France

LEG-01:

Legislation enacted specifically for data privacy?
– Law No. 78-17 of 6 January 1978 on ‘Information Technology, Data Files and Civil Liberty’ (IDC)

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Law No. 2004-575 of 21 June 2004 for confidence in the digital economy (SPAM)
– Penal Code 1994 (AKA Criminal Code 1994)
– Postal and Electronic Communications Code 1952 (PECC)
– Telecommunications Act of 1996
– The Privacy and Electronic Communications Regulations 2003 (PEC)
– Code of Homeland Security (CHS)
Notes: Code of Homeland Security – Book VIII – Title V relates to monitoring of electronic communications.

LEG-03:

The Country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– EU Data Protection Directive 1995/46/EC (DPD)
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC)
– EU Regulation 45/2001/EC (CIB).
Notes: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” is the full title of DPD.
“Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data” is the full title of CIB.

LEG-04:

Local government has any Bills going through the legislative process.
– General Data Protection Regulation.
– Intelligence Bill.
Notes: The General Data Protection Regulation will replace the current DPD (from 25 May 2018).

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cybercrime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
– IDC Article 11, 13.
Notes: Establishes the Commission Nationale de l’Informatique et des Libertés (CNIL).
Article 13 describes the makeup of the commission.

PRI-02:

There is a requirement to establish a privacy commissioner.
– IDC Article 18.

PRI-03:

The functions of the authority clearly set out.
– IDC Article 11.
– CIB Article 46.

PRI-04:

There is a requirement that each company establishes its own privacy officer to ensure the company complies with policy.
Notes: Not as yet. It has been drafted in the updated EU Data Protection Framework (still to be adopted).
There is currently no requirement to set up Data Privacy Officers. However, an organisation is exempt from making prior declarations to the CNIL if the organisation has appointed a DPO.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined which gives examples and a clear outline.
– IDC Article 2.
– DPD Article 2 (a).
Notes: The defined term is “personal data”.

PCP-02:

“Sensitive Information” is defined which gives examples and a clear outline.

PCP-03:

Other types of information are defined that are viewed differently to personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– IDC Article 7.
– CIB Article 5 (d).

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent different for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– IDC Article 38.

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– IDC Article 32.

PRO-01:

Individual has the ability to access their data by request.
– IDC Article 39 – 5.
– CIB Article 13.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– IDC Article 40.
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– IDC Article 68, 69.
– CIB Article 9 1, 6.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– IDC Article 32.
– CIB Article 6 1.

PRO-05:

Encryption used for processing of data to ensure anonymity.
– IDC Article 34.
Notes: Although encryption is not specified, encryption may be used if it is seen as a useful precaution.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– IDC Article 34, 34 – I.
– CIB Article 22 2.

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– IDC Article 50,51.
– Criminal Code 1994 Articles 226-16 to 226-24.
Notes: Article 50 advises offences are set out in the criminal code.

PRO-09:

A complaints process is setup to deal with any breach of privacy.
– IDC Article 11 c.

STO-01:

All data is stored with at least a “reasonable” level of security.
– CIB Article 22 1.

STO-02:

Encryption techniques used to store data.
– IDC Article 34.
– CIB Article 4 1 (e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– IDC Article 68, 69.
– IDC Article 31 6 III.
– CIB Articles 7 – 9.
Notes: Article 31, 6, III – “The CNIL shall publish the list of the countries that the Commission of the European Union considers provide an adequate level of protection in relation to the transfer or a category of transfers of personal data.”

STO-04:

Data can be stored offshore in a different country.
– IDC Article 34.
– CIB Articles 22 1.
Notes: Although storage location is not specified, storage may be offshore if it is seen as a useful precaution.

STO-05:

Data can be stored off site but in the same country.
– IDC Article 34.
– CIB Articles 22 1.
Notes: Although storage location is not specified, storage may be off site if it is seen as a useful precaution.

STO-06:

Information is only kept by the collection agency for the shortest time necessary for the outlined purpose to be fulfilled.
– IDC Article 6 5, 24 II, 64.
– PEC Section 26.
– CIB Article 4 1 (e).
Notes: The CNIL can define the retention period outlined in Article 24 and 64, however Article 6 5 states “…a period no longer than is necessary.”

STO-07:

Policies in place for the destruction of data once consent is withdrawn or data is no longer needed.
– IDC Article 40.
Notes: The Act and the CIB both refer to “processing” which covers a variety of operations, including erasing or destroying data.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– IDC Article 50,51.
– Criminal Code 1994 Articles 226-16 to 226-24.
Notes: Article 50 advises offences are set out in the criminal code.

STO-09:

Notification has to be given to individuals in case of a data breach.
– IDC Article 34 – II.
Notes: Notification is not required, however, if the CNIL has found that appropriate protection measures have been implemented.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– PECC Article L34-5.
Notes: Not clear but gives the recipient the option to refuse.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– SPAM Article 19.

SPM-03:

Subject line to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– PECC Article L34-5.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– PECC Article L34-5.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.

INT-05:

External countries have the ability to intercept data with permission from the host country.