France’s new Digital Republic Act [1] significantly strengthens protections that control how French businesses use and retain personally identifying data. The law expands the scope and authority of the 1978 French Data Protection Act and brings the country to the foreground of modernizing the legal framework of the information economy ahead of the 2018 implementation of the General Data Protection Regulation (GDPR). The Act includes a number of key amendments that improve individual privacy rights, increase the powers of French Data Protection Authority (CNIL), and impose new requirements on how companies and communication providers handle personal information.

Most importantly, the law has considerably increased the enforcement capabilities of the French Data Protection Authority (CNIL). Previously limited to a maximum fine of €300,000, they can now impose fines of up to €3 million. Once the GDPR takes effect in 2018, that amount will increase to a whopping €20 million or 4% of a business’s gross annual global turnover, whichever is greater. For the world’s largest multinational businesses, this administrative penalty could potentially run into the billions of Euros. By enacting this significant increase, France is signaling that it takes privacy protections seriously and expects businesses to make substantial investments in measures to comply.

The law has also added several new individual rights. Businesses must now notify customers how long their personal data will be held. If doing so is impossible, they must communicate the criteria used to determine the retention period. Customers can also request that businesses delete personal data collected when they were minors. If that data has been shared with third parties, they must undertake reasonably proportionate measures to notify third parties of the person’s request to delete the data.

To learn more about France's new Digital Republic Act:

[1] Loi n°2016-1321 pour une République numérique

Author: Frank Fazzio, Records Analyst at Zasio Enterprises, Inc.