SUMMARY

13 December 2019

Specifying the GDPR: Member States perspective - France

Summary by Alessandra Calvi, Researcher at BPH-LSTS / VUB

SUMMARY

On 12 November 2019, the Brussels Privacy Hub (BPH) inaugurated a new series of events aimed at initiating an overview of national perspectives and legal developments related to the General Data Protection Regulation (GDPR), entitled “Specifying the GDPR: Member States perspectives”.

The ambition of this new series is to offer a space for academic discussion around the many issues triggered by national laws that specify, develop or somehow modulate GDPR interpretation and implementation across the various Member States. As regards the format, there shall be three events per year, where national experts will be invited to discuss, in an open way, the major points regarding the Regulation in the legal framework of their expertise, together with selected experts providing broader views on national developments.

The kick-off event was devoted to developments in France.

The invited speakers were Karolina Mojzesowicz (Deputy Head of Data Protection Unit at European Commission-DG JUST), who put forward general considerations about GDPR specification in the various Member States; and Olivia Tambou (Senior Lecturer in European Law at Université Paris-Dauphine), who presented the main features and challenges of the of GDPR-related developments in France.  

The discussion was chaired by Gloria González Fuster (Co-Director of LSTS / VUB), who also opened the event and introduced the speakers.

Karolina Mojzesowicz introduced the GDPR’s special nature. She noted that, although it is a Regulation,  Member States are allowed to further specify its provisions in relation to some issues (e.g. Art. 8 GDPR for child consent), as well as obliged to adopt a limited number of implementing measures (e.g. Art. 85 on processing and freedom of expression and information) and to adapt their legislation to the extent necessary, notably by repealing contradictory provision. She warned that national specification rules have nevertheless always to be framed by Ar. 8 of the Charter of Fundamental Rights of the European Union and Art. 16 of Treaty on the Functioning of the European Union, in the sense that they cannot undermine these provisions.  

In relation to the work of the European Commission in this regard, she noted that it had prioritized the fully operationalization of the European Data Protection Board (EDPB), and stressed the importance of reaching out to national Data Protection Authorities (DPAs). In this context she expressed concern with national DPA guidance, concretely about cookies, which would appear to be at odds with EDPB guidance.  

She indicated that before and after the 25 May 2018, the European Commission has engaged in bilateral contacts with Member States to support adequate national specification of the GDPR. Referring to issues that have emerged in relation to national developments, she mentioned changes in the legislation in Germany (including issues related to the adequacy status of Switzerland); Portugal, where the DPA has declared it intention to disapply certain articles of the national law related to the GDPR; or Romania, concerning Art. 85 GDPR. In general, she referred to the attention granted by the European Commission to possible divergent interpretations of ‘legitimate interest’, as well as national provisions relation to Art. 23 GDPR (restrictions of data subject rights), and expressed concerns about the potential fragmentation stemming both from the allowed specifications of the GDPR and from the (ab)use of specification clauses.

Olivia Tambou presented the French approach to the GDPR. She explained that French data protection law had been deeply reformed in 2016, introducing already some elements of the GDPR. After that, the Loi informatique et Libertés (LIL), encompassing both provisions related to the GDPR and the Law Enforcement Directive, was adopted in 2018, in the form of ordinance due to time constraints.

Tambou described France as a pioneer in data protection law, particularly attached to the symbolic connotations of its original instruments,  that generally made a moderate use of opening clauses, introducing nevertheless rules on specific processing situations and other specific issues. She highlighted that French law reproduces almost all definitions present in EU law, although somehow paradoxically not that of personal data.

She explained how the LIL introduced restrictions based on with Art. 23 GDPR, for example excluding the right to access for certain processing for statistical, scientific and historical research purposes (Art. 49 III LIL), and establishing an indirect right of access, rectification, and erasure for certain processing for taxes recovery purposes (Art. 52 LIL).

She pointed out how other adaptations, as the limitation of prior formalities and the reinforcement of CNIL powers, appear to be in line with GDPR rationale.

As regards the other specific issues, she mentioned the residence criterion for the application of French Law in cross-border cases in relation to opening clauses (Art. 3 II LIL), aimed at resolving potential horizontal conflicts between national laws regarding the implementation of opening clauses; the rules for processing personal data of  minors, where Art. 45 LIL introduces an obligation of dual consent, both from minors between 13 and 15 years old and from the holder of the parental responsibility of the child; the new legal  basis for administrative individual automated decision making (Art . 47 LIL), aimed at legalizing the generalisation of the use of algorithms by the public administration by adding safeguard measures, as the prior information to the data subject about the use and the logic of the algorithms in an intelligible way (Conseil constitutionnel Decision no. 2018-765 DC of 12 June 2018); or the provision regarding a collective action for damages (Art. 37 III LIL), that can be brought independently from the mandate of data subjects, but that the possibilities granted to associations are limited only to declared associations existing for at least 5 years (Art. 37 III, IV LIL).

The last point raised particular interest. Karolina Mojzesowicz pointed out that NGOs can claim damages only if authorized by national law, otherwise data subjects have to lodge complaints by themselves. She added that Art. 80 GDPR was conceived to support enforcement, and does not pursue as such facilitating economic benefit. She warned, however, against the risk that after 5 years infringements may be prescribed. Also, Gloria González Fuster expressed concerns on possible national limitations of the associations entitled to exercise representative actions, notably in cross-border scenarios. Olivia Tambou clarified that the goal of the provision was presumably to avoid that associations were created on ad hoc basis only to bring claims, and added that associations are entitled to bring claims to defend the rights of residents in France and established in France. She referred to a recent case against Google for disproportionate geolocalisation of processing.

As regards specific processing situations, Olivia Tambou explained that the LIL introduced also provisions about digital will, concerning personal data of deceased persons (Art. 86, 84 LIL) and prior formalities for the processing of health data. On the relationship between data processing and freedom of expression and information, she clarified that a foreseen derogation applies only to professional journalists.

On the assessment of GDPR application, she admitted that the number of declared data breaches in France is somehow suspiciously low, and that only few sanctions have been issued after the GDPR entered into force. She also communicated that there is currently a strong debate in France on the need of developing facial recognition processing.  

Commenting on the specification of the GDPR in France but more generally in Europe, Karolina Mojzesowicz, emphasised that as a general principle national legislation should not reproduce definitions already contained in the GDPR. She pointed out that establishing a certification mechanism of Data Protection Officers (DPOs) might be in tension with the guidelines of the European Data Protection Board (EDPB), that are limited to data management, and expressed concern regarding the limited harmonization in respect to national “black lists” and “white lists” on the processing operation requiring and not requiring of Data Protection Impact Assessment.

Gloria González Fuster concluded the discussion thanking the speakers for the lively debate.

Additional resources related to these event series can be found here.

Copyright © Brussels Privacy Hub

Copyright © Brussels Privacy Hub