Privacy & Cybersecurity Law Blog

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

Sanction Authority.  The Bill increases the deterrent effect of the CNIL’s sanctions by explicitly authorizing the CNIL to publish the sanctions it imposes on data controllers.  In addition, the procedure for sanctioning violators would require the Chairman of the CNIL to notify data controllers who breach the law prior to sanctioning them.

Investigatory Powers.  On November 6, 2009, and July 7, 2010, the French State Council (Conseil d’État) annulled several of the CNIL’s sanctions on the grounds that the CNIL’s on-site investigations violated Article 8 of the Council of Europe’s Convention for the Protection of Human Rights and Fundamental Freedoms (i.e., the right to respect for private and family life).  The State Council ruled that data controllers must be given advance notice of their right to object to an on-site inspection by the CNIL.  The State Council also ruled that the CNIL may not conduct surprise inspections without notifying the data controller or obtaining the prior approval of a judge.

Further to these rulings, the Bill adds a new provision to the Data Protection Act which would require the CNIL to obtain a court order to conduct an on-site inspection if the relevant data controller objects to such inspection.  However, under exigent circumstances (if, for example, there is risk that the data controller might destroy or conceal evidence), a judge may authorize a surprise inspection without advance notice to the data controller.

Powers of the Chairman of the CNIL.  The Bill also reduces the Chairman’s powers by limiting his involvement in the decision-making process with respect to investigations and sanctions.  The power to impose sanctions would lie entirely in the hands of the CNIL’s “restricted committee” (la formation restreinte).  To comply with Article 6.1 of the Convention for the Protection of Human Rights and Fundamental Freedoms (i.e., the right to a fair trial), however, the Chairman and Vice-Chairman of the CNIL would no longer be members of the restricted committee, and thus would not be involved in the sanctioning process.

Finally, the Bill includes an addition to the Data Protection Act which specifies that the position of Chairman of the CNIL is incompatible with any professional activity, elected mandate or other public service, as well as any direct or indirect involvement with companies in the electronic communications or technology sectors.

The Bill is available (in French) on the French National Assembly’s website.

This Bill was formally adopted by the French National Assembly on January 18, 2011.