In an April 15, 2016 report, the French Data Protection Authority, the CNIL, provided details about its little-known responsibility as overseer of the French police’s website-blocking powers. The French legislature gave the CNIL this new role in a November 13, 2014 law designed to enhance French police powers against terrorism. The 2014 law increased French police and intelligence agencies’ powers to collect data without a court order. A lesser-known aspect of the November 2014 law is the provision that allows the French police to order ISPs to block websites that either provoke terrorist acts or support (provide an “apologia” or defense for) terrorism. When the French police identify online content that violates these rules, they may order ISPs to block access. The police also have this power with regard to child pornography. Search engines can also be ordered to delist content from search results.
A bill, passed by the French National Assembly on 26th January 2016, and now before the French Senate, would amend Article 47 of the French Data Protection Act to give the French Data Protection Authority (the CNIL) the power to impose penalties for breaches of data protection law of up to 20 million euros or up to 4% of an organization’s total worldwide annual turnover (the Digital Republic Bill). Up until now, the CNIL could only issue penalties of up to 150 000 euros.
In a recent column for The New York Times, Nils Muiznieks, the top human rights official for the Council of Europe, warned that recent surveillance laws in Europe undermine fundamental rights for European citizens. Plus, an October 29, 2015, resolution of the European Parliament complains of an “obvious downward spiral” resulting from mass surveillance laws in the U.S. and Europe. That certain European countries have laws permitting mass surveillance is not news to lawyers who follow the matter. In a 2012 whitepaper, we highlighted the broad and sometimes unsupervised powers of intelligence agencies of certain European governments. As Muiznieks’s column states, intelligence agencies are getting more surveillance power, not less. France’s July 2015 surveillance law permits intelligence agencies to scan metadata of all citizens in order to detect suspicious patterns. Other European countries are also broadening surveillance powers to protect against terrorism.
Speaking at a recent conference organized jointly by AmCham and EY on “the Internet of Things, Opportunities and Challenges for the Protection of Personal Data”, Sophie Nerbonne, Head of Compliance at the French data protection authority explained how the CNIL views the opportunities and risks raised by connected devices, focusing particularly on smart meters as a scheme that may apply to other devices.
Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court Court reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.
Security concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use their devices for work purposes. The expansion of an employer’s control over its employees’ devices raises concerns for the privacy and protection of employees’ personal data. The CNIL has published new guidelines on BYOD. An unofficial English translation of the guidelines appear in this post.
Three weeks after the FTC’s seminar on Consumer Generated and Controlled Health Data, the French data protection authority, the CNIL, held its own workshop on connected health and wellness devices. This blog post summarizes the results of the CNIL workshop.
France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.
Price discrimination based on tracking of Internet Protocol addresses – numerical identifiers assigned to devices that are connected to the Internet – was in the news again this week after a Belgian Member of the European Parliament, Marc Tarabella, called for action from the European Commission to investigate the practice.
In the wake of information disclosed by Edward Snowden regarding the U.S. National Security Agency’s and Federal Bureau of Investigation’s actions through the PRISM program, two French individual liberties defense associations have filed a motion to open a criminal investigation regarding these actions which contains, in addition to claims against U.S. law enforcement entities, allegations against U.S.-based companies that provide Internet services.
On June 12, a French Court of Appeals upheld a decision ordering Twitter to divulge the identities of the authors of anti-Semitic tweets, which are illegal under French law. In a detailed analysis of the court’s order for the IAPP Privacy Perspectives blog, Winston Maxwell and Christopher Wolf describe how the order, issued directly by the French court to California-based Twitter, which does not have a French establishment, implicates jurisdictional issues and calls into question the use of anonymity as a privacy shield to post hate speech online.
On June 11, the French Minister for Digital Economy indicated during questioning by a French Member of Parliament about the status of the draft data protection regulation that the Minister of Justice had rejected, during the meeting of the European Council held last week, the latest version of the draft regulation.
A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly-regulated jurisdiction. The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at […]
Nicolas Colin, one of the authors of the report proposing a “privacy tax” in France that we blogged about on January 22nd, just explained his report in more detail in this Forbes blog entry. Readers interested in this issue may find the Forbes blog post of interest.
The French government released on January 18, 2013 a 200-page study prepared by Pierre Collin and Nicolas Colin proposing changes to international tax rules to take better account of value creation by digital firms. As a shorter term step, the report proposes that France create a tax that would affect all firms that create value […]
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), released on November 14, 2012 English-language versions of its compliance guides for businesses. The first guide, “Methodology for Privacy Risk Management”, provides a step-by-step guide for identifying risks and prioritising remedial actions. The second guide, “Measures for the Privacy Risk Treatment“, provides practical guidance on […]
Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong.
The French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: “already €6 billion at the European level, with a yearly growth of approximately 20%”. The CNIL is focusing on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security. Public input into the issue is sought by the CNIL, as explained in this blog entry.
A French Court of Appeals in Caen recently confirmed a lower court’s order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision comes as a surprise as it rejects the approval of the whistleblower system by French data protection authority (the “CNIL”).
The French CNIL found the French provider of universal telephone directory services “Pages Jaunes” guilty of violating several provisions of the French data protection law due to Pages Jaunes’ collection of personal data in social media sites.
An announcement came this week from EC Digital Agenda VP Neelie Kroes of an EU Cloud Strategy (described in this blog entry), for which the former US CIO Vivek Kundra will be an advisor, and it once again raises questions about the application of the EU Directive in the cloud. This is an issue that will be explored through a Moot Court problem at IAPP’s Navigate in Dallas on September 14, also described and shared in this entry.
On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.
The French data protection authority (CNIL) recently simplified the formalities imposed on non-EU companies using data processors in France. While limited in scope as it only relates to processes in the fields of human resources and client and prospects management, the simplification can only be welcomed.