Here’s an open secret about Americans on the cusp of retirement age: They know how to use technology. Having been in the workforce as the digital age gestated from a fever dream into the driver of nearly every aspect of work and life in the developed world, this cohort understands its transformative power at a level digital natives have yet to grasp. Over the next decade, roughly 132 million Americans 50 and older will spend over $84 billion annually on technology.
As they approach retirement, affluent, well educated seniors are still driving technological development, participating in the digital economy as it grows and changes, and preparing for an aging process that will be largely dependent on emerging technologies to increase satisfaction, comfort, and life expectancy.
However, one of the profound changes retirement brings is access to technology. Leaving the workplace can mean losing a wealth of expensive support, from high speed internet connections and the software programs that allow seamless communication, to hardware that can be impossible to afford on a budget. And yes, that includes the person in IT who knows how to convert documents into PDFs. (Here’s another deeply held secret from a boomer: They absolutely know how to do that. They just love to see your reaction when they ask for your help. Eyerolls are always funny.)
Teasing aside, here are five critical considerations to make before transitioning out of the tech rich workplace.
Make cyber security a priority. The loss of a workplace IT infrastructure means heightened exposure to hacking, so deepening your personal knowledge about security breaches and investing in affordable, personal use security tools is a must. Don’t be put off by any implied condescension you might perceive by seeking simplified help – Internet 101.org is a great place to start the process.
Forget about remembering passwords. Leaving the office shouldn’t mean swapping strong protection of digital assets for passwords that are easy to remember and a breeze for hackers to exploit. Encrypted password managers such as 1Password provide affordable protection, generous storage, and email support.
Enroll in autopay. Just because you’re retired doesn’t mean the bills stop. Making sure they get paid automatically, on time, every month will take a huge weight off your shoulders. On the flip side, any income you have still have coming in: social security, a pension, etc., you can arrange to be automatically deposited in the account of your choosing. Being retired means you should be out there enjoying life, not spending several hours a week doing amateur accounting.
Set up online trading. You want your money to last through a long retirement. Now that you have more time, you might want to take a more hands-on approach to your investments. Services such as Ally Invest and E-Trade make it simple and easy to manage your portfolio and do self-directed trades on a daily basis.
Compromise smartly. The temptation to sacrifice capability for cost can be very compelling, especially when it comes to smartphones. While there is a fun new crop of flip phones hitting the market that may take you back to the simpler days of flip up and gab, like the updated foldable Motorola Razr, prioritize the features that are most important to you — whether it’s a great camera, the ability to use multiple apps, or mil-std ruggedization — and make sure the phone of your choice makes the grade. You’ll want something that can still keep up with your lifestyle and let you video chat with the grandkids.
Think before you ditch. Switching away from a “does it all” desktop system to a tablet or laptop may make sense from a portability standpoint, but be sure your computer investments match the quality of life you’re expecting. Desktops can be much cheaper to buy than laptops, giving you the freedom to buy both. Desktop performance is better, more flexible, and far more robust than tablets; laptops that offer equivalent desktop performance are typically cumbersome and heavy despite being optimized for mobility. If you’re a gamer, crafter, or have a penchant for art, having a desktop in your post-work tech arsenal will be a very worthwhile spend.
Plan your digital estate. You’re planning to leave your work environment, not your entire life, but now is the time to think about what may happen to your digital identity and it’s a risky aspect of estate planning to neglect. In the Digital Cheat Sheet, Everplans recommends the following steps to take:
Make a list of all your digital assets and make a plan on how they should be accessed after your passing. This includes your personal data, passwords, and hardware.
Choose an executor for these assets who will follow your wishes on erasing, preserving, or sharing data, and with whom you want your digital legacy to be shared.
Store this information where it can be readily accessed by a trusted family member, attorney, or your appointed executor.
Legalize your wishes. With the exception of Louisiana, Kentucky, and the District of Columbia, there are state provisions for digital asset legalization. Work with your estate planner to incorporate your digital assets into your will. Remember: Never include passwords or private data in your will, as it is a public document that anyone can access.
Retirement isn’t the end of your life, it’s the beginning of enjoying what you’ve worked so hard for. Set yourself up for success much the same way you did in your career. There’s a whole world of things to do that you might have missed out on. A smart retirement will enable you to make the most of your time while living on the go. Get after it!
There are 2.37 billion people who regularly log on to Facebook at least once a month to send messages and check out photos, yet in 50 years’ time there could be more dead people with profiles on the platform than living ones, according to research by the Oxford Internet Institute.
What happens to all the information we’ve created online when we kick the bucket? Who owns it and what can we do about it?
These questions psychologist Elaine Kasket is attempting to answer in her book, All The Ghosts In The Machine: The Digital Afterlife Of Your Personal Data. Released in paperback this week, it aims to help us understand our digital footprints and how we can take control of them before it’s too late.
What Kasket wants you to know, first, is that it’s not a book about death or grieving, it’s about understanding how we use tech and its impact. “What people need to realise is that because of the involvement and control of tech companies, there are a lot of issues around access, a lot of expectations, that are not met. We assume that digital stuff obeys the same law of ownership and control as physical stuff.”
Kasket says her interest in digital death started when she was a teenage goth in the mid-Eighties as the internet was starting to gain traction. But it really took off when she joined Facebook in 2007. When 32 people died in the Virginia Tech shooting in the US that year, the platform decided to memorialise accounts instead of instantly deleting them, following criticisms from family and friends of those killed. “I was interested from a psychological perspective in how people were using the site and commenting on photos to speak directly to the deceased.”
Dealing with memorialisation online was something Twitter recently grappled with. Last November, the platform had to roll back plans to cull accounts that hadn’t been used in more than six months following a public outcry over what would happen to accounts of the deceased. The Twitter profile of former Guardian journalist and writer Deborah Orr is a particular sore point for her friends and followers — author Jojo Moyes tweeted to say it felt like she had been “erased” after the platform removed the account.
But for Kasket, this is part of the conundrum. “What kind of moral obligation does Twitter have? It’s considered a duty of care to preserve the data of dead users. Why? Isn’t that just another instance of us relying on technology to do the things that we should bear the responsibility for ourselves?”
What’s online isn’t forever, particularly when it comes to storing all this data in the cloud. It takes money and energy to keep servers going — we already know the environmental costs of bitcoin, with one study last year estimating that for every $1 generated in the cryptocurrency’s value in 2018, and climate damages in the US. Think of the energy being used to keep dead social media profiles alive. As the OII figures demonstrated, it’ll only get bigger.
Then there’s the issues of trying to shut down a social media account owned by someone who is no longer here. Passwords could be put away and only an authenticated fingerprint could unlock them. Kasket is particularly worried about the impact of deepfakes: videos edited using AI to modify someone’s speech. “If James Dean is going to be deepfaked into a film, then a citizen can be deepfaked into a bank account being drained when the system is not aware the person is dead.”
So what can we do about it? You can begin by making a digital will. Farewill, a digital will-writing specialist, raised £7.5 million in funding last year (farewill.com). Make sure to include information such as: “I want my Facebook profile to be memorialised.” You can also nominate a digital executor who can remove or memorialise your accounts; Google and Facebook both offer these services, whilst Twitter says it’s “looking into” it.
Be wary of what you give access to. If you have digital skeletons, then maybe lock those accounts away instead of opening them up to future discoveries. Kasket also advises “going old-school” — the photos that you have stored on Facebook? Download them onto an external hard drive or print them. “It’s a fascinating conundrum that we’re dealing with,” says Kasket. “Once upon a time the dead had no rights to privacy or data protection but that’s before we left behind so much identifiable and personable data.”
Before you post that next Twitter musing on the headline of the day, maybe use that time to look into creating a digital will. After all, there’s no time like the present.
All the Ghosts In The Machine: The Digital Afterlife Of Your Personal Data by Dr Elaine Kasket is out now (£9.99, Robinson/Little Brown UK)
Esther Earl never meant to tweet after she died. On 25 August 2010, the 16-year-old internet vlogger died after a four-year battle with thyroid cancer. In her early teens, Esther had gained a loyal following online, where she posted about her love of Harry Potter, and her illness. Then, on 18 February 2011 – six months after her death – Esther posted a message on her Twitter account, @crazycrayon.
“It’s currently Friday, January 14 of the year 2010. just wanted to say: I seriously hope that I’m alive when this posts,” she wrote, adding an emoji of a smiling face in sunglasses. Her mother, Lori Earl from Massachusetts, tells me Esther’s online friends were “freaked out” by the tweet.
“I’d say they found her tweet jarring because it was unexpected,” she says. Earl doesn’t know which service her daughter used to schedule the tweet a year in advance, but believes it was intended for herself, not for loved ones after her death. “She hoped she would receive her own messages … [it showed] her hopes and longings to still be living, to hold on to life.”
Although Esther did not intend her tweet to be a posthumous message for her family, a host of services now encourage people to plan their online afterlives. Want to post on social media and communicate with your friends after death? There are lots of apps for that! Replika and Eternime are artificially intelligent chatbots that can imitate your speech for loved ones after you die; GoneNotGone enables you to send emails from the grave; and DeadSocial’s “goodbye tool” allows you to “tell your friends and family that you have died”. In season two, episode one of Black Mirror, a young woman recreates her dead boyfriend as an artificial intelligence – what was once the subject of a dystopian 44-minute fantasy is nearing reality.
But although Charlie Brooker portrayed the digital afterlife as something twisted, in reality online legacies can be comforting for the bereaved. Esther Earl used a service called FutureMe to send emails to herself, stating that her parents should read them if she died. Three months after Esther’s death, her mother received one of these emails. “They were seismically powerful,” she says. “That letter made us weep, but also brought us great comfort – I think because of its intentionality, the fact that she was thinking about her future, the clarity with which she accepted who she was and who she hoped to become.”
Because of the power of Esther’s messages, Earl knows that if she were dying, she would also schedule emails for her husband and children. “I think I would be very clear about how many messages I had written and when to expect them,” she adds, noting they could cause anxiety for relatives and friends otherwise.
Yet while the terminally ill ponder their digital legacies, the majority of us do not. In November 2018, a YouGov survey found that only 7% of people want their social media accounts to remain online after they die, yet it is estimated that by 2100, there could be 4.9bn dead users on Facebook alone. Planning your digital death is not really about scheduling status updates for loved ones or building an AI avatar. In practice, it is a series of unglamorous decisions about deleting your Facebook, Twitter and Netflix accounts; protecting your email against hackers; bestowing your music library to your friends; allowing your family to download photos from your cloud; and ensuring that your online secrets remain hidden in their digital alcoves.
“We should think really carefully about anything we’re entrusting or storing on any digital platform,” says Dr Elaine Kasket, a psychologist and author of All the Ghosts in the Machine: Illusions of Immortality in the Digital Age. “If our digital stuff were like our material stuff, we would all look like extreme hoarders.” Kasket says it is naive to assume that our online lives die with us. In practice, your hoard of digital data can cause endless complications for loved ones, particularly when they don’t have access to your passwords.
“I cursed my father every step of the way,” says Richard, a 34-year-old engineer from Ontario who was made executor of his father’s estate four years ago. Although Richard’s father left him a list of passwords, not one remained valid by the time of his death. Richard couldn’t access his father’s online government accounts, his email (to inform his contacts about the funeral), or even log on to his computer. For privacy reasons, Microsoft refused to help Richard access his father’s computer. “Because of that experience I will never call Microsoft again,” he says.
Our devices capture so much stuff, we don’t think about the consequences for when we’re not here
Compare this with the experience of Jan-Ole Lincke, a 24-year-old pharmaceutical worker from Hamburg whose father left up-to-date passwords behind on a sheet of paper when he died two years ago. “Getting access was thankfully very easy,” says Lincke, who was able to download pictures from his father’s Google profile, shut down his email to prevent hacking, and delete credit card details from his Amazon account. “It definitely made me think about my own [digital legacy],” says Lincke, who has now written his passwords down.
Yet despite growing awareness about the data we leave behind, very few of us are doing anything about it. In 2013, a Brighton-based company called Cirrus Legacy made headlines after it began allowing people to securely leave behind passwords for a nominated loved one. Yet the Cirrus website is now defunct, and the Guardian was unable to reach its founder for comment. Clarkson Wright & Jakes Solicitors, a Kent-based law firm that offered the Cirrus service to its clients, says the option was never popular.
“We’ve been aware for quite a period now that the big issue for the next generation is digital footprints,” says Jeremy Wilson, head of the wills and estates team at CWJ. “Cirrus made sense and ticked a lot of boxes but, to be honest, not one client has taken us up on it.”
Wilson also notes that people don’t know about the laws surrounding digital assets such as the music, movies and games they have downloaded. While many of us assume we own our iTunes library or collection of PlayStation games, in fact, most digital downloads are only licensed to us, and this licence ends when we die.
What we want to do and what the law allows us to do with our digital legacy can therefore be very different things. Yet at present it is not the law that dominates our decisions about digital death. “Regulation is always really slow to keep up with technology,” says Kasket. “That means that platforms and corporations like Facebook end up writing the rules.”
In 2012, a 15-year-old German girl died after being hit by a subway train in Berlin. Although the girl had given her parents her online passwords, they were unable to access her Facebook account because it had been “memorialised” by the social network. Since October 2009, Facebook has allowed profiles to be transformed into “memorial pages” that exist in perpetuity. No one can then log into the account or update it, and it remains frozen as a place for loved ones to share their grief.
The girl’s parents sued Facebook for access to her account – they hoped to use it to determine whether her death was suicide. They originally lost the case, although a German court later granted the parents permission to get into her account, six years after her death.
“I find it concerning that any big tech company that hasn’t really shown itself to be the most honest, transparent or ethical organisation is writing the rulebook for how we should grieve, and making moral judgments about who should or shouldn’t have access to sensitive personal data,” says Kasket. The author is concerned with how Facebook uses the data of the dead for profit, arguing that living users keep their Facebook accounts because they don’t want to be “locked out of the cemetery” and lose access to relatives’ memorialised pages. As a psychologist, she is also concerned that Facebook is dictating our grief.
“Facebook created memorial profiles to prevent what they called ‘pain points’, like getting birthday reminders for a deceased person,” she says. “But one of the mothers I spoke to for my book was upset when her daughter’s profile was memorialised and she stopped getting these reminders. She was like, ‘This is my daughter, I gave birth to her, it’s still her birthday’.”
While Facebook users now have the option to appoint a “legacy contact” who can manage or delete their profile after death, Kasket is concerned that there are very few personalisation options when it comes to things like birthday reminders, or whether strangers can post on your wall. “The individuality and the idiosyncrasy of grief will flummox Facebook every time in its attempts to find a one-size-fits-all solution,” she says.
Matthew Helm, a 27-year-old technical analyst from Minnesota, says his mother’s Facebook profile compounded his grief after she died four years ago. “The first year was the most difficult,” says Helm, who felt some relatives posted about their grief on his mother’s wall in order to get attention. “In the beginning I definitely wished I could just wipe it all.” Helm hoped to delete the profile but was unable to access his mother’s account. He did not ask the tech giant to delete the profile because he didn’t want to give it his mother’s death certificate.
Conversely, Stephanie Nimmo, a 50-year-old writer from Wimbledon, embraced the chance to become her husband’s legacy contact after he died of bowel cancer in December 2015. “My husband and I shared a lot of information on Facebook. It almost became a bit of an online diary,” she says. “I didn’t want to lose that.” She is pleased people continue to post on her husband’s wall, and enjoys tagging him in posts about their children’s achievements. “I’m not being maudlin or creating a shrine, just acknowledging that their dad lived and he played a role in their lives,” she explains.
Nimmo is now passionate about encouraging people to plan their digital legacies. Her husband also left her passwords for his Reddit, Twitter, Google and online banking accounts. He also deleted Facebook messages he didn’t want his wife to see. “Even in a marriage there are certain things you wouldn’t want your other half to see because it’s private,” says Nimmo. “It worries me a little that if something happened to me, there are things I wouldn’t want my kids to see.”
When it comes to the choice between allowing relatives access to your accounts or letting a social media corporation use your data indefinitely after your death, privacy is a fundamental issue. Although the former makes us sweat, the latter is arguably more dystopian. Dr Edina Harbinja is a law lecturer at Aston University, who argues that we should all legally be entitled to postmortem privacy.
If we don’t start making decisions about our digital deaths, then someone else will be making them for us
“The deceased should have the right to control what happens to their personal data and online identities when they die,” she says, explaining that the Data Protection Act 2018 defines “personal data” as relating only to living people. Harbinja says this is problematic because rules such as the EU’s General Data Protection Regulation don’t apply to the dead, and because there are no provisions that allow us to pass on our online data in wills. “There can be many issues because we don’t know what would happen if someone is a legacy contact on Facebook, but the next of kin want access.” For example, if you decide you want your friend to delete your Facebook pictures after you die, your husband could legally challenge this. “There could be potential court cases.”
Kasket says people “don’t realise how much preparation they need to do in order to make plans that are actually able to be carried out”. It is clear that if we don’t start making decisions about our digital deaths, then someone else will be making them for us. “What one person craves is what another person is horrified about,” says Kasket.
How close are we to a Black Mirror-style digital afterlife?
Esther Earl continued to tweet for another year after her death. Automated posts from the music website Last.fm updated her followers about the music she enjoyed. There is no way to predict the problems we will leave online when we die; Lori Earl would never have thought of revoking Last.fm’s permissions to post on her daughter’s page before she died. “We would have turned off the posts if we had been able to,” she says.
Kasket says “the fundamental message” is to think about how much you store digitally. “Our devices, without us even having to try, capture so much stuff,” she says. “We don’t think about the consequences for when we’re not here any more.”
Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?
The legislative framework for the protection of PII in France is one of the oldest in Europe as it is based on the Law on Computer Technology and Freedom dated 6 January 1978 (Loi Informatique et Liberté, or LIL). This law has been amended several times since then, and especially by:
Law No. 2004-801 dated 6 August 2004 to implement the provisions of Directive 95/46/CE;
Law No. 2016-1321 dated 7 October 2016, which anticipates the implementation of certain provisions of the EU General Data Protection Regulation 2016/679 (GDPR);
Law No. 2018-493 of 20 June 2018 , which implements the GDPR in France and further amend the LIL;
Ordinance No. 2018-1125 of 12 December 2018 and Decree No. 2019-536 of 29 May 2019, which complete at the legislative level the compliance of the national law with the GDPR and redraft the LIL for a better readability and urderstanding of the law.
As a regulation, the GDPR has been directly effective in France since 25 May 2018.
Furthermore, the following international instruments on privacy and data protection also apply in France:
the Council of Europe Convention 108 on the Protection of Privacy and Trans-Border Flows of Personal Data;
the European Convention on Human Rights and Fundamental Freedoms (article 8 on the right to respect for private and family life); and
the Charter for Fundamental Rights of the European Union (article 7 on the right to respect for private and family life and article 8 on the right to the protection of personal data).
Data protection authority
Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.
The data protection authority in France is the National Commission for Data Protection and Liberties (CNIL). The CNIL is an independent public body entrusted with the following powers.
Powers of sanction
The maximum threshold of penalties that the CNIL can pronounce has been increased from €150,000 to €20 million or 4 per cent of world turnover for companies since the GDPR.
The CNIL can now compel sanctioned entities to inform each data subject individually of this sanction at their own expense.
It may also impose financial penalties without prior formal notification by the bodies where the failure to fulfil obligations cannot be brought into conformity.
It can also limit temporarily or definitively a specific processing.
Control and investigation powers
The CNIL is vested with investigation and control powers that allow its staff to have access to all professional premises and to request, on the spot, all necessary documents and to take a copy of any useful information. CNIL staff can also access any computer programs linked to the processing of PII and to recorded information. The CNIL can also conduct a documentary control where a letter accompanied by a questionnaire is sent to a PII controller and/or processor to assess the conformity of processing operations carried out by them or an online investigation, in particular by consulting data that are freely accessible or made directly accessible online, including under a fake identity.
In 2019, the CNIL will focus its supervisory action on three main themes, directly resulting from the entry into force of the GDPR:
respect of the rights of the data subjects;
the processing of minors’ data; and
the sharing of responsibilities between controllers and processors.
The powers of the CNIL have recently been extended, as it will have to be consulted for every bill or decree related to data protection and processing. Opinions will automatically be published.
The CNIL is also entrusted with the power to certify, approve and publish standards or general methodologies to certify the compliance of personal data anonymisation processes with the GDPR, notably for the reuse of public information available online.
Legal obligations of data protection authority
Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?
If the owner or processor of PII carries out cross-border processing either through multiple establishments in the EU or with only a single establishment, the supervisory authority for the main or single establishment acts as lead authority in respect of that cross-border processing.
As lead authority, the CNIL must cooperate with the data protection authorities in other member states where the owner or the processor is established, or where data subjects are substantially affected, or authorities to whom a complaint has been made. Specifically, the CNIL has to provide information to other data protection authorities and can seek mutual assistance from them and conduct joint investigations with them on their territories.
More generally, the CNIL is required to provide assistance to other data protection authorities in the form of information or carrying out ‘prior authorisations and consultations, inspections and investigations’. The European Commission can specify forms and procedures for mutual assistance. The CNIL could also participate in joint investigation and enforcement operations with other data protection authorities, particularly when a controller has an establishment on its territory or a significant number of its data subjects are likely to be substantially affected.
Breaches of data protection
Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?
Failure to comply with data protection laws can result in complaints, data authority investigations and audits, administrative fines, penalties or sanctions, seizure of equipment or data, civil actions (including class actions that have been introduced by Law No. 2016-1547 dated 18 November 2016 for the Modernisation of the 21st Century Justice), criminal proceedings and private rights of action.
When the CNIL finds a PII owner to be in breach of its obligations under the LIL, as a preliminary step the CNIL chairman may issue a formal notice for the PII owner to remedy the breach within a limited period of time. In cases of extreme urgency, this period may be reduced to 24 hours.
When the breach cannot be remedied in the context of a formal notice, the CNIL may impose one of the following sanctions without prior formal notice of adversarial procedure:
a formal warning notification;
a financial penalty; or
the withdrawal of the authorisation to operate the data processing.
When the PII owner complies with the terms of the formal notice, the CNIL chairman shall declare the proceedings closed. Otherwise, the competent committee of CNIL may, after a contradictory procedure, pronounce one of the following penalties:
a warning notification;
a financial penalty, except when the PII owner is a public authority;
an injunction to cease treatment; or
the withdrawal of the authorisation granted by the CNIL for the data processing concerned.
In case of emergency and infringement to civil rights and freedoms, the CNIL may, after an adversarial procedure, take the following measures:
the suspension of the operation of data processing;
a formal warning;
the lockdown of PII for a maximum of three months (except for certain processing carried out on behalf of the French Administration); or
for certain sensitive files of the French Administration, the Prime Minister is given information in order for him to take the necessary measures to remedy the breaches.
In the event of a serious and immediate violation of rights and freedoms, the chairman of the CNIL may request, by summary application, the competent judge to order any necessary security measures.
The CNIL may also inform the public prosecutor that it has found infringements of data protection law that are criminally sanctionable.
Publicity of the penalties
The CNIL can make public the financial penalties that it pronounces. The inclusion of these sanctions in publications or newspapers is no longer subject to the condition of bad faith of the entity concerned.
Infringements to data protection law may be punished by imprisonment for a maximum period of five years and a criminal fine up to €300,000 (articles 226-16 to 226-22-1 of the Criminal Code). However, criminal sanctions are hardly ever pronounced.
Exempt sectors and institutions
Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?
The LIL is generally applicable to all public bodies and all non-public entities that process PII and intends to cover all sectors. However, certain processing carried out by public authorities is subject to specific obligations that differ from the general obligations imposed upon private entities, for example:
processing of PII by public bodies for reasons of national security is subject to a specific regime supervised by the executive power; and
processing of PII managed by judicial authorities related to offences, convictions and security measures is subject to a specific regime supervised by the executive power.
The following categories of data processing fall outside the scope of the LIL:
processing of PII solely for journalistic or artistic purposes; and
processing of PII by a natural person in the course of a purely personal or household activity.
Communications, marketing and surveillance laws
Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.
The LIL does not cover the interception of communications nor surveillance of individuals when implemented for public interest purposes.
This is subject to the authority of a dedicated public authority, the National Commission for Monitoring Intelligence Techniques. This field is regulated by several laws, mainly Law No. 91-646 of 10 July 1991 and Law No. 2015-912 of 24 July 2015.
Electronic marketing is subject to the Postal and Electronic Communication Code (article L. 34-5 et seq) and to the Consumer Code (article L. 121-20-5 et seq).
Identify any further laws or regulations that provide specific data protection rules for related areas.
Processing of health PII is subject to the provisions of the Public Health Code as well as to the LIL.
The solicitation by automatic calling machines, email or fax, and the sale or transfer of PII for prospecting purposes using these, is subject to the provisions of the Postal and Electronic Communications Code.
What forms of PII are covered by the law?
The LIL is aimed at covering all forms of PII, which means any information relating to an individual who is identified or who could be directly or indirectly identified, by reference to an identification number or to the combination of one or several elements.
In addition, the LIL applies to automatic processing and to non-automatic processing of PII that forms part of a filing system (or is intended to form part of a filing system), with the exception of processing carried out for personal purposes. Accordingly, even records of PII in paper form may be subject to the LIL.
Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?
The LIL applies to processing of PII carried out by a PII owner:
who is established in France, whether or not the processing takes place in France. In this context, ‘establishment’ is broadly interpreted as it refers to all sorts of ‘installation’, regardless of its legal form; or
who is not established in France, but who uses a means of processing located in French territory, for instance, hosting data, internet service provider, cloud services, among others.
Covered uses of PII
Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?
In principle, the LIL applies to all processing of PII, with the exception of that carried out for purely personal purposes. The controller determines the purposes for which and the means by which PII is processed, whereas the processor processes PII only on behalf of the controller. The duties of the processor towards the controller must be specified in a contract or another legal act.
In principle, the PII controller is the principal party for responsibilities such as collecting consent, enabling the right to access or managing consent-revoking. However, the GDPR introduces direct obligations for PII processors (including security, international transfers, record keeping, etc) and thus they can be held directly liable by data protection authorities for breaches of the GDPR and the LIL.
Controllers and processors are also jointly and severally liable where they are both responsible for damage caused by a breach.
Legitimate processing of PII
Legitimate processing – grounds
Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?
Every collection, processing or use of PII needs to be justified under French data protection law. In principle, the ground for legitimate processing must be the consent of the data subject, but the LIL introduced statutory legal exemptions to obtain the consent of the data subject for some processing when it is carried out for the following purposes:
the respect of a legal obligation of the data controller;
the protection of the data subject’s life (interpreted restrictively);
the performance of a public service mission entrusted to the data controller or the data recipient;
the performance of either a contract to which the data subject is a party or steps taken at the request of the data subject prior to entering a contract; or
the pursuit of the data controller’s or the data recipient’s legitimate interest provided such interest is not incompatible with the fundamental rights and interests of the data subject.
Legitimate processing – types of PII
Does the law impose more stringent rules for specific types of PII?
French law is more restrictive for the processing of specific types of PII, known as sensitive personal data. As a matter of principle, processing of sensitive data is prohibited.
The LIL provides a non-exhaustive list of sensitive PII by nature, which is PII that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of individuals, or that concerns their health or sexual life. This category of sensitive data by nature can only be processed in the following cases, among others:
the data subject gave prior express consent;
the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving his or her consent;
the processing is carried out by a foundation, association or any other non-profit organisation with political, philosophical, religious or trade union objectives, in the course of its legitimate activities;
the processing relates to PII that has been made public by the data subject; or
the processing is necessary for the establishment, exercise or defence of legal claims.
In relation to the use of PII in the employment context, the CNIL published several opinions on monitoring the activities of employees, video surveillance, discrimination, localisation data and collection of PII in the recruitment process. Moreover, in France, employers cannot rely on consent for processing involving PII of its employees, since the employees cannot freely consent as they are by nature subordinated to the employer.
Moreover, processing can be prohibited due to its context, such as the processing of PII relating to offences, convictions and security measures, which can only be carried out by a limited number of specific entities.
Furthermore, according to the law on the protection of personal data, a minor may consent to the processing of personal data alone with regard to the offer of information society services from the age of 15, which differs from the threshold of 16 years provided in the GDPR.
The law on the protection of personal data establishes a principle of prohibition of decisions producing legal effects on the sole basis of automated processing, including profiling intended to define the profile of the person concerned or to evaluate certain aspects of his or her personality. Such a provision maintains a certain gap with the GDPR, since the law is based on a prohibition in principle of such automated processing while the GDPR refers to an ‘individual right’ of the person concerned ‘not to be the subject of a decision based solely on automated processing, including profiling’.
Data handling responsibilities of owners of PII
Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?
As a general rule, data subjects shall be provided with the following information when their PII is collected:
the identity of the data controller;
contact details for the data protection officer, where applicable;
the purposes and the legal basis of the processing;
the category of personal data;
when PII is collected via a questionnaire, whether replies to the question are compulsory or optional;
the consequences of an absence of reply;
the categories of recipients of the data;
information on the data subject’s rights and the method to be used to exercise them (ie, the right to access the collected PII and to rectify, complete, update, block or delete it if inaccurate, incomplete, equivocal or expired; and the right to direct the use of their PII after their death);
the intended transfer of PII outside the EEA;
the storage duration or the criteria that will be used to determine the duration;
the right to lodge a complaint with a supervisory authority; and
the existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic used and the significance and envisaged consequences of such processing for the data subject.
Where the data was not obtained from the data subject, the information must be provided at the time of recording of the personal data or, if disclosure to a third party is planned, no later than at the time the data is disclosed for the first time.
Exemption from notification
When is notice not required?
Notice is not required if the data subject already received such information. Furthermore, in cases where the data subject did not provide his or her PII directly, the data controller is exempted from the notification obligation if:
informing the data subject proves impossible or would involve a disproportionate effort, in particular in the context of statistical, historical or scientific research, or for the purpose of medical examination of the population with a view to protecting and promoting public health;
the data subject already has the information;
the PII is recorded only to comply with statutory and legal obligations; or
the PII must remain confidential subject to an obligation of professional secrecy regulated by EU or member state law, including a statutory obligation of secrecy.
Control of use
Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?
The LIL grants rights to data subjects allowing them to have some control over the use of their PII. The relevant rights in this field are notably the right to rectify inaccurate or out-of-date PII, and the right to be forgotten, in order to obtain the deletion of such PII (see question 38).
Does the law impose standards in relation to the quality, currency and accuracy of PII?
As a general rule, the PII controller shall ensure that the processed PII is adequate, relevant and not excessive in relation to the purposes for which it is collected and for onward processing. In addition, the PII owner shall also ensure that PII is accurate, complete and, if necessary, updated. In this respect, the law provides that the PII owner shall take appropriate measures to ensure that inaccurate or incomplete data for the purposes for which it is collected or processed is erased or rectified.
Amount and duration of data holding
Does the law restrict the amount of PII that may be held or the length of time it may be held?
PII owners are required to limit the processing of PII to what is strictly necessary for the purpose of the processing. The amount of PII collected and processed must be proportionate to the purposes of the processing.
The LIL also provides that the PII must only be kept in a form enabling the data subject to be identified for a period that does not exceed the time necessary for the purposes for which the PII is collected and processed. Accordingly, if the legitimate ground of the processing has disappeared or expired, the controller should erase, anonymise or pseudonymise the PII.
Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?
The finality principle is a core principle of data protection regulation in France. PII can only be collected for specified, explicit and legitimate purposes and must not be further processed in a way incompatible with those purposes.
Furthermore, the CNIL already encourages PII controllers to implement the ‘data minimisation’ principle (which is consecrated in the GDPR), as well as the systematic use, where applicable, of anonymisation and pseudonymisation techniques.
Use for new purposes
If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?
PII can be processed for new purposes provided that such onward processing is not incompatible with the initial purposes for which the PII was collected and subject to the data subject’s rights and the principle of data minimisation.
Processing of PII for new purposes when such purposes are statistical, historical or medical research is generally considered as compatible with the initial purpose.
Processing of PII for new purposes even incompatible with the initial purpose is also possible with the prior consent of the data subject.
What security obligations are imposed on PII owners and service providers that process PII on their behalf?
Data controllers must protect PII against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks.
Data controllers are required to take steps to:
ensure that PII in their possession and control is protected from unauthorised access and use;
implement appropriate physical, technical and organisational security safeguards to protect PII; and
ensure that the level of security is appropriate with the amount, nature and sensitivity of the PII.
The CNIL issued guidelines on 23 January 2018 on the security measures to be implemented by data controllers, in line with the requirement of the GDPR, to guarantee the security of personal data processing. These guidelines encourage data controllers to perform a privacy impact assessment, which shall be carried out in consideration of the two following pillars:
the principles and fundamental rights identified as ‘not negotiable’, which are set by law and must be respected. They shall not be subject to any modulation, irrespective of the nature, seriousness or likelihood of the risks incurred; and
the management of risks on data subjects that allows data controllers to determine which appropriate technical and organisational measures shall be taken to protect the PII.
Notification of data breach
Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?
With the GDPR, there is a general obligation for PII controllers to report PII data breaches to the CNIL without undue delay and, where feasible, not later than 72 hours after becoming aware of it. However, an exception to this notification exists when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, reasons will have to be provided to the supervisory authority.
The notification shall at least:
describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
describe the likely consequences of the personal data breach; and
describe the measures taken or proposed to be taken by the owner to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Moreover, when the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall notify the data breach to the data subject without undue delay. This notification can be waived if the CNIL considers that:
the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
appropriate technical and organisational protection was in place at the time of the incident (eg, encrypted data); or
the notification would trigger disproportionate efforts (instead a public information campaign or ‘similar measures’ should be relied on so that affected data subjects can be effectively informed).
The PII owner must keep an updated record of all PII breaches, which must contain the list of conditions, effects and measures taken as remedies. This record must be communicated to the CNIL on request.
Failure to meet the above requirements exposes the owners of PII to an administrative fine of up to €10,000,000 or, in case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Providers of electronic communication services are also subject to an obligation to notify the CNIL within 24 hours in the event of a PII breach. In this respect, when the PII breach may affect PII or the privacy of a data subject, the PII controller shall also notify the concerned data subject without delay.
Data protection officer
Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?
Controllers and processors may decide to appoint a data protection officer (DPO). However, this is mandatory for public sector bodies, those involved in certain listed sensitive processing or monitoring activities or where local law requires an appointment to be made.
The DPO assists the owner or the processor in all issues relating to the protection of the PII. In a nutshell, the DPO must:
monitor compliance of the organisation with all regulations regarding data protection, including audits, awareness-raising activities and training of staff involved in processing operations;
advise and inform the owner or processor, as well as their employees, of their obligations under data protection regulations;
act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights; and
cooperate with the data protection authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.
Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?
PII controllers are required to maintain a record of processing activities under their responsibilities as referred to in article 30 of the GDPR. Processors of PII are also required to maintain such a record about personal data that controllers engage them to process.
While an exemption from the above obligations applies to organisations employing fewer than 250 people, this exemption will not apply where sensitive data is processed and where owners or processors of PII find themselves in the position of:
carrying out processing likely to result in a risk (not just a high risk) to the rights of the data subjects;
processing personal data on a non-occasional basis; or
processing sensitive data or data relating to criminal convictions.
New processing regulations
Are there any obligations in relation to new processing operations?
Since the GDPR is directly effective in France, controllers and processors of PII are required to apply a privacy-by-design approach by implementing technical and organisational measures to show that they have considered and integrated data compliance measures into their data-processing activities. These technical and organisational measures might include the use of pseudonymisation techniques, staff training programmes and specific policies and procedures.
In addition, when processing is likely to result in a high risk to the rights and freedoms of natural persons, owners and controllers are required to carry out a detailed privacy impact assessment (PIA). Where a PIA results in the conclusion that there is indeed a high, and unmitigated, risk for the data subjects, controllers must notify the supervisory authority and obtain its view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.
Controllers and processors may decide to appoint a DPO (see question 22).
Registration and notification
Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?
PII controllers or processors are not required to register with the CNIL.
Since the entry into force of the GDPR, owners and processors no longer have the obligation to declare the PII processing they carry out to the CNIL.
However, the law on personal data maintains the requirement of a prior authorisation from the CNIL for the following processing:
of biometric or genetic data by the state;
for research, study or evaluation in the field of health.
What are the formalities for registration?
The formalities of registration for data processing requiring prior authorisation must be performed for each new PII processing operation.
The formalities are free of charge and can be realised on the CNIL’s website and are non-renewable since they remain valid for the whole duration of the processing. The following information must be provided:
the identity and the address of the data controller;
the purposes of the processing and the general description of its functions;
if necessary, the combinations, alignments or any other form of relation with other processing;
the PII processed, its origin and the categories of data subjects to which the processing relates;
the period of retention of the processed information;
the department responsible for carrying out the processing;
the authorised recipients to whom the data may be disclosed;
the function of the person where the right of access is exercised, as well as the measures relating to the exercise of this right;
the steps taken to ensure the security of the processing and data, the safeguarding of secrets protected by law and, if necessary, information on recourse to a sub-contractor; and
if applicable, any transfer of PII that is envisaged outside of the EEA.
What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?
Failure to comply with the registration obligation can be punished by imprisonment for a maximum period of five years and a criminal fine of up to €300,000 (article 226-16 and 226-16-1 A of the Criminal Code).
Refusal of registration
On what grounds may the supervisory authority refuse to allow an entry on the register?
The CNIL can refuse its registration if some of the information to be provided is missing or if the PII collected for the processing is too broad in relation to its purpose. In such cases, the PII owner cannot carry out the intended data processing. Failure to comply with a refusal of the CNIL to authorise processing is subject to criminal sanctions (see question 27).
Is the register publicly available? How can it be accessed?
On 30 August 2017, the CNIL published on its website a register that lists the formalities completed since 1979 by data controllers (public and private). This register can be consulted freely, with ease, via the CNIL website.
Effect of registration
Does an entry on the register have any specific legal effect?
The PII controller may only be allowed to start carrying out the processing upon registration and receipt of authorisation from the CNIL.
The registration as such does not exempt a data controller from any of its other obligations. After the registration, data controllers still need to ensure that the processing complies with the information disclosed in the notification and with data protection standards.
Other transparency duties
Are there any other public transparency duties?
Not to our knowledge.
Transfer and disclosure of PII
Transfer of PII
How does the law regulate the transfer of PII to entities that provide outsourced processing services?
Under the LIL regime, any person that processes PII on behalf of the data controller is regarded as a processor. The processor may only process PII under the data controller’s instructions.
When a data controller outsources some of its processing or transfers PII in relation with such processing to a sub-contractor (ie, a data processor), it must establish an agreement with that processor.
This agreement shall specify the obligations incumbent upon the processor as regards the obligation of protection of the security and confidentiality of the data and provide that the processor may act only upon the instruction of the data controller.
Restrictions on disclosure
Describe any specific restrictions on the disclosure of PII to other recipients.
Generally, there are no specific restrictions on the disclosure of PII other than the general data protection principles provided by the LIL.
Nevertheless, disclosure of sensitive PII such as health data is limited to certain institutions and professionals, unless the data controller has obtained a specific and express consent of the data subject for the disclosure of such PII.
Is the transfer of PII outside the jurisdiction restricted?
PII can be transferred freely to other countries within the EEA, as well as to countries recognised by the European Commission as providing an ‘adequate level of data protection’.
Such transfers of PII from France are permitted to Canada (under certain conditions), Switzerland, Argentina, Guernsey, the Isle of Man, Jersey, the Faroe Islands, Andorra, Israel, Uruguay and New Zealand.
Furthermore, transfers of PII from France to recipients established in the US are permitted to the extent that they are registered under the Privacy Shield certification.
Moreover, a controller or processor may transfer PII to other countries, or to recipients in the United States who have not chosen to sign up to the Privacy Shield, only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The appropriate safeguards may be provided for by:
a legally binding and enforceable instrument between public authorities or bodies;
binding corporate rules approved by the CNIL;
standard data protection clauses – model clauses designed by the European Commission to facilitate transfers of personal data from the EU to all third countries, while providing sufficient safeguards for the protection of individuals’ privacy; or
a code of conduct approved by the CNIL, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
a certification mechanism approved by the CNIL together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
Subject to the authorisation from the CNIL, the appropriate safeguards may also be provided for, in particular, by:
contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
However, in the absence of an adequacy decision or of appropriate safeguards as descried above, a transfer of personal data to a third country or an international organisation shall take place if:
the data subject has explicitly consented to its transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or
the transfer is necessary under one of the following conditions:
protection of the data subject’s life;
protection of the public interest;
to meet obligations ensuring the establishment, exercise or defence of legal claims;
consultation of a public register that is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject’s request; or
conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject between the data controller and a third party.
Data controllers must inform data subjects of the data transfer and provide the following information:
the country where the recipient of the data is established;
the nature of the data transferred;
the purpose of the transfer;
categories of the recipients; and
the level of protection of the state concerned or adopted alternative measures.
Notification of cross-border transfer
Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?
The cross-border transfer must be approved by the CNIL when it is based on:
contractual clauses concluded between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
provisions inserted into administrative arrangements between public authorities or public bodies which include enforceable and effective data subject rights.
If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?
Restrictions on cross-border transfers apply to transfers from the PII owner based in France to a data processor outside of the EEA. Onward transfers are in principle subject to the restrictions in force in the recipient’s jurisdiction. By exception, SCCs contain specific requirements for onward transfers.
Rights of individuals
Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.
Data subjects have a right to ‘access’ the PII that a controller holds about them.
Data subjects can exercise their right of access by sending a signed and dated access request, together with proof of identity. Data subjects can request that the PII owner provides the following information:
confirmation as to whether the controller processes the data subject’s PII;
information related to the purposes for which the PII is processed, and the recipients or categories of recipients to whom the PII is or has been provided;
where applicable, information related to cross-border data transfers;
the logic involved in any automated decision making (if any);
the communication, in an accessible form, of personal data concerning the data subject as well as any information available as to the origin of the data; and
information allowing the data subject to know and to contest the logic underlying the automated processing in the event of a decision taken on the basis of it and producing legal effects with regard to the person concerned.
The controller may oppose manifestly abusive access requests, in particular with respect to their excessive number or repetitive or systematic nature. In the event of a claim from the data subject, the burden of proving the manifestly abusive nature of the requests lies with the PII owner to whom they are addressed.
The right of access may be denied when the personal data is kept in a form that excludes any risk of invasion of the privacy of the data subjects (ie, if PII is pseudonymised or anonymised) and for a period not exceeding what is necessary for the sole purpose of statistical, scientific or historical research.
Do individuals have other substantive rights?
In addition to the right of access described above, data subjects are granted the rights described below. When PII has been collected by electronic means, the data subjects must be provided with a way to exercise their rights using electronic means.
Right to object
Data subjects have the right to object to the processing of their PII on legitimate grounds, unless the processing is necessary for compliance with a legal obligation or when the act authorising the processing expressly excludes the data subjects’ right to object.
Data subjects also have the right to object, at no fee and without justification, to the use of PII related to them for the purposes of direct marketing by the PII owner or by an onward data controller.
Right to correct
Upon proof of their identity, data subjects may require the PII owner to correct, supplement, update, lock or erase personal data related to them that is inaccurate, incomplete, equivocal or out of date, or whose collection, use, disclosure or storage is prohibited.
When the concerned PII has been transmitted to a third party, the data controller must carry out the necessary diligence to notify such third party of the modifications operated in accordance with the data subjects’ request.
Right to be forgotten
Data subjects have the right to request the PII controller to erase personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay, in particular where one of the following grounds applies:
the PII is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
the PII has been unlawfully processed;
the PII has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject; or
the PII has been collected in relation to the offer of information society services.
Right to be forgotten for children
Data subjects have the right to request the PII controller to erase without undue delay the personal data that has been collected in the context of the provision of information society services where the data subject was under age at the time of collection. When the PII controller has transmitted the concerned data to another PII owner, the data controller shall take reasonable measures, including technical measures, to inform the onward PII owner of the data subject’s request for the deletion of any link to the data, or any copy or reproduction thereof.
This is unless the data processing is necessary:
to exercise the right to freedom of expression and information;
to comply with a legal obligation requiring the processing of such data or to carry out a task in the public interest or in the exercise of the public authority entrusted to the controller;
to public health;
to archival purposes of public interest, for scientific or historical research or for statistical purposes; or
to establish or exercise legal rights.
Right of data portability
Data subjects have a right to:
receive a copy of their personal data in a structured, commonly used, machine-readable format that supports re-use;
transfer their personal data from one controller to another;
store their personal data for further personal use on a private device; and
have their personal data transmitted directly between controllers without hindrance.
Data subjects have the right to set guidelines for the retention, deletion and communication of their personal data after their death.
Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?
Individuals may claim for damages when they are affected by a breach of the LIL that qualifies as a criminal offence subject to the referral to criminal jurisdiction.
In this case, compensation may amount to the total amount of damage endured by the individual, which includes moral damages or injury to feelings.
Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?
Where the data controller does not answer or refuses to grant the right to the data subjects’ request, the latter can refer to the CNIL or a judge to obtain interim measures against the data controller.
Exemptions, derogations and restrictions
Further exemptions and restrictions
Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.
Can PII owners appeal against orders of the supervisory authority to the courts?
PII owners can appeal against orders or sanctions pronounced by the CNIL in front of the Supreme Court for the administrative order (the Council of State).
Specific data processing
Describe any rules on the use of ‘cookies’ or equivalent technology.
Data controllers may install cookies or equivalent devices subject to the data subject’s prior consent. Such consent may derive from the browser or other application settings. The following categories of cookies require the prior consent of the data subject:
cookies related to targeted advertising;
social networks’ cookies generated in particular by their buttons of sharing when collecting personal data without the consent of the persons concerned; and
As regards analytics, the CNIL considers that these cookies may be exempted from prior consent subject to the following:
information must be given to users who must be able to oppose processing (this opposition must be possible from any terminal);
the data collected must not be cross-checked with other processing (client files or statistics of attendance of other sites, for example);
the cookies must be used only for the purpose of anonymous statistics and should not allow the tracking of navigation on different sites;
raw attendance data associating an identifier must also not be retained for more than 13 months; and
the use of an IP address to geolocate the user should not allow the street to be determined: only the first two bytes of the IPv4 addresses can be preserved and possibly used for delocalisation (for IPv6 only the first six bytes can be retained).
Implied consent is now accepted and companies must implement a two-step approach for obtaining consent.
Data controllers must use a banner providing the following information to the website user:
purposes of the cookies;
that further navigation on the website constitutes valid consent to the storage of cookies on their device; and
an explanation of how disabling cookies might affect the data subject’s use of the website or app.
The CNIL recommends that to ensure that the data subject’s consent is unambiguous, the banner shall not disappear until the individual continues to navigate on the website, for example, by clicking on an element of the website or navigating to another page of the website.
The CNIL considers that the consent given by the data subject is only valid for 13 months. After this period, the consent of data subjects shall be collected again with the same conditions. Accordingly, the cookies’ lifetime shall be limited to 13 months from the date of the first deposit on the user’s device. New visits of the user to the website shall not automatically extend the cookies’ lifespan.
In addition, data subjects shall be provided with an easy way to withdraw their consent to the deposit of cookies at any time.
Electronic communications marketing
Describe any rules on marketing by email, fax or telephone.
Sending unsolicited marketing messages is prohibited without the prior consent of the recipient. Such consent of the data subject cannot derive from:
a pre-ticked box; or
general acceptance of terms and conditions.
Under the following conditions, the prior consent of the data subject is not required to address unsolicited marketing messages:
when the information of the data subject has been collected on the occasion of a purchase in accordance with the applicable data protection rules;
the marketing messages concern products or services similar to those purchased by the data subject; and
the data subject is provided with an easy way to opt out of receiving marketing messages when the data is collected and with each marketing message.
In a B2B relationship, the prior consent of the recipient is not required provided that:
the recipient has been informed that his or her email address would be used to address marketing messages;
the recipient has the possibility to oppose the use of his or her email address for the purpose of direct marketing at the time of its collection and with each message; and
the marketing messages must be in relation to the recipient’s profession.
Direct marketing by regular mail or telephone is not subject to the prior consent of the recipient, but the recipient has the possibility to object to it by signing up to an opt-out list. In France, this list is called Bloctel, which is the governmental opt-out list for telephone marketing.
Describe any rules or regulator guidance on the use of cloud computing services.
There is no specific provision applicable to cloud computing in the LIL or the GDPR. The CNIL issued guidelines addressed to companies contemplating subscription to cloud computing services dated 25 June 2012. These guidelines contain seven recommendations by the CNIL that should be taken into account by data controllers when assessing the opportunity to migrate to cloud services, as well as a template clause to be inserted into agreements with cloud computing services providers.
The recommendations are to:
establish a precise mapping of the data and processing that will be migrating to the cloud and the related risks;
define technical and legal security requirements adapted to the categories of data and processing;
carry out a risk analysis to identify the security measures to be implemented to preserve the essential interests of the company;
identify the type of cloud services and data hosting appropriate with respect to all data processing;
select cloud service providers that provide adequate security and confidentiality guarantees;
review and adapt the internal security policies of the company; and
carry out regular assessments of the cloud services.
Update and trends
Key developments of the past year
Are there any emerging trends or hot topics in international data protection in your jurisdiction?
Key developments of the past year46 Are there any emerging trends or hot topics in international data protection in your jurisdiction?
Since the implementation of the GDPR one year ago, many national data protection authorities have reported a sharp increase in the number of complaints. In France, the CNIL recently observed a 32 per cent increase in the number of complaints received in 2018, largely attributable to the RGPD. Indeed, the CNIL has received more than 11,900 complaints since May 2018. During the first nine months of the RGPD, the EDPB reported 144,376 complaints.
In the first major example, on 25 and 28 May 2018, the CNIL received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN was mandated by 10,000 people to refer the matter to the CNIL. In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.
As a result, Google has been fined €50 million by the CNIL for not properly informing to its users how data is collected across its services to present personalised advertisements. The CNIL noticed that the information on the data-processing activities provided to users was neither easily accessible to users nor always clear or comprehensive.
The CNIL also observed that Google doesn’t properly obtain users’ consent to target them with personalised ads. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalisation is diluted in several documents and does not enable the user to be aware of their extent, with a several clicks required to access the full information. Therefore, the CNIL underlined that the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.
Finally, we can also underlines that the CNIL is more likely to make public the sanctions that it imposes on the PII controller or processor.
Imagine you have a close friend you frequently communicate with via text. One day, they suddenly die. You reel, you cry, you attend their funeral. Then you decide to pick up your phone and send them a message, just like old times.
“I miss you,” you type. A little response bubble appears at the bottom of the screen. “I miss you too,” comes the reply. You keep texting back and forth. It’s just like they never left.
The possibility of digitally interacting with someone from beyond the grave is no longer the stuff of science fiction. The technology to create convincing digital surrogates of the dead is here, and it’s rapidly evolving, with researchers predicting its mainstream viability within a decade. But what about the ethics of bereavement—and the privacy of the deceased? Speaking with a loved one evokes a powerful emotional response. The ability to do so in the wake of their death will inevitably affect the human process of grieving in ways we’re only beginning to explore.
“Fifty or 60 years from now, [millennials] will have reached a point in their lives where they each will have collected zettabytes [1 trillion gigabytes] of data, which is just what is needed to create a digital version of yourself,” Rahnama says.
Donning it “augmented eternity,” Rahnama’s AI program builds upon the digital archive a person has left behind: emails, texts, tweets, and even snapchats. He feeds these into artificial neural networks, which are like model brains that understand language patterns and process new information. Thanks to the neural network’s ability to “think” for itself, the person’s “digital being continues to evolve after the physical being has passed on.” In this way, an augmented-eternity bot would keep aware of current events, develop new opinions, and become an entity that is based on a real person rather than a facsimile of who they were at their time of death.
Chatting with ghosts
Rahnama’s augmented-eternity programs are still in development, but another researcher had developed a slightly different kind of working prototype. Eugenia Kuyda, co-founder of Russian AI start-up Luka, launched a program on their app last year that allows the public to engage with Roman Mazurenko, Kuyda’s best friend, who was killed in car accident in 2015. Kuyda’s aim was to use digital-afterlife technology to create a memorial in the form of a chatbot available to anyone interested in talking to Roman. But she had her reservations.
“I was worried: Would I get the tone right, would we be able to do something that will help remember a person, and won’t be in any way offensive to anyone that knew and loved Roman?” she says. “I was afraid to get it wrong, to make it not a beautiful memory for a friend but something creepy and strange.”
In life, Roman had an interest in technology’s ability to “disrupt death”. He was fascinated by the bizarre consequences of being “outlived” by the vast archive of digital information we create in this mortal coil. Kuyda therefore thought Roman was the perfect candidate for this experimental memorial, and went about creating the bot. Once complete, she was amazed and delighted to experience her friend’s wit once again. Romanbot expressed Roman’s insecurities, his poetic perspective, and his self-deprecating sense of humor. The bot was so convincing it even earned a seal of approval from Roman’s mother.
But while chatbots are good at imitating their progenitors’ patterns of speech, they’re not satisfying substitutes for real people. “It’s more like a shadow of a person,” Kuyda says. “At this point, it’s similar to us talking to god, or imagining we’re talking to someone we’ve lost, or even talking to a therapist.“
Fans of the sci-fi show Black Mirror may recognize a similar situation as the premise of a 2013 episode titled “Be Right Back.” In this story, a widow uses a service to collect her dead partner’s digital footprint (texts, emails, photos, audio recordings) to reconstitute him first into a chatbot able to exchange text messages with her, and then ultimately into a realistic android. The narrative suggests that attempts to preserve our loved ones in a digital afterlife will result in painful repercussions. It also raises the question of whether a service able to turn a dead person into a chatbot would be venturing into an ethical gray area, interfering with our ability to process the reality of death.
Grieving the digital dead
Andrea Warnick is a Toronto-based grief counselor and thanatologist who studies the scientific, psychological, and social aspects of death. She sees a potential therapeutic application for digital-afterlife technology—not necessarily in its ability to allow us to chat with lost loved ones, but by facilitating conversations about the dead within their network of bereaved friends and family.
“In modern society, many people are hesitant to talk about someone who has died for fear of upsetting those who are grieving—so perhaps the importance of continuing to share stories and advice from someone who has died is something that we humans can learn from chatbots,” she says.
Warnick says the common advice is people should “move on” after a death. But she feels Western society could benefit from a reminder that just because someone is dead doesn’t mean they’re gone. “However, given our society’s general discomfort with death and grief, I have concerns that they have the potential to be misused as well, possibly leading to situations in which people are further alienated in their grieving process,” Warnick adds.
The hope is that chatbots don’t undermine the importance of human connection and support for those who are grieving; that the vivid and often uncomfortable emotional labor of caring for the bereaved is not wholly outsourced to bots. After all, death may soon be the most apparent thing differentiating humans from advancing AI, and distancing ourselves from its stark reality doesn’t seem like a prescient way to improve our relationship with the meaning of life.
Privacy is also an issue relevant to digital afterlife programs. While Kuyda had faith that Mazurenko would give her Romanbot project his blessing, she also crafted it with far less than a zettabyte of data. This is the amount that Rahmana sees as being crucial for an all-knowing bot to be capable of being all-revealing, too. “We have to consider an individual’s privacy when it comes to passing on virtual profiles,” Rahmana says. “You should be able to own your data and only pass it along to people you trust, so allowing people to engage with their own ancestors would be likely.”
Even as digital afterlife technology advances to offer increasingly accurate simulacrums of our dead, their most significant quality may not be simulating what someone we love might say, but rather their ability to give the illusion of them listening to us instead. “It’s not about what we hear, it’s about what we say,” Kuyda says.
In this way, chatbots can provide the bereaved with a space to express thoughts and feelings about their loved ones both in private and within their communities. In time, this could help normalize conversations about death and the intensity of sorrow.
Talking to someone from beyond the grave may sound creepy. But it may offer some measure of comfort to your loved ones. It’s like the high-tech equivalent of putting together a scrapbook, or writing letters for your kids to open when you pass. Plus, it’s less frightening to think of death when you know you won’t vanish wholly into the void—but remain, in a sense, in the hearts and text conversations of the people you loved the most.