HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: France

Posted in International/EU Privacy

French Surveillance Law Permits Data Mining, Drawing Criticism from Privacy Advocates

Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.

Posted in International/EU Privacy

CNIL Releases BYOD Guidelines

Security concerns and the need to increase cyber security measures have recently boosted the use of Bring Your Own Device policies in France. Recent events have exacerbated fears of data breaches and hacking for IT managers who were not overly concerned before. As a consequence, IT security teams are seeking to apply the same security and device management systems that apply to their own company’s equipment to employees’ devices when employees use their devices for work purposes. The expansion of an employer’s control over its employees’ devices raises concerns for the privacy and protection of employees’ personal data. The CNIL has published new guidelines on BYOD. An unofficial English translation of the guidelines appears in this post.

Posted in International/EU Privacy

French Consumer Protection Panel Flags Unfair Privacy Practices

Like the United States, France has a broadly-worded consumer protection statute prohibiting unfair clauses in consumer contracts (the French term is “clauses abusives”). What constitutes an “unfair” clause is in some cases fixed by regulation. But in many cases, the term is left to the interpretation of the courts and France’s consumer protection agency, the DGCCRF. France created an advisory panel to issue guidance on what constitutes an unfair clause in various circumstances. On December 3, 2014, the panel published a lengthy opinion identifying 46 clauses in social media terms of use and privacy policies that the panel considers unfair.

Posted in Consumer Privacy, Cybersecurity & Data Breaches, International/EU Privacy

France Enacts Law to Facilitate Real-Time Collection of Metadata

France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs) while the second, more controversial provision permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers in real time.

Posted in International/EU Privacy

French Associations Trigger Criminal Investigation over PRISM

In the wake of information disclosed by Edward Snowden regarding the U.S. National Security Agency’s and Federal Bureau of Investigation’s actions through the PRISM program, two French individual liberties defense associations have filed a motion to open a criminal investigation regarding these actions which contains, in addition to claims against U.S. law enforcement entities, allegations against U.S.-based companies that provide Internet services.

Posted in Consumer Privacy, International/EU Privacy, Social Media

IAPP Piece Explores Jurisdictional Implications of French Court’s Privacy/Hate Speech Dilemma

On June 12, a French Court of Appeals upheld a decision ordering Twitter to divulge the identities of the authors of anti-Semitic tweets, which are illegal under French law. In a detailed analysis of the court’s order for the IAPP Privacy Perspectives blog, Winston Maxwell and Christopher Wolf describe how the order, issued directly by the French court to California-based Twitter, which does not have a French establishment, implicates jurisdictional issues and calls into question the use of anonymity as a privacy shield to post hate speech online.

Posted in Consumer Privacy, International/EU Privacy

French Government Has Serious Reservations About the Draft EU Regulation, Putting its Adoption in Doubt

On June 11, during questioning by a French Member of Parliament about the status of the draft data protection regulation, the French Minister for Digital Economy indicated that the Minister of Justice had rejected the latest version of the draft regulation during the meeting of the European Council held last week.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA, International/EU Privacy

Journalist Uncovers Data Breaches at French Hospitals

A February 4, 2013 article published by the specialized healthcare news site “Actusoins” revealed data breaches at several French hospitals and clinics, demonstrating that such incidents can occur even in a highly-regulated jurisdiction. The journalist was researching another article, and entered the name of a physician into Google. The journalist was astonished to find at […]

Posted in International/EU Privacy

French report recommends privacy tax

The French government released on January 18, 2013 a 200-page study prepared by Pierre Collin and Nicolas Colin proposing changes to international tax rules to take better account of value creation by digital firms. As a shorter term step, the report proposes that France create a tax that would affect all firms that create value […]

Posted in Cybersecurity & Data Breaches, International/EU Privacy

French CNIL Publishes English Language Compliance Guides

France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), released on November 14, 2012 English-language versions of its compliance guides for businesses. The first guide, “Methodology for Privacy Risk Management”, provides a step-by-step guide for identifying risks and prioritising remedial actions. The second guide, “Measures for the Privacy Risk Treatment”, provides practical guidance on […]

Posted in International/EU Privacy

French Data Protection Authority launches public consultation on cloud computing

The French Data Protection Authority (the Commission Nationale de l’Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: “already €6 billion at the European level, with a yearly growth of approximately 20%”. The CNIL is focusing on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security. Public input into the issue is sought by the CNIL, as explained in this blog entry.

Posted in Employment Privacy, International/EU Privacy

French Court of Appeals reject company’s whistleblower system despite CNIL approval

A French Court of Appeals in Caen recently confirmed a lower court’s order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision comes as a surprise as it rejects the approval of the whistleblower system by the French data protection authority (the “CNIL”).

Posted in International/EU Privacy, News & Events

Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remain an Issue, To Be Explored at IAPP Navigate on September 14

An announcement came this week from EC Digital Agenda VP Neelie Kroes of an EU Cloud Strategy (described in this blog entry), for which the former US CIO Vivek Kundra will be an advisor, and it once again raises questions about the application of the EU Directive in the cloud. This is an issue that will be explored through a Moot Court problem at IAPP’s Navigate in Dallas on September 14, also described and shared in this entry.

Posted in International/EU Privacy

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.