Data protection and privacy in France

Click here to view original web page at
Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The legislative framework for the protection of PII in France is one of the oldest in Europe as it is based on the Law on Computer Technology and Freedom dated 6 January 1978 (Loi Informatique et Liberté, or LIL). This law has been amended several times since then, and especially by:

As a regulation, the GDPR has been directly effective in France since 25 May 2018.

Furthermore, the following international instruments on privacy and data protection also apply in France:

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The data protection authority in France is the National Commission for Data Protection and Liberties (CNIL). The CNIL is an independent public body entrusted with the following powers.

Powers of sanction

The maximum threshold of penalties that the CNIL can pronounce has been increased from €150,000 to €20 million or 4 per cent of world turnover for companies since the GDPR.

The CNIL can now compel sanctioned entities to inform each data subject individually of this sanction at their own expense.

It may also impose financial penalties without prior formal notification by the bodies where the failure to fulfil obligations cannot be brought into conformity.

It can also limit temporarily or definitively a specific processing.

Control and investigation powers

The CNIL is vested with investigation and control powers that allow its staff to have access to all professional premises and to request, on the spot, all necessary documents and to take a copy of any useful information. CNIL staff can also access any computer programs linked to the processing of PII and to recorded information. The CNIL can also conduct a documentary control where a letter accompanied by a questionnaire is sent to a PII controller and/or processor to assess the conformity of processing operations carried out by them or an online investigation, in particular by consulting data that are freely accessible or made directly accessible online, including under a fake identity.

In 2019, the CNIL will focus its supervisory action on three main themes, directly resulting from the entry into force of the GDPR:

Regulatory powers

The powers of the CNIL have recently been extended, as it will have to be consulted for every bill or decree related to data protection and processing. Opinions will automatically be published.

The CNIL is also entrusted with the power to certify, approve and publish standards or general methodologies to certify the compliance of personal data anonymisation processes with the GDPR, notably for the reuse of public information available online.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

If the owner or processor of PII carries out cross-border processing either through multiple establishments in the EU or with only a single establishment, the supervisory authority for the main or single establishment acts as lead authority in respect of that cross-border processing.

As lead authority, the CNIL must cooperate with the data protection authorities in other member states where the owner or the processor is established, or where data subjects are substantially affected, or authorities to whom a complaint has been made. Specifically, the CNIL has to provide information to other data protection authorities and can seek mutual assistance from them and conduct joint investigations with them on their territories.

More generally, the CNIL is required to provide assistance to other data protection authorities in the form of information or carrying out ‘prior authorisations and consultations, inspections and investigations’. The European Commission can specify forms and procedures for mutual assistance. The CNIL could also participate in joint investigation and enforcement operations with other data protection authorities, particularly when a controller has an establishment on its territory or a significant number of its data subjects are likely to be substantially affected.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Failure to comply with data protection laws can result in complaints, data authority investigations and audits, administrative fines, penalties or sanctions, seizure of equipment or data, civil actions (including class actions that have been introduced by Law No. 2016-1547 dated 18 November 2016 for the Modernisation of the 21st Century Justice), criminal proceedings and private rights of action.


When the CNIL finds a PII owner to be in breach of its obligations under the LIL, as a preliminary step the CNIL chairman may issue a formal notice for the PII owner to remedy the breach within a limited period of time. In cases of extreme urgency, this period may be reduced to 24 hours.

When the breach cannot be remedied in the context of a formal notice, the CNIL may impose one of the following sanctions without prior formal notice of adversarial procedure:

When the PII owner complies with the terms of the formal notice, the CNIL chairman shall declare the proceedings closed. Otherwise, the competent committee of CNIL may, after a contradictory procedure, pronounce one of the following penalties:

In case of emergency and infringement to civil rights and freedoms, the CNIL may, after an adversarial procedure, take the following measures:

In the event of a serious and immediate violation of rights and freedoms, the chairman of the CNIL may request, by summary application, the competent judge to order any necessary security measures.

The CNIL may also inform the public prosecutor that it has found infringements of data protection law that are criminally sanctionable.

Publicity of the penalties

The CNIL can make public the financial penalties that it pronounces. The inclusion of these sanctions in publications or newspapers is no longer subject to the condition of bad faith of the entity concerned.

Criminal sanctions

Infringements to data protection law may be punished by imprisonment for a maximum period of five years and a criminal fine up to €300,000 (articles 226-16 to 226-22-1 of the Criminal Code). However, criminal sanctions are hardly ever pronounced.


Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The LIL is generally applicable to all public bodies and all non-public entities that process PII and intends to cover all sectors. However, certain processing carried out by public authorities is subject to specific obligations that differ from the general obligations imposed upon private entities, for example:

The following categories of data processing fall outside the scope of the LIL:

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The LIL does not cover the interception of communications nor surveillance of individuals when implemented for public interest purposes.

This is subject to the authority of a dedicated public authority, the National Commission for Monitoring Intelligence Techniques. This field is regulated by several laws, mainly Law No. 91-646 of 10 July 1991 and Law No. 2015-912 of 24 July 2015.

Electronic marketing is subject to the Postal and Electronic Communication Code (article L. 34-5 et seq) and to the Consumer Code (article L. 121-20-5 et seq).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Processing of health PII is subject to the provisions of the Public Health Code as well as to the LIL.

The solicitation by automatic calling machines, email or fax, and the sale or transfer of PII for prospecting purposes using these, is subject to the provisions of the Postal and Electronic Communications Code.

PII formats

What forms of PII are covered by the law?

The LIL is aimed at covering all forms of PII, which means any information relating to an individual who is identified or who could be directly or indirectly identified, by reference to an identification number or to the combination of one or several elements.

In addition, the LIL applies to automatic processing and to non-automatic processing of PII that forms part of a filing system (or is intended to form part of a filing system), with the exception of processing carried out for personal purposes. Accordingly, even records of PII in paper form may be subject to the LIL.


Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The LIL applies to processing of PII carried out by a PII owner:

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

In principle, the LIL applies to all processing of PII, with the exception of that carried out for purely personal purposes. The controller determines the purposes for which and the means by which PII is processed, whereas the processor processes PII only on behalf of the controller. The duties of the processor towards the controller must be specified in a contract or another legal act.

In principle, the PII controller is the principal party for responsibilities such as collecting consent, enabling the right to access or managing consent-revoking. However, the GDPR introduces direct obligations for PII processors (including security, international transfers, record keeping, etc) and thus they can be held directly liable by data protection authorities for breaches of the GDPR and the LIL.

Controllers and processors are also jointly and severally liable where they are both responsible for damage caused by a breach.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Every collection, processing or use of PII needs to be justified under French data protection law. In principle, the ground for legitimate processing must be the consent of the data subject, but the LIL introduced statutory legal exemptions to obtain the consent of the data subject for some processing when it is carried out for the following purposes:

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

French law is more restrictive for the processing of specific types of PII, known as sensitive personal data. As a matter of principle, processing of sensitive data is prohibited.

The LIL provides a non-exhaustive list of sensitive PII by nature, which is PII that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of individuals, or that concerns their health or sexual life. This category of sensitive data by nature can only be processed in the following cases, among others:

In relation to the use of PII in the employment context, the CNIL published several opinions on monitoring the activities of employees, video surveillance, discrimination, localisation data and collection of PII in the recruitment process. Moreover, in France, employers cannot rely on consent for processing involving PII of its employees, since the employees cannot freely consent as they are by nature subordinated to the employer.

Moreover, processing can be prohibited due to its context, such as the processing of PII relating to offences, convictions and security measures, which can only be carried out by a limited number of specific entities.

Furthermore, according to the law on the protection of personal data, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15, which differs from the threshold of 16 years provided in the GDPR.

The law on the protection of personal data establishes a principle of prohibition of decisions producing legal effects on the sole basis of automated processing, including profiling intended to define the profile of the person concerned or to evaluate certain aspects of his or her personality. Such a provision maintains a certain gap with the GDPR, since the law is based on a prohibition in principle of such automated processing while the GDPR refers to an ‘individual right’ of the person concerned ‘not to be the subject of a decision based solely on automated processing, including profiling’.

Data handling responsibilities of owners of PII


Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

As a general rule, data subjects shall be provided with the following information when their PII is collected:

Where the data was not obtained from the data subject, the information must be provided at the time of recording of the personal data or, if disclosure to a third party is planned, no later than at the time the data is disclosed for the first time.

Exemption from notification

When is notice not required?

Notice is not required if the data subject already received such information. Furthermore, in cases where the data subject did not provide his or her PII directly, the data controller is exempted from the notification obligation if:

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The LIL grants rights to data subjects allowing them to have some control over the use of their PII. The relevant rights in this field are notably the right to rectify inaccurate or out-of-date PII, and the right to be forgotten, in order to obtain the deletion of such PII (see question 38).

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

As a general rule, the PII controller shall ensure that the processed PII is adequate, relevant and not excessive in relation to the purposes for which it is collected and for onward processing. In addition, the PII owner shall also ensure that PII is accurate, complete and, if necessary, updated. In this respect, the law provides that the PII owner shall take appropriate measures to ensure that inaccurate or incomplete data for the purposes for which it is collected or processed is erased or rectified.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

PII owners are required to limit the processing of PII to what is strictly necessary for the purpose of the processing. The amount of PII collected and processed must be proportionate to the purposes of the processing.

The LIL also provides that the PII must only be kept in a form enabling the data subject to be identified for a period that does not exceed the time necessary for the purposes for which the PII is collected and processed. Accordingly, if the legitimate ground of the processing has disappeared or expired, the controller should erase, anonymise or pseudonymise the PII.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

The finality principle is a core principle of data protection regulation in France. PII can only be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes.

Furthermore, the CNIL already encourages PII controllers to implement the ‘data minimisation’ principle (which is consecrated in the GDPR), as well as the systematic use, where applicable, of anonymisation and pseudonymisation techniques.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

PII can be processed for new purposes provided that such onward processing is not incompatible with the initial purposes for which the PII was collected and subject to the data subject’s rights and the principle of data minimisation.

Processing of PII for new purposes when such purposes are statistical, historical or medical research is generally considered as compatible with the initial purpose.

Processing of PII for new purposes even incompatible with the initial purpose is also possible with the prior consent of the data subject.


Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Data controllers must protect PII against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks.

Data controllers are required to take steps to:

The CNIL issued guidelines on 23 January 2018 on the security measures to be implemented by data controllers, in line with the requirement of the GDPR, to guarantee the security of personal data processing. These guidelines encourage data controllers to perform a privacy impact assessment, which shall be carried out in consideration of the two following pillars:

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

With the GDPR, there is a general obligation for PII controllers to report PII data breaches to the CNIL without undue delay and, where feasible, not later than 72 hours after becoming aware of it. However, an exception to this notification exists when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, reasons will have to be provided to the supervisory authority.

The notification shall at least:

Moreover, when the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall notify the data breach to the data subject without undue delay. This notification can be waived if the CNIL considers that:

The PII owner must keep an updated record of all PII breaches, which must contain the list of conditions, effects and measures taken as remedies. This record must be communicated to the CNIL on request.

Failure to meet the above requirements exposes the owners of PII to an administrative fine of up to €10,000,000 or, in case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Providers of electronic communication services are also subject to an obligation to notify the CNIL within 24 hours in the event of a PII breach. In this respect, when the PII breach may affect PII or the privacy of a data subject, the PII controller shall also notify the concerned data subject without delay.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

Controllers and processors may decide to appoint a data protection officer (DPO). However, this is mandatory for public sector bodies, those involved in certain listed sensitive processing or monitoring activities or where local law requires an appointment to be made.

The DPO assists the owner or the processor in all issues relating to the protection of the PII. In a nutshell, the DPO must:

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

PII controllers are required to maintain a record of processing activities under their responsibilities as referred to in article 30 of the GDPR. Processors of PII are also required to maintain such a record about personal data that controllers engage them to process.

While an exemption from the above obligations applies to organisations employing fewer than 250 people, this exemption will not apply where sensitive data is processed and where owners or processors of PII find themselves in the position of:

New processing regulations

Are there any obligations in relation to new processing operations?

Since the GDPR is directly effective in France, controllers and processors of PII are required to apply a privacy-by-design approach by implementing technical and organisational measures to show that they have considered and integrated data compliance measures into their data-processing activities. These technical and organisational measures might include the use of pseudonymisation techniques, staff training programmes and specific policies and procedures.

In addition, when processing is likely to result in a high risk to the rights and freedoms of natural persons, owners and controllers are required to carry out a detailed privacy impact assessment (PIA). Where a PIA results in the conclusion that there is indeed a high, and unmitigated, risk for the data subjects, controllers must notify the supervisory authority and obtain its view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.

Controllers and processors may decide to appoint a DPO (see question 22).

Registration and notification


Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

PII controllers or processors are not required to register with the CNIL.

Since the entry into force of the GDPR, owners and processors no longer have the obligation to declare the PII processing they carry out to the CNIL.

However, the law on personal data maintains the requirement of a prior authorisation from the CNIL for the following processing:


What are the formalities for registration?

The formalities of registration for data processing requiring prior authorisation must be performed for each new PII processing operation.

The formalities are free of charge and can be realised on the CNIL’s website and are non-renewable since they remain valid for the whole duration of the processing. The following information must be provided:


What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Failure to comply with the registration obligation can be punished by imprisonment for a maximum period of five years and a criminal fine of up to €300,000 (article 226-16 and 226-16-1 A of the Criminal Code).

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

The CNIL can refuse its registration if some of the information to be provided is missing or if the PII collected for the processing is too broad in relation to its purpose. In such cases, the PII owner cannot carry out the intended data processing. Failure to comply with a refusal of the CNIL to authorise processing is subject to criminal sanctions (see question 27).

Public access

Is the register publicly available? How can it be accessed?

On 30 August 2017, the CNIL published on its website a register that lists the formalities completed since 1979 by data controllers (public and private). This register can be consulted freely, with ease, via the CNIL website.

Effect of registration

Does an entry on the register have any specific legal effect?

The PII controller may only be allowed to start carrying out the processing upon registration and receipt of authorisation from the CNIL.

The registration as such does not exempt a data controller from any of its other obligations. After the registration, data controllers still need to ensure that the processing complies with the information disclosed in the notification and with data protection standards.

Other transparency duties

Are there any other public transparency duties?

Not to our knowledge.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

Under the LIL regime, any person that processes PII on behalf of the data controller is regarded as a processor. The processor may only process PII under the data controller’s instructions.

When a data controller outsources some of its processing or transfers PII in relation with such processing to a sub-contractor (ie, a data processor), it must establish an agreement with that processor.

This agreement shall specify the obligations incumbent upon the processor as regards the obligation of protection of the security and confidentiality of the data and provide that the processor may act only upon the instruction of the data controller.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Generally, there are no specific restrictions on the disclosure of PII other than the general data protection principles provided by the LIL.

Nevertheless, disclosure of sensitive PII such as health data is limited to certain institutions and professionals, unless the data controller has obtained a specific and express consent of the data subject for the disclosure of such PII.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

PII can be transferred freely to other countries within the EEA, as well as to countries recognised by the European Commission as providing an ‘adequate level of data protection’.

Such transfers of PII from France are permitted to Canada (under certain conditions), Switzerland, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra, Israel, Uruguay and New Zealand.

Furthermore, transfers of PII from France to recipients established in the US are permitted to the extent that they are registered under the Privacy Shield certification.

Moreover, a controller or processor may transfer PII to other countries, or to recipients in the United States who have not chosen to sign up to the Privacy Shield, only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards may be provided for by:

Subject to the authorisation from the CNIL, the appropriate safeguards may also be provided for, in particular, by:

However, in the absence of an adequacy decision or of appropriate safeguards as descried above, a transfer of personal data to a third country or an international organisation shall take place if:

Data controllers must inform data subjects of the data transfer and provide the following information:

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

The cross-border transfer must be approved by the CNIL when it is based on:

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

Restrictions on cross-border transfers apply to transfers from the PII owner based in France to a data processor outside of the EEA. Onward transfers are in principle subject to the restrictions in force in the recipient’s jurisdiction. By exception, SCCs contain specific requirements for onward transfers.

Rights of individuals


Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Data subjects have a right to ‘access’ the PII that a controller holds about them.

Data subjects can exercise their right of access by sending a signed and dated access request, together with proof of identity. Data subjects can request that the PII owner provides the following information:

The controller may oppose manifestly abusive access requests, in particular with respect to their excessive number or repetitive or systematic nature. In the event of a claim from the data subject, the burden of proving the manifestly abusive nature of the requests lies with the PII owner to whom they are addressed.

The right of access may be denied when the personal data is kept in a form that excludes any risk of invasion of the privacy of the data subjects (ie, if PII is pseudonymised or anonymised) and for a period not exceeding what is necessary for the sole purpose of statistical, scientific or historical research.

Other rights

Do individuals have other substantive rights?

In addition to the right of access described above, data subjects are granted the rights described below. When PII has been collected by electronic means, the data subjects must be provided with a way to exercise their rights using electronic means.

Right to object

Data subjects have the right to object to the processing of their PII on legitimate grounds, unless the processing is necessary for compliance with a legal obligation or when the act authorising the processing expressly excludes the data subjects’ right to object.

Data subjects also have the right to object, at no fee and without justification, to the use of PII related to them for the purposes of direct marketing by the PII owner or by an onward data controller.

Right to correct

Upon proof of their identity, data subjects may require the PII owner to correct, supplement, update, lock or erase personal data related to them that is inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage is prohibited.

When the concerned PII has been transmitted to a third party, the data controller must carry out the necessary diligence to notify such third party of the modifications operated in accordance with the data subjects’ request.

Right to be forgotten

Data subjects have the right to request the PII controller to erase personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, in particular where one of the following grounds applies:

Right to be forgotten for children

Data subjects have the right to request the PII controller to erase without undue delay the personal data that has been collected in the context of the provision of information society services where the data subject was under age at the time of collection. When the PII controller has transmitted the concerned data to another PII owner, the data controller shall take reasonable measures, including technical measures, to inform the onward PII owner of the data subject’s request for the deletion of any link to the data, or any copy or reproduction thereof.

This is unless the data processing is necessary:

Right of data portability

Data subjects have a right to:

‘Digital death’

Data subjects have the right to set guidelines for the retention, deletion and communication of their personal data after their death.


Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals may claim for damages when they are affected by a breach of the LIL that qualifies as a criminal offence subject to the referral to criminal jurisdiction.

In this case, compensation may amount to the total amount of damage endured by the individual, which includes moral damages or injury to feelings.


Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Where the data controller does not answer or refuses to grant the right to the data subjects’ request, the latter can refer to the CNIL or a judge to obtain interim measures against the data controller.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Not applicable.


Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

PII owners can appeal against orders or sanctions pronounced by the CNIL in front of the Supreme Court for the administrative order (the Council of State).

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

Data controllers may install cookies or equivalent devices subject to the data subject’s prior consent. Such consent may derive from the browser or other application settings. The following categories of cookies require the prior consent of the data subject:

As regards analytics, the CNIL considers that these cookies may be exempted from prior consent subject to the following:

Implied consent is now accepted and companies must implement a two-step approach for obtaining consent.

Data controllers must use a banner providing the following information to the website user:

The CNIL recommends that to ensure that the data subject’s consent is unambiguous, the banner shall not disappear until the individual continues to navigate on the website, for example, by clicking on an element of the website or navigating to another page of the website.

The CNIL considers that the consent given by the data subject is only valid for 13 months. After this period, the consent of data subjects shall be collected again with the same conditions. Accordingly, the cookies’ lifetime shall be limited to 13 months from the date of the first deposit on the user’s device. New visits of the user to the website shall not automatically extend the cookies’ lifespan.

In addition, data subjects shall be provided with an easy way to withdraw their consent to the deposit of cookies at any time.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

Sending unsolicited marketing messages is prohibited without the prior consent of the recipient. Such consent of the data subject cannot derive from:

Under the following conditions, the prior consent of the data subject is not required to address unsolicited marketing messages:

In a B2B relationship, the prior consent of the recipient is not required provided that:

Direct marketing by regular mail or telephone is not subject to the prior consent of the recipient, but the recipient has the possibility to object to it by signing up to an opt-out list. In France, this list is called Bloctel, which is the governmental opt-out list for telephone marketing.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

There is no specific provision applicable to cloud computing in the LIL or the GDPR. The CNIL issued guidelines addressed to companies contemplating subscription to cloud computing services dated 25 June 2012. These guidelines contain seven recommendations by the CNIL that should be taken into account by data controllers when assessing the opportunity to migrate to cloud services, as well as a template clause to be inserted into agreements with cloud computing services providers.

The recommendations are to:

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Key developments of the past year46 Are there any emerging trends or hot topics in international data protection in your jurisdiction?

Since the implementation of the GDPR one year ago, many national data protection authorities have reported a sharp increase in the number of complaints. In France, the CNIL recently observed a 32 per cent increase in the number of complaints received in 2018, largely attributable to the RGPD. Indeed, the CNIL has received more than 11,900 complaints since May 2018. During the first nine months of the RGPD, the EDPB reported 144,376 complaints.

In the first major example, on 25 and 28 May 2018, the CNIL received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN was mandated by 10,000 people to refer the matter to the CNIL. In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.

As a result, Google has been fined €50 million by the CNIL for not properly informing to its users how data is collected across its services to present personalised advertisements. The CNIL noticed that the information on the data-processing activities provided to users was neither easily accessible to users nor always clear or comprehensive.

The CNIL also observed that Google doesn’t properly obtain users’ consent to target them with personalised ads. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalisation is diluted in several documents and does not enable the user to be aware of their extent, with a several clicks required to access the full information. Therefore, the CNIL underlined that the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.

Finally, we can also underlines that the CNIL is more likely to make public the sanctions that it imposes on the PII controller or processor.