Privacy Culture

A strong stance on privacy in France is deeply-rooted and historically supported since the French revolution. From the beginning of the 19th century the French Napoleonic code (Code civil des Français) guaranteed and protected the right to private life. Since that time, France has remained one of the pioneers of privacy legislation, setting the foundations of modern privacy policy. French legislation heavily influenced the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (1981), which was the first major international policy on issues of privacy and data protection. 

According to the EuroBarometer Survey on Data Protection issued by the European Commission, the view of French people on data protection is very similar to what most Europeans think. 34 % of French citizens believe they have no control at all over their information provided online, while 72% claim to be concerned about their personal data being used for a different purpose than the one it was collected for. 

Legal History

France was one of the first EU countries to enact a privacy law. The Data Protection and Liberties Act 1978 (Loi informatique et libertés or 'DPA') still remains the basic act regulating data protection & privacy, although it was subject to major amendments in 2004 that implemented the EU Data Protection Directive 95/46/EC.

The collection and use of personal data while providing electronic communication services to the public is also regulated by special rules that can be found in the Postal and Electronics Communications Code (Code des postes et des communications électroniques). Special provisions on privacy and professional secrecy regarding medical data are set out in the Public Health Code (Code de la santé publique) 

Enforcement and Court Action

The primary body responsible for the enforcement of data protection & privacy laws in France is the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or 'CNIL'). 

The CNIL has powers to: 

Conduct on-site inspections- subject to a prior authorisation by a judge (Juge des Libertés et de la Détention);
Perform remote on-line controls- limited to public and accessible data;
Review documents;
Conduct hearings. 

In addition to the CNIL, the authorities overseeing commercial and competition matters may also consider issues relating to the adherence to personal data regulations when they investigate companies. Subsequently they can report any violations of the data protection law to the CNIL. Authorities allowed to perform investigations include, but are not limited to:

General Directorate for Competition, Consumers and the Prevention of Fraud (Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes ).
Competition investigation inter-regional authorities (Brigades Interrégionales d'Enquêtes de Concurrence) 
Fraud investigation inter-regional authorities (Brigades Interrégionales d'Enquêtes de Répression des Fraudes)

The CNIL has a wide range of enforcement powers. When a data controller fails to comply with data protection laws, the CNIL has the right to issue a warning and decide whether to make it public. Data controllers that seriously violate individuals' rights and liberties may be subject to an emergency procedure which prevents data processing for a maximum period of three months.

Depending on the severity of the violation, a natural person may be subject to a financial penalty up to 150.000,00 EUR for the first breach and up to 300.000,00 EUR for a second breach within five years. Legal entities are subject to fines up to 150.000,0 EUR for the first violation and up to 5% of the entity's gross revenue up to a maximum of 300.000,00 EUR for a second violation within five years. Moreover, if the FCDPA holds an opinion that a criminal offence has been committed the case can be referred to the Public Prosecutor. The French Criminal Code sets out a fine of up to 300.000,00 EUR and/or five years of imprisonment for natural persons and a fine up to 1.500.000,00 EUR and/or other sanctions for legal persons for data protection laws violations. 

Corporate Risk

Over the last few years, the CNIL has gradually been strengthening its controls and levels of fines. According to Axelle Lemaire, the French Minister of State for Digital Affairs, "The approach of the French National Commission on Informatics and Liberty is increasingly about certifying and supporting companies, with stiffer sanctions if they fail to comply with regulations." The CNIL issued 7 warnings in 2014 along with 8 fines, totally amounting to 186.001,00 EUR with an average fine of 23.250,00 EUR.

In 2014 the CNIL Sanctions Committee ordered the maximum financial penalty sanction for the first time. A fine of 150.000,00 EUR was issued against Google Inc. for breaching several DPA provisions with its privacy policy and for not complying in a timely manner with remedial actions ordered by the CNIL. More recently, Google Inc. has rejected a demand by the CNIL to apply the 'Right to be Forgotten' to its worldwide operations. Under the EU law individuals have the right to require data controllers to delete and abstain from further dissemination of their personal data. A data controller is required to act on such request without undue delay. 

IN 2015 the CNIL received a record number of 7,908 complaints - exceeding the number of complaints filed in 2014 by 2000. The inspections and controls carried out by the CNIL have also increased in the past year. 501 data controllers (of which 70% belong to the private sector) were inspected, representing an increase of controls by 20% compared to 2014. According to the CNIL, this increase is partly due to its extended use of online control tools.

Following these inspections, the CNIL issued 93 formal notices, concerning a variety of organisations. The main categories of breaches addressed by these notices were breaches related to cookies, incomplete information of the data subjects, insufficient security measures, and disproportionate or unspecified data retention periods. The majority of the issued formal notices were followed by data controller’s compliance, but 10 sanctions have been pronounced by the CNIL in 2015 and 3 out of those resulted in fines, ranging from 15.000,00 EUR to 50.000,00 EUR.

The X & Y v. Google France case has shown how determined the French authorities can be when seeking to protect the personal data of French citizens. A ruling on this case required Google to de-list links containing personal data on its domain. Google complied with the court order, but kept the links on other domains. Due to Google’s incompliance the CNIL has imposed a 100.000,00 EUR fine on Google Inc. on 10 March 2016.

Similarly, the CNIL also performed on site and online inspections and documentary audit of Facebook in order to determine whether the its practices are in accordance with the DPA. The investigation revealed that Facebook collects excessive amounts of personal information from users who do not have a Facebook account and have not been properly informed. Furthermore, the social network collects personal data (e.g. sexual orientation and the religious and political views) without the explicit consent of account holders, sets cookies that have an advertising purpose without properly informing and obtaining the consent of Internet users, and compiles all the information to display targeted advertising without the ability for the users to disable it. Finally, the investigation also revealed that Facebook is transferring personal data to the United States on the basis of Safe Harbor framework, although the Court of Justice of the European Union declared invalid such transfers in its ruling on October 6, 2015.

The Chair of the French data protection authority therefore issued formal notice, which did not act as a sanction, to Facebook Inc. and Facebook Ireland Ltd. to comply within three months with the French Data Protection Act. This notice was made public due to the seriousness of the violations and the number of individuals concerned by the Facebook service (more than 30 million users in France).

Future Outlook

In the aftermath of Paris terrorist attack in January 2015, France faced a serious dilemma of what measures to implement in order to fight terrorism. In May 2015 the French authorities approved a sweeping surveillance bill that outraged privacy advocates and civil liberty groups.

Privacy activists have argued that the adopted solution violates the fundamental rights of protection of private life and private data, and the independence of the digital economy. In particular, the new law allows bulk collection of Internet metadata from internet service providers, meaning that the government has access to the details of communications (e.g. time and place of communication, but not the content of it) from French citizens. The legislation requires internet service providers and phone companies to give up data upon request, even without prior judicial authorisation or warrant. 

In May 2016 the French Parliament approved a law that gives the police and judicial authorities new powers to detain terrorism suspects, put people under house arrest and use deadly force to stop attacks. This law comes as a direct consequence of attacks in Paris. It gives the police and prosecutors access to electronic eavesdropping technology that had been available only to intelligence agencies. Critics worry that these new surveillance powers go well beyond fighting terrorism and with recent terrorist attack in Nice it is likely to expect that this law will not be amended any time soon. 

France has taken proactive approach towards protection of personal data related to the new General Data Protection Regulation (GPRD), which aims to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU and it enters into application on the 25th of May 2016 after a two-year transition period.

The French Parliament has decided to include the GDPR obligations into national legislation ahead of its application date. On the 30th of June 2016 member of the Parliament reached a common ground on the “Digital Republic Bill”, which is scheduled to be adopted in October 2016. Its aim is to significantly amend various aspects of the French DPA and Consumers Code, taking into account the GDPR and the latest jurisprudence of the Court of Justice of the European Union (CJEU). The amendments include the obligation for companies to inform individuals of the data retention period and it gives the CNIL the power to punish breaches and subsequently authorise fines up to EUR 20,000,000 or 4% of a company’s global turnover (whichever is higher) if a data controller fails to comply with the DPA.


1. Aurélie Barbaux, Emmanuelle Delsol and Charles Foucault, According to Axelle Lemaire, "France needs something to trigger its digital culture", 17/02/2015
2. Pricewaterhouse Coopers Legal LLP, Privacy and Security Enforcement Tracker, 03/2015 

3. European Commission, EROBAROMETER Survey on Data Protection, 28/02/2015 – 09/03/2015 

4. Commission Nationale de l'Informatique et des Libertés, Role and responsibilities, 

5. Marianne Le Moullec, The French Data Protection Authority Fines Google for Breach of French Privacy Laws, 31/01/2014 

6. Adam Waks, Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide, 24/08/2015 

7. DataGuidance, Global Privacy Enforcement Report 2015 [Cecile Park Publishing Ltd.]

8. Commission Nationale de l'Informatique et des Libertés, The French data protection authority publicly issues formal notice to FACEBOOK to comply with the French Data Protection Act within three months,

9. Aurelien Breeden, French Authorities Given Broader Powers to Fight Terrorism,

10. The PHAEDRA project; French Parliament adapts National Law to take into account CJEU ruling and GDPR; 

11. Emma Firth; As France jumps early, clarity that the GDPR will wait for no-one; 

Data Privacy Recruitment Ltd. 

All rights reserved. All opinions expressed to be treated strictly as guidance and not as legal advice. 

September 2016
London, United Kingdom