On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (“Joint Committee”) reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act.
No Data Localization Requirement
One of the issues discussed by the Joint Committee was the amendment (corrigendum No. 473) adopted by the French Senate on April 27, 2016. This amendment added a data localization provision to the French Data Protection Act, requiring that personal data be stored in a data center located in the EU and not transferred outside of the EU. The French Government was against this amendment, which ignored current and future cross-border data transfer restrictions. Unsurprisingly, the amendment was deleted by the Joint Committee.
Additional Information Requirement
The Joint Committee approved other amendments that anticipate EU General Data Protection Regulation (“GDPR”) requirements. The amendments include the obligation for companies, acting as data controllers, to inform individuals of the data retention period, or if that is not possible, of the criteria used to determine that period. Currently, businesses are not required to specify data retention period(s) in their privacy notices.
Notably, the ‘Digital Republic’ Bill adopted by the Joint Committee significantly increases the maximum level of fines for violations of the French Data Protection Act. Currently, the French Data Protection Authority (“CNIL”) may impose fines of up to €150,000 for first infringements, or up to €300,000 for repeat infringements. With the new amendment approved by the Joint Committee, the CNIL will be able to immediately impose a fine of up to €3 million until the GDPR becomes applicable. In this respect, the Joint Committee introduced a new provision to confirm that, as of May 25, 2018, the CNIL will impose fines prescribed by the GDPR (i.e., fines of up to, as the case may be, (1) €10 million or 2 percent of annual worldwide turnover, or (2) €20 million or 4 percent of annual worldwide turnover) to the extent that the data processing falls under the scope of the GDPR. For those data processing activities that will not be subject to the GDPR, the CNIL could impose fines of up to €3 million. In this respect, by June 30, 2017, the French Government will present to the French Parliament a report on the amendments to the French Data Protection Act made necessary by the entry into force of the GDPR.
The French Digital Republic Bill now needs to be formally adopted by both chambers of the French Parliament.