


France completes the alignment of its national legal frame with European law

Ordinance No. 2018-1125 of December 12, 2018 completes, at the legislative level, the alignment of French national law with the General Data Protection Regulation (GDPR) and the "police-justice" Directive, applicable to criminal records.

 

Following the entry into force of the GDPR on May 25, 2018, the French Data Protection Act of January 6, 1978 had already been largely amended by a law of June 20, 2018. This law had in fact fundamentally modified French law, in particular the Data Protection Act, and had made use of some of the opening clauses of the GDPR. An Ordinance was then necessary to restore consistency between the amended Data Protection Act and other French laws dealing with data protection.

 

The purpose of the Ordinance was thus to rewrite the entire Data Protection Act in order to harmonize the state of the law, to remedy any errors and omissions resulting from this law and to repeal provisions that have become obsolete.

 

This ordinance will come into force no later than June 2019, at the same time as one last Decree implementing the Data Protection Act. In the meantime, the current provisions of the French Data Protection Act, as amended by the law of June 20, 2018, remain solely applicable. 

 

Data protection in relation to the fight against corruption

The French Data Protection Authority (CNIL) and the recently created Anti-Corruption Agency (AFA) announced that they will publish, in only a few weeks, a joint guide on data compliance in the fight against corruption. This document will deal with anti-corruption issues such as the need for a privacy impact assessment when evaluating the integrity of third parties.

 

The new guide will also provide guidance on data protection issues relating to companies' internal whistleblowing systems. Under the French law of December 9, 2016 on transparency, anti-corruption and the modernization of the economy (known as “Sapin II”), companies with at least 50 employees are required to set up a professional whistleblowing system through which an alert can be raised.

 

The joint guide also aims to help companies more generally to implement an anti-corruption compliance program which is in line with data protection laws.

 

In November 2017, UBER revealed that the personal data of 57 million users of its services had been stolen. Following this revelation, the G29 set up a working group to coordinate the investigation procedures of the various data protection authorities involved.

 

The investigation showed that 2 attackers managed to access a server on which the personal data was stored, using identifiers stored in clear text on the collaborative development platform "GitHub". The attackers could thus download information on 57 million users, including 1.4 million in France.

 

The French Data Protection Authority (CNIL) considered that this attack could not have been successful if certain basic security measures had been put in place. At the date of the attack, the GDPR was not yet applicable. The CNIL stated in particular that UBER should have used strong authentication measures and should not have stored identifiers allowing access to the server in plain text within the source code on the "GitHub" platform.

 

As to BOUYGUES TELECOM, on March 2, 2018, the CNIL was informed by a third party of the existence of a security vulnerability on Bouygues Telecom’s website bouyguestelecom.fr which made it possible for any person to access documents containing customers’ personal data. The data breach was notified to the CNIL on March 6, 2018. The CNIL noted that the breach affected more than 2 million customers and lasted for more than 2 years. The CNIL found that the incident was not based on a human mistake and that the company had failed to implement appropriate security measures that would have enabled it to discover the breach.

 

 

Contact


Avv. Grit Karg

+33 1 56 923123
