
NEWS

18-07-2018

 

Law relating to the protection of personal data - « LIL 3 »

 

Law No. 2018/493 on the protection of personal data of June 20, 2018 (hereinafter the "Law") adapts French legislation to the provisions of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (hereinafter the "GDPR") and to those of Directive (EU) 2016/680 relating to the processing carried out for the purposes of prevention, investigation and prosecution of criminal offences, or the execution of criminal penalties (hereinafter the "Directive").

In order to transpose the "European data protection package", the Government has chosen to retain the architecture of Law No. 78/17 of 6 January 1978 relating to data processing, files and freedoms.

While this represents considerable progress in adapting our national law to developments in European law, this adaptation remains unfinished. Indeed, the decree that should specify certain provisions of the Law has still not been published. In addition, the rewriting of the entire Data Protection Act is referred to an ordinance which will have to be adopted within the next six months.

The GDPR left Member States a certain leeway to clarify or limit its provisions (about fifty options in total). Recital 8 of the GDPR specified, however, that these should be limited "to the extent necessary to guarantee consistency and to make the national provisions understandable for the persons to whom they apply". The purpose of the Law was thus to choose among the options available to it.

We note that the margins of appreciation have only been used in a measured way by the French legislator, thus promoting European harmonization. For example:

  • We emphasize the maintenance of prior formalities for certain processing of personal data, in particular processing involving the Registration Number in the Directory of natural persons or those relating to genetic and biometric data necessary for the authentication or identity check of persons.  

  • The digital majority is set at 15 years (compared to 16 in the GDPR). However, a special feature has been introduced by law for minors under the age of 15, for whom consent must be given jointly with that of the holder or holders of parental authority.

This principle of double consent calls for a few remarks. On the one hand, one can wonder about the concrete implementation of this requirement of double consent when subscribing, for example, to a personal account on social networks, which requires providing even more personal data… On the other hand, it will be necessary to reconcile these rules with those relating to the legal validity of an act performed by a non-emancipated minor. Remember that a non-emancipated minor can perform acts of everyday life alone. In such a case, even if contract law does not require the intervention of the minor's legal representatives, their consent will nevertheless be required by the rules relating to personal data.

 

  • In addition, the Law uses the room for maneuver left to the Member States to derogate from the obligation to notify any data breach, in particular when there is a risk for national security, national defense or public security.

  • The Law adds new exceptions to those provided for by the GDPR concerning the processing of sensitive data. "… strictly necessary to control access to workplaces as well as devices and applications used in the context of the missions entrusted to employees, agents, trainees or service providers" and processing on the reuse of public information appearing in court decisions provided that it has "neither the purpose nor the effect of allowing the re-identification of data subjects".

  • Concerning the prohibition on taking a decision that produces legal effects with regard to a person, or significantly affects that person, on the sole basis of automated data processing, an exception is provided for in the Law for administrative decisions taken on the sole basis of an algorithm. However, the use of such decisions remains regulated, as underlined by the Constitutional Council in its decision 2018-765 of June 12, 2018. Indeed, they must not be based on the processing of sensitive data (defined in Article 8) and must be surrounded by a certain number of guarantees. They must in particular mention that they have been adopted on the basis of an algorithm, and the main characteristics of the implementation of the algorithm must be communicated at the request of the person concerned. Finally, the individual administrative decision must be subject to administrative appeal.

In addition, we can underline the maintenance by law of certain specificities of French law such as the right to define directives relating to the fate of one's personal data after one's death. The choice to retain this right may seem surprising in this movement to harmonize European regulations on the protection of personal data.

Finally, we regret the absence of details concerning the appointment of a data protection officer, the new obligations of the data controller or the new rights of individuals, concerning which many questions still remain unanswered and make it difficult to comply with the GDPR.

Regarding the right to data portability, it is absent from the Law. On the other hand, the legislator has removed all the provisions of the Consumer Code relating to the right to the recovery and portability of data in favor of consumers (articles L. 224-42-1 and following of the Consumer Code). This deletion can be explained in particular by the difficulties resulting from the implementation of two distinct regimes for data portability, which did not fully overlap. It was nevertheless an important legal arsenal for consumers. The right to portability, which is now limited to personal data only (governed by article 20 of the GDPR), is therefore restricted.

To conclude, we can regret the complexity and the lack of readability of the Law. The difficulties of understanding are explained in particular by the Government's choice to make only the changes essential to the implementation of the GDPR and the Directive. This results in the entanglement of three distinct regimes: the GDPR, the Directive, and national provisions. This lack of clarity and the lack of details, particularly with regard to the obligations of data controllers, hinder the compliance of the actors concerned. This leads us to wonder about the control strategy that will be adopted by the CNIL with regard to compliance with the new requirements for the protection of personal data. In this respect, the CNIL recently specified the three main themes on which it will focus its attention, namely processing related to recruitment, the supporting documents requested by real estate agencies, as well as processing relating to the management of paid parking services carried out using connected equipment. In any case, if the CNIL, as it announced, shows flexibility in the implementation of its controls, it will be up to the actors concerned to justify the dynamic undertaken in order to comply with the new requirements related to the protection of personal data.

Juliette Bachelard, student lawyer, ARTLEX Nantes

Carole Couson-Warlop, lawyer, ARTLEX Nantes

 


https://www.village-justice.com/articles/quelques-reflexions-sur-loi-relative-protection-des-donnees-personnelles,29014.html

 
