General presentation of the French law a) Scope of application and principles
The 1995 directive applies to both the public and private sectors, within the scope of community jurisdiction. The French personal data protection law has an even broader scope of application, since it also covers activities related to public security, defence, and security of the State (with the necessary adaptations).
Under the directive, the French law is applied both to automated processing and to man- ual files, with the exception of processing undertaken in the exercise of exclusively personal or domestic activities.
In order to assure a high level of protection, the definition of the essential con- cepts by the directive, and by French law, is as broad as possible, and allows inclusion of voices and images of individuals, as well as the later appearing RFID. The defini- tion of data processing allows inclusion of the nanotechnologies and the Internet.
The directive has harmonized the principles of lawfulness of processing in all European countries. As a reminder, these are:
— the principle of responsibility of the persons that engage in processing;
— the principal of transparency (which implies knowledge of the existence of processing, and the possibility for individuals to know what data are recorded in the processing);
— the principle of a determined and lawful purpose;
— the principle of proportionality between the data recorded and the reten- tion period;
— the principle of security and confidentiality of the data;
— the principle of consent of the data subject, except in specified cases.
The first article of the “Informatics and Freedom” law, unchanged since the beginning, is the pillar for the protection principles, and underlies the actions of the supervisory authority:
Informatics must serve every citizen. Its development must be undertaken within the framework of international cooperation. It must not jeopardize hu- man identity, human rights, the privacy of individuals, or individual or public freedoms.
b)The National Commission on Informatics and Freedom and its missions
The uniqueness of the European personal data protection system lies in the institution of supervisory authorities, independent and with effective powers. The supposition is double: the actors, public and economic, cannot at the same time be judges and parties. Such agencies are capable of adapting to changing situa- tions, especially to the fact of technological evolution.
The National Commission on Informatics and Freedom (CNIL) is the French supervisory authority, created by the law of 6 January 1978. It is a single agency with national jurisdiction, which has a very specific charter. In fact, it was the first French “independent administrative authority”: an institution of the State, but not subject to the hierarchical authority of a minister.
The independence of the CNIL also is reflected by its composition and the manner of appointing its members. It is a collegial body comprised of 17 mem- bers of diverse backgrounds. It elects a chairman and vice chairman from among its members. It freely establishes its internal regulations.
The general mission of the CNIL is to oversee respect for the rights and free- dom of individuals, satisfying itself that processing complies with the require- ments of law. Evolutions of technologies and the consequences they may have on the functioning of society, human rights and privacy must be very closely watched.
In addition to its traditional activities, which are those of any supervisory au- thority (providing information and advice to data subjects, controllers and the public authorities, registration of file notices, handling of complaints and moni- toring processing, etc.), the CNIL in 2004 inherited new functions, such as the
possibility of issuing opinions regarding professional rules, and granting certifica- tions of products or processes.1The law henceforth requires that the commission advise the government regarding matters of international cooperation, and co- operate with the other authorities in the field of personal data protection.
In performing its missions, the supervisory authority often must seek balance between divergent or even contradictory interests. This is the case of reconcilia- tion of security demands, for example combating terrorism, with individual rights and freedoms. It is also necessary to balance the interests related to transparency and access to information with those related to protection of privacy. The CNIL, as in several other European countries, in this regard advocates complete removal of names and addresses of data subjects from judicial decisions placed on the Internet.
The principal innovations in the 2004 law
The law of 6 August 2004 has profoundly changed the French approach to su- pervision of data processing. It has used all options available under the directive to alleviate and simplify notice procedures, compensated for by greater supervi- sion of the most dangerous processing. Similarly, there has been a rebalancing as between prior control of processing, which always has been the CNIL’s preferred mode of operation, and after the fact control, particularly based on a new power of administrative sanction.
a) Relief regarding prior proceedings (notification) and the creation of the “personal data protector”
Under the directive, processing that involves personal data must be notified to the supervisory authority prior to being undertaken. The 2004 law has eliminated the distinction between the public and private sectors. Notification now is a com- mon requirement. In this regard, the commission’s supervision is limited to veri- fying that the notification meets the formal requirements, and registering it. The CNIL can simplify notification for certain processing considered to be of little danger, strictly limiting it by regulations issued by it.2
Going even further in simplification, the law contemplates cases in which no formality is required (in particular legal registers used only for informing the public
1 The power to certify products and processes, which is not expressly contemplated by the directive, ex- ists only in the German landof Schleswig-Holstein.
2 The CNIL to date has issued 50 of these “simplified rules”.
and certain processing undertaken by associations). It also gives the CNIL authority to grant exemptions from notification for such processing as does not present risks to rights and freedoms. The French authority already has used this power on several occasions (for example regarding paying personnel, and a short time ago regarding blogs or websites created by private persons).
Another essential innovation of the amended French law is the creation of
“data protectors” (called “informatics and freedoms correspondents” in France).
The system, contemplated on an optional basis by the directive, comes to us from Germany, and has also been adopted by Holland and Sweden. A company or agency that appoints a “protector” is relieved of compliance with notice proce- dures, except in those cases in which authorization is required. This means that with respect to the applicable matters the action of the correspondent becomes that of the commission.
The functions of the correspondent are essentially maintaining the list of pro- cessing undertaken by the company, responding to requests from data subjects (in particular regarding the exercise of the rights of access, rectification and op- position), and in general advising the controller regarding protection of person- al data and compliance with the law.
Since the end of 2005, when the correspondent mechanism became opera- tional, some 170 organizations have appointed one.
b)Strengthening prior control of “risky” processing
Relief regarding prior proceedings for most processing allows a refocus with respect to the processing presented, by reason of the nature of the data recorded or the purpose of the processing, on specific risks to the rights and freedoms of individuals. True prior control implies verification of both the lawfulness of the processing and the contemplated guarantees. This in particular involves: entry and processing of “sensitive” data, of genetic or biometric data, the processing of data regarding violations or convictions, processing that may result in exclusion from a right or contract, interconnections of files that have different purposes, etc. The CNIL’s control of such processing consists of granting or denying an au- thorization binding on the controllers.
The French authority already has issued several decisions authorizing or reject- ing biometric control devices for access to certain premises, regarding the fight against Internet falsification (peer-to-peernetworks), and professional alert devices (the famous ethics linesimplemented in application of the Sarbanes-Oxley Act).
Regarding biometric control devices, the CNIL through its decisions has de- veloped some assessment criteria for authorization or rejection of such processing.
The first criterion refers to the kind of biometric technique used. The commis- sion authorizes processing using so-called “non-tracking” technologies (for exam- ple the shape of the hand), because they do not involve a risk of use for other pur- poses without knowledge of the data subject. By contrast, it is very strict regarding the use of “tracking” biometric techniques (fingerprints, facial recognition, etc.), for which a second assessment criterion is taken into account. The CNIL author- izes devices based on recording the tracked information on a separate medium (card), if security objectives so justify, or if the device is used voluntarily (with the difficulty of assuring the free and informed consent of data subjects). The CNIL allows data to be entered in a database only if strong security requirements are in play (airports, nuclear plants, etc.).
Finally, the directive has confirmed that the recognized protection level must be assured in cases of international transfers. For this reason, processing that con- templates transfer of data to countries that do not provide a sufficient level of pro- tection also must be authorized. In this context the commission verifies both the lawfulness of the transfer and the safeguards presented by the contract clauses or internal rules applicable thereto.