A bill on Better Protection of Privacy in the Digital Age adopted by the French Senate on 23 March 2010 will be submitted to the National Assembly. The bill aims to amend French law significantly on many points. The bill is available online at www.senat.fr/dossier-legislatif/ppl09-093.html.
The bill covers the following topics:
• the appointment of a CIL (data protection officer) would become mandatory for certain organisations where the number of employees processing data exceeds a specific threshold or for which processing activities, such as the processing of sensitive, biometric, genetic or judicial data, require the prior authorisation of the CNIL. More generally, the bill aims at making the CIL a central figure of the compliance process (inter alia for data breach notifications);
• the notification of security/data breaches (the current draft is far reaching and leaves a number of issues to be dealt with by implementing regulations);
• without the issue of IP addresses being addressed directly, any number identifying an individual accessing communication services should be included within the definition of personal data;
• the data controllers’ obligations in relation to (i) the content of the information provided to data subjects (e.g. on retention periods or transfer to third parties) and (ii) the manner in which data subjects are informed (e.g. dedicated page on web site) should be increased. The bill also distinguishes between data subjects’ right to object to the use of their personal data and their right to delete their personal data after it has been processed;
• cookies (the current draft offers some flexibility on the subject of "prior" opt in);
• additional rules on the creation of national files relating to public security or criminal offences and/or convictions;
• the fines imposed by the CNIL would be increased to a maximum of EUR 300,000, EUR 600,000 in case of repeated breaches, and the sanctions would be made public (no longer limiting the publication to cases where the data controller acted in bad faith);
• the CNIL’s right to intervene in criminal and civil court proceedings should be increased;
• the court of the place of residence of the data subject should have jurisdiction;
• investigations should be facilitated by the possibility for the CNIL to obtain a court order in case of urgency (in which case, data controllers will no longer be able to object to the entry into their premises); and
• education on data protection at school should be introduced.
The above shows that the scope of the bill is quite broad and that it will require relatively significant organisational measures from data controllers.
There is some uncertainty as to the date on which this bill would actually become law, as the French government does not seem to be in a hurry to put it on the agenda of the National Assembly. There is also the argument as to whether it is appropriate to enact a law before the revision of the EU data protection framework that has been initiated by the EU Commission, but this argument may lose its strength if it is confirmed that the timetable for this revision is indeed postponed.