On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”). Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.
The Draft Law requires that data controllers provide information on their data processing activities to their data subjects in a clear, specific and easily accessible manner. The data subjects would be able to exercise their right of access more easily, including by email. The Draft Law also distinguishes between the data subject’s right to object to the use of his/her personal data for commercial purposes and his/her right to delete his personal data after it has been processed.
The Draft Law also proposes an increase in the obligations of data controllers. Organizations with more than fifty employees that either access or process the personal data are required to appoint a data protection officer. In addition to his obligation to inform the data subjects about a data processing activity, a data controller would have to obtain a data subject’s consent to process data (including for the use of cookies), except if a legal exception applies. Data controllers would also have to implement stronger security measures to preserve the security and confidentiality of personal data. In particular, in case of a data security breach, a data controller would have to notify the French data protection authority (“CNIL”), which would then decide whether to inform the data subjects concerned by this breach.
Finally, passage of the law would increase the CNIL’s enforcement authority. Fines imposed by the CNIL for violations of the law would be increased to a maximum of €600,000 (instead of the current €300,000). The CNIL’s decisions to sanction data controllers would be published more frequently. The CNIL would further gain the right to produce written observations or to be heard in any civil, criminal or administrative court hearing.
This Draft Law will now be examined by a Committee of the Senate before it is discussed and submitted for a general vote. Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the new law. View the Draft Law in French.


“The Draft Law also distinguishes between the data subject’s right to object to the use of his/her personal data for commercial purposes and his/her right to delete his personal data after it has been processed.”
It will be interesting to watch whether this distinction – one clearly within the intent of the Data Protection Directive – has a sufficiently large negative commercial impact to cause it to be reconsidered as being unbalanced.
By so clearly separating further commercial use of personal information from the stated primary intent at point of collection, practices such as requiring that a person remain on an e-marketing list for the duration of a “free” sweepstakes draw (which often can run up to one year) may become unprofitable, thus changing the economic value to the commercial operator and eliminating such offers or seriously changing their value proposition.
It may be possible to argue that, being in the basic nature of the economic compromise which makes the giveaway feasible, keeping the person’s data on the e-marketing list is in fact a core part of the stated primary intent. However, I doubt this, because: if a person submits their information even under the clear understanding that they must continue to receive e-marketing until a sweepstakes drawing takes place, and later they withdraw that consent, they will in effect have paid in to the commercial operator up until the point in time of their withdrawal of consent, and then be able to receive no economic value whatsoever, which would likely be found to be unbalanced.
“Organizations with more than fifty employees that either access or process the personal data are required to appoint a data protection officer.”
Further detail is needed:
Is this DPO to be a dedicated position? If so, then the cost is probably too high to be justified in companies as small as 50 people.
Is this DPO required to have a certain amount of training and a certain level of independence / protection in the execution of his duties? Then, again, the cost is probably too high to be justified in companies as small as 50 people.
Of course, both of these are matters only of scale, not of concept. While I do always caution against ever-increasing regulatory mandates which raise the cost of doing business, as long as the floor level is set reasonably, the smart business takes this mandate and makes good privacy practice also good business, as we see from our most successful privacy peers.