In the wake of the GDPR (the EU General Data Protection Regulation), which comes into force in May of 2018, the French government passed a bill, the Digital Republic Act (Loi n°2016-1321 pour une République numérique), which aimed to enhance and elevate the power of regulatory bodies at both the French and EU levels to prosecute businesses that do not comply with existing and upcoming data regulations (1). Both of these regulations, the French Loi pour une République numérique and the GDPR, ostensibly intend to work in tandem to protect the rights of individuals with regard to their presence online and the data collected about them. But whereas many EU countries judge the GDPR to be sufficient regulation for the protection of their citizens, France has deemed the GDPR to be too lenient and lacking in prescriptive power. This creates a problem, however, as businesses must now navigate both EU and French civil law. It is ironic, as this gap between EU and state-specific regulation was exactly what the GDPR originally set out to harmonize. Thus, by creating its own law specific to France, France has not only chipped away at the limited prescriptive power and harmony the GDPR hoped to achieve, but also cut off its nose to spite its face, as the success of France’s Loi pour une République numérique is inextricably linked to the success of the GDPR, which France has now de-fanged: a serpent eating its own tail.
According to the EU Commission, the GDPR intends to “harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.” (2) The French, upon hearing this, were not sufficiently satisfied with the aims of the GDPR. Thus, on the 7th of October last year, the French passed their own Digital Republic Act, which took effect immediately, amending the French Data Protection Act of 1978 and preempting the effective date of the GDPR. This new French law overhauled nearly every aspect of the digital economy in France and introduced a slew of new provisions regulating everything from open data to the online cooperative economy, and from revenge porn to the civil right of access to the internet. While proponents of the law find it necessary for the protection of French citizens online, others criticize France for fragmenting an EU regulation whose a priori aim was to harmonize data privacy laws across Europe—easing bureaucratic and corporate malaise (3). This new French law, critics argue, has reintroduced the same feeling of unease and policy contradictions across the EU-space that the GDPR was intended to address.
Nonetheless, the French, in passing the Digital Republic Act, have taken a clear stance on the side of the individual’s online protections, the way their data is processed, and how this data is used by business. Central to the new law are 5 key principles which French policymakers claim will bolster the GDPR once it comes into force: finality (otherwise known as “intents, purposes, and reuse”), pertinence (otherwise known as “strict necessity”), conservation (otherwise known as the data “shelf life”), individuals’ rights (including the rights to access, oppose, and rectify personal data as well as the “right to be forgotten”), and security and confidentiality (otherwise known as reasonable protection measures). Alongside these are 3 supplementary regulations unique to the French law: the explicit rights of individuals (see below), data storage regulations (or deregulations on domestic data storage facilities), and the maximum penal regulations of the CNIL, the French data protection authority (increased from 150,000 euros to 20 million euros or 4% of total worldwide turnover) (4). According to France, it is through these principles, alongside the GDPR, that data protection standards will be codified in France (5). Currently, only the French Digital Republic Act is in effect, with the GDPR coming into force this May; however, the French law has begun, independent of the EU, to transform the data protection landscape in Europe.
Explicit Rights of Individuals in France (6)
- Right to access your personal data
- Right to rectify or modify data that has been collected about you
- Right to oppose the use of your personal data
- Right to post-mortem data privacy
- Right to be forgotten (for minors under the age of 18)
- Right to data portability and data recovery
- Right to exercise rights electronically for data that is collected electronically
With the adoption of the Digital Republic Act, France is sending a strong message to businesses that it stands in favor of individual personal data protections over corporate data freedoms with regard to the way individuals and businesses interact online. These new legal safeguards are meant to protect personal data and provide legal remedies to individuals who often have no way of contesting the data collected about them—and indeed no way of correcting it. Furthermore, this new French law also reminds European policymakers and businesses that even though the GDPR aimed to establish a harmonized data protection regime within Europe, individual EU states can still adopt additional or more restrictive data protection rules. Therefore, country-specific data protection laws, such as this one just passed by France, will continue to apply as long as they don’t expressly contradict the initiatives of the GDPR (7). The result for businesses in France, or operating within France, is that they will still need to comply with a myriad of different national regulations alongside the EU laws when processing personal data across Europe, which does little to ease bureaucratic hurdles or to help businesses understand the regulations they need to follow (8).
Today, due to this new law, businesses in France and across the EU are increasingly “on the hook” for protecting the personal data they collect (9). What this means in practical terms for a business operating in France is that, in order to fully protect itself from personal data misuse lawsuits and other related legal actions against it, the business must not only ensure it is complying with the new GDPR data protection laws to the “T,” but also be increasingly proactive in protecting itself legally (by updating its terms and conditions) against unforeseeable—and increasingly common—data leaks, hacks, or network breaches. As a result, where the French Digital Republic Act is contravened, even actions which are customarily outside a business’s control are now grounds of liability for which the business can be held accountable and sued.
Thus, it is no longer enough for a business to comply with the relevant data regulations and act in good faith under one unified law, as both the EU and, to a larger extent, France hold businesses accountable for data protection in all circumstances. Ergo, businesses must protect themselves against the unforeseeable and increasingly probable possibility of a data breach for which they alone will be held accountable yet for which they are not fully responsible (10). In this milieu of uncertainty, businesses have been forced into legally sidestepping any major data protection guarantees in their terms and conditions, instead using language such as “foreseeable consequences,” “reasonable situations,” and “appropriate mechanisms” in an attempt to protect themselves from the unforeseeable, unreasonable, and inappropriate reality of data breaches and hacks (11). While the CNIL has laid out a 6-step process for companies trying to overhaul their internal guidelines to follow the new French data protection laws, this may not be enough to keep such a company from being sued for breach of either French or EU law. In response, businesses are essentially stating in their terms and conditions, “we will do our best to protect your data, we will not break the law knowingly, but we know our best is not good enough. Data leaks happen. We can’t control what happens to your data. Please don’t sue”—hardly a standard that gives customers confidence (12).