On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL. Last May, Senators Détraigne and Escoffier delivered a report on privacy in the digital age on behalf of the Senate’s committee on legislation, and the new bill follows up on the measures recommended in that report.
The proposed new bill would:
- State that "any address or number identifying terminal equipment connected to a communications network" is personal data. This provision is intended to end the debate in France on whether IP addresses are personal data. Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
- Require that government agencies and certain companies appoint a data protection officer;
- Increase notification obligations of data controllers before they process personal data;
- Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
- Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches. The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
- Facilitate data subjects’ ability to request deletion of personal data; and
- Increase the CNIL’s sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.
The provisions facilitating data subjects’ ability to access and delete personal data are part of a broader French government campaign to create a citizen’s "right to be forgotten" on digital networks. French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.
Debates on the text will begin in March 2010. It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive. Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen’s right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.