack
7 Tools for your Puppetized Devops stackKris Buytaert
 
TEGNOLOGIA INNOVACION
TEGNOLOGIA INNOVACIONTEGNOLOGIA INNOVACION
TEGNOLOGIA INNOVACIONdiego diaz
 
Polish Saturday School employment
Polish Saturday School employment Polish Saturday School employment
Polish Saturday School employment Karolina Forbes
 
Paridera del parque
Paridera del parqueParidera del parque
Paridera del parqueiesmonreal
 
Seminario Concon
Seminario ConconSeminario Concon
Seminario Conconguestef05b7
 
School objects teacher Helena (Clase de los Marcianitos)
School objects teacher Helena (Clase de los Marcianitos)School objects teacher Helena (Clase de los Marcianitos)
School objects teacher Helena (Clase de los Marcianitos)María Dolores López Yustres
 
Zoom Interiors by Egger & DixiePly
Zoom Interiors by Egger & DixiePlyZoom Interiors by Egger & DixiePly
Zoom Interiors by Egger & DixiePlyRafael A. Caprile
 
Telered.com.es
Telered.com.esTelered.com.es
Telered.com.espuchi286
 
Firefox OS - Answering global challenges
Firefox OS - Answering global challengesFirefox OS - Answering global challenges
Firefox OS - Answering global challengesChristian Heilmann
 
21 Spieltag Ausfall Hockenheim
21 Spieltag Ausfall Hockenheim21 Spieltag Ausfall Hockenheim
21 Spieltag Ausfall Hockenheimguest02f2f9af
 
Arquitectos & Ingenieros Ejemplo
Arquitectos & Ingenieros EjemploArquitectos & Ingenieros Ejemplo
Arquitectos & Ingenieros EjemploEduardo Hdz
 
Figures geometriques
Figures geometriquesFigures geometriques
Figures geometriquescatifel
 

Viewers also liked (20)

Memorias Avanzado[1]
Memorias Avanzado[1]Memorias Avanzado[1]
Memorias Avanzado[1]
 
Drogas no gracias
Drogas no graciasDrogas no gracias
Drogas no gracias
 
Ericsson ConsumerLab: Smartphone Usage Experience Report
Ericsson ConsumerLab: Smartphone Usage Experience ReportEricsson ConsumerLab: Smartphone Usage Experience Report
Ericsson ConsumerLab: Smartphone Usage Experience Report
 
Micro 10
Micro 10Micro 10
Micro 10
 
#Xm@s Marketing Checklist (website, e-mail, promotions)
#Xm@s Marketing Checklist (website, e-mail, promotions)#Xm@s Marketing Checklist (website, e-mail, promotions)
#Xm@s Marketing Checklist (website, e-mail, promotions)
 
7 Tools for your Puppetized Devops stack
7 Tools for your Puppetized Devops stack7 Tools for your Puppetized Devops stack
7 Tools for your Puppetized Devops stack
 
TEGNOLOGIA INNOVACION
TEGNOLOGIA INNOVACIONTEGNOLOGIA INNOVACION
TEGNOLOGIA INNOVACION
 
Polish Saturday School employment
Polish Saturday School employment Polish Saturday School employment
Polish Saturday School employment
 
Paridera del parque
Paridera del parqueParidera del parque
Paridera del parque
 
Seminario Concon
Seminario ConconSeminario Concon
Seminario Concon
 
School objects teacher Helena (Clase de los Marcianitos)
School objects teacher Helena (Clase de los Marcianitos)School objects teacher Helena (Clase de los Marcianitos)
School objects teacher Helena (Clase de los Marcianitos)
 
Zoom Interiors by Egger & DixiePly
Zoom Interiors by Egger & DixiePlyZoom Interiors by Egger & DixiePly
Zoom Interiors by Egger & DixiePly
 
Logback
LogbackLogback
Logback
 
Telered.com.es
Telered.com.esTelered.com.es
Telered.com.es
 
Firefox OS - Answering global challenges
Firefox OS - Answering global challengesFirefox OS - Answering global challenges
Firefox OS - Answering global challenges
 
Cultura
CulturaCultura
Cultura
 
21 Spieltag Ausfall Hockenheim
21 Spieltag Ausfall Hockenheim21 Spieltag Ausfall Hockenheim
21 Spieltag Ausfall Hockenheim
 
Arquitectos & Ingenieros Ejemplo
Arquitectos & Ingenieros EjemploArquitectos & Ingenieros Ejemplo
Arquitectos & Ingenieros Ejemplo
 
Figures geometriques
Figures geometriquesFigures geometriques
Figures geometriques
 
Tribus urbanas
Tribus urbanasTribus urbanas
Tribus urbanas
 

Similar to French Digital Republic Act

The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...Symantec
 
Implementation of the French Sunshine Act: one Year on
Implementation of the French Sunshine Act: one Year onImplementation of the French Sunshine Act: one Year on
Implementation of the French Sunshine Act: one Year onDaniel Kadar
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingJes Breslaw
 
Forensic Science Informatics Computers & The Law Powerpoint
Forensic Science Informatics Computers & The Law PowerpointForensic Science Informatics Computers & The Law Powerpoint
Forensic Science Informatics Computers & The Law PowerpointSteve Bishop
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPRTim Hyman LLB
 
Gdpr and usa data privacy issues
Gdpr and usa data privacy issuesGdpr and usa data privacy issues
Gdpr and usa data privacy issuesStefan Schippers
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.Matthias Dobbelaere-Welvaert
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012lilianedwards
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection ActYizi
 
Legislation
LegislationLegislation
Legislationmegabyte
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRJenny Ferguson
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataRenato Monteiro
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. dan hyde
 

Similar to French Digital Republic Act (20)

The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...The Evolution of Data Privacy - A Symantec Information Security Perspective o...
The Evolution of Data Privacy - A Symantec Information Security Perspective o...
 
Implementation of the French Sunshine Act: one Year on
Implementation of the French Sunshine Act: one Year onImplementation of the French Sunshine Act: one Year on
Implementation of the French Sunshine Act: one Year on
 
Data protection
Data protectionData protection
Data protection
 
delphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-maskingdelphix-wp-gdpr-for-data-masking
delphix-wp-gdpr-for-data-masking
 
Forensic Science Informatics Computers & The Law Powerpoint
Forensic Science Informatics Computers & The Law PowerpointForensic Science Informatics Computers & The Law Powerpoint
Forensic Science Informatics Computers & The Law Powerpoint
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
Gdpr and usa data privacy issues
Gdpr and usa data privacy issuesGdpr and usa data privacy issues
Gdpr and usa data privacy issues
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
GPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-RightGPDR_Get-Data-Protection-Right
GPDR_Get-Data-Protection-Right
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
 
Draft data protection regn 2012
Draft data protection regn 2012Draft data protection regn 2012
Draft data protection regn 2012
 
Data Protection Act
Data Protection ActData Protection Act
Data Protection Act
 
Legislation
LegislationLegislation
Legislation
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
How to Protect Your Data
How to Protect Your DataHow to Protect Your Data
How to Protect Your Data
 
Draft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal DataDraft Bill on the Protection of Personal Data
Draft Bill on the Protection of Personal Data
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 

French Digital Republic Act

  • 1. WWW.ALSTON.COM This advisory is published by Alston & Bird LLP to provide a summary of significant developments to our clients and friends. It is intended to be informational and does not constitute legal advice regarding any specific situation. This material may also be considered attorney advertising under court rules of certain jurisdictions. Privacy & Data Security ADVISORY n OCTOBER 25, 2016 The French Digital Republic Act Gives New Powers to the French DPA by Jan Dhont, Jim Harvey, David Keating and Delphine Charlot On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely publicized consultation process. The Act amends the French Data Protection Act and modifies French law in various domains, including consumer protection, electronic payment services, medical research and intellectual property. The Act constitutes a first step in the implementation of the General Data Protection Regulation (GDPR), which will apply in all EU member states beginning May 25, 2018. The Act in particular establishes new rights for individuals and new powers for the French data protection authority (DPA). Further modifications of the French Data Protection Act implementing the GDPR are forthcoming. CNIL’s New Powers Encryption and anonymization The French DPA (CNIL) is charged with overseeing and promoting the development of encryption technologies. Furthermore, it may create, approve or publish anonymization standards. Interestingly, the Act’s emphasis on security was complemented by industry efforts, as demonstrated by a recent agreement of French telecom operators on the use of encryption for the storage of electronic communications. Sanctions The CNIL may issue financial sanctions of up to €3 million for infringements of the French Data Protection Act. It is expected that this limit will be raised to €20 million when the GDPR is fully implemented in France. Importantly, the Act implements the provisions of the GDPR pertaining to the criteria DPAs may take into account in determiningsanctions.Morespecifically,undertheAct,theCNILmaytakeintoaccount(1)theintentionalornegligent character of the infringement; (2) measures adopted to mitigate the damage to the individuals; (3) the extent to which the infringer has cooperated with the CNIL; (4) the categories of personal data affected by the infringement; and (5) the manner in which the infringement became known to the CNIL. The procedure for issuing sanctions under the French Data Protection Act has been slightly modified, as companies may be sanctioned without the prior issuance of an injunction in cases where the infringement may not be remedied. Such cases will most likely be specified in the upcoming implementing decrees.
  • 2. WWW.ALSTON.COM 2 Cooperation with other DPAs The CNIL may audit companies on behalf of a DPA from a country outside the EU that offers an equivalent level of data protection. The CNIL must enter into an agreement that defines the terms of the collaboration with the DPA. NewRightsforIndividuals Right of self-determination The Act provides that any individual has the right to decide and control the use of his or her personal data. In its comment on the Act, the CNIL highlighted that this provision is inspired by the German constitutional right of informational self-determination. Right of access and rectification The Act does not significantly modify the procedure for individuals to access or rectify their personal data. The Act makes it clear, however, that when the data is collected through electronic means, individuals are entitled to make an electronic request for access, rectification or erasure of their personal data. Right to be forgotten Anindividualhasarighttoobtaintheerasureofpersonaldataifthedatawascollectedinthecontextofaninformation service and he or she was a minor at the time of collection. Companiesmustimplementthisrightwithinonemonthfollowingaspecificrequestforerasure.Inaddition,theymust make reasonable efforts to inform data controllers to whom they have disclosed the data of the request for erasure. Specific exceptions may apply, including when a company needs the personal data for compliance with a legal obligation or litigation purposes. Data portability The Act does not introduce provisions on data portability into the French Data Protection Act. Rather, it modifies the French Consumer Code to provide for data portability and makes a clear reference to the direct application of the GDPR’s provisions on data portability. Consumers have a right to“retrieve”the entirety of their personal data in the systems of any online service provider. More specifically, online service providers must implement a feature by which consumers may obtain files that have been published online, data that users may access on their profiles, and other types of personal data associated with a user account. In determining whether such other types of personal data are subject to the data portability right, the online service provider will consider whether the data is necessary for the migration of the data to another online service provider, as well as the economic impact of the concerned services, the intensity of the competition between the providers and other financial considerations. Therighttodataportabilityisnotabsoluteandmaybelimitedif,forinstance,portabilityinterfereswiththeprotection of business secrets and intellectual and industrial property, or if the data constitutes a “significant enrichment” for the provider the data is being transferred from. The conditions establishing such “significant enrichment” will be defined in a decree.
  • 3. WWW.ALSTON.COM 3 Notice requirements TheActaddsnewnoticeelementsinlinewiththeGDPR.Morespecifically,privacynoticesmustindicateapplicabledata retention periods, or where it is not possible to define a specific period, the criteria used to determine such periods. A specific provision—which constitutes a particularity of French law—requires that notices clarify that individuals are entitled to give instructions regarding the handling of their personal data after their death. Rights of the deceased A detailed process is in place for individuals to exercise control over their data after their death. Individuals may give general instructions that will apply to the entirety of their personal data or specific instructions for certain sets of personal data. The French Digital Republic Act is available (in French) here. The CNIL’s press release on the bill is available (in French) here. A summary description of the French Digital Republic Act is available (in English) here.
  • 4. 4 © ALSTON & BIRD LLP 2016 ATLANTA: One Atlantic Center  n  1201 West Peachtree Street  n  Atlanta, Georgia, USA, 30309-3424  n 404.881.7000 n  Fax: 404.881.7777 BEIJING: Hanwei Plaza West Wing  n  Suite 21B2  n  No. 7 Guanghua Road  n  Chaoyang District  n  Beijing, 100004 CN  n  +86 10 8592 7500 BRUSSELS: Level 20 Bastion Tower  n  Place du Champ de Mars  n  B-1050 Brussels, BE  n  +32 2 550 3700  n  Fax: +32 2 550 3719 CHARLOTTE: Bank of America Plaza  n  101 South Tryon Street  n  Suite 4000  n  Charlotte, North Carolina, USA, 28280-4000  n 704.444.1000  n  Fax: 704.444.1111 DALLAS: 2828 North Harwood Street  n  18th Floor  n  Dallas, Texas, USA, 75201  n 214.922.3400 n  Fax: 214.922.3899 LOS ANGELES: 333 South Hope Street  n  16th Floor  n  Los Angeles, California, USA, 90071-3004  n 213.576.1000 n  Fax: 213.576.1100 NEW YORK: 90 Park Avenue  n  15th Floor  n  NewYork, NewYork, USA, 10016-1387  n 212.210.9400 n  Fax: 212.210.9444 RESEARCH TRIANGLE: 4721 Emperor Blvd.  n  Suite 400  n  Durham, North Carolina, USA, 27703-85802  n 919.862.2200  n  Fax: 919.862.2260 SILICON VALLEY: 1950 University Avenue  n  5th Floor   n  East Palo Alto, CA 94303-2282  n 650.838.2000 n  Fax: 650.838.2001 WASHINGTON, DC: The Atlantic Building  n  950 F Street, NW  n  Washington, DC, USA, 20004-1404  n 202.239.3300 n  Fax: 202.239.3333 If you would like to receive future Privacy & Data Security Advisories electronically, please forward your contact information to privacy.post@alston.com. Be sure to put“subscribe”in the subject line. If you have any questions or would like additional information, please contact your Alston & Bird attorney or one of the following: WWW.ALSTON.COM 4 Members of Alston & Bird’s Privacy & Data Security Group William H. Jordan 404.881.7850 202.756.3494 bill.jordan@alston.com W. Scott Kitchens 404.881.4955 scott.kitchens@alston.com John L. Latham 404.881.7915 john.latham@alston.com Dawnmarie R. Matlock 404.881.4253 dawnmarie.matlock@alston.com Kimberly Kiefer Peretti 202.239.3720 kimberly.peretti@alston.com T.C. Spencer Pryor 404.881.7978 spence.pryor@alston.com Karen M. Sanzaro 202.239.3719 karen.sanzaro@alston.com Dominique R. Shelton 213.576.1170 dominique.shelton@alston.com Paula M. Stannard 202.239.3626 paula.stannard@alston.com David M. Stein 213.576.1063 david.stein@alston.com Brian Stimson 404.881.4972 brian.stimson@alston.com Peter Swire 240.994.4142 peter.swire@alston.com Daniel G. Taylor 404.881.7567 dan.taylor@alston.com Jeffrey E. Tsai 650.838.2095 213.576.2608 jeff.tsai@alston.com Katherine M. Wallace 404.881.4706 katherine.wallace@alston.com Michael Zweiback 213.576.1186 michael.zweiback@alston.com James A. Harvey 404.881.7328 jim.harvey@alston.com David C. Keating 404.881.7355 202.239.3921 david.keating@alston.com Kristine McAlister Brown 404.881.7584 kristy.brown@alston.com Angela T. Burnette 404.881.7665 angie.burnette@alston.com Lisa H. Cassilly 404.881.7945 212.905.9155 lisa.cassilly@alston.com Cari K. Dawson 404.881.7766 cari.dawson@alston.com Jan Dhont +32 2 550 3709 jan.dhont@alston.com Derin B. Dickerson 404.881.7454 derin.dickerson@alston.com Clare H. Draper IV 404.881.7191 clare.draper@alston.com Christina Hull Eikhoff 404.881.4496 christy.eikhoff@alston.com Sarah Ernst 404.881.4940 sarah.ernst@alston.com Jon Filipek +32 2 550 3754 jon.filipek@alston.com Peter K. Floyd 404.881.4510 peter.floyd@alston.com Daniel Gerst 213.576.2528 daniel.gerst@alston.com Jonathan M. Gordon 213.576.1165 jonathan.gordon@alston.com Elizabeth Helmer 404.881.4724 elizabeth.helmer@alston.com John R. Hickman 404.881.7885 john.hickman@alston.com Donald Houser 404.881.4749 donald.houser@alston.com Follow us: On Twitter @AlstonPrivacy On our blog – www.AlstonPrivacy.com