France’s GDPR implementation law

3. August 2018

In June, France enacted the French Data Protection Act 2 (FDPA2), which implements the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 – and the Directive (EU) 2016/680.

The French government decided not to repeal the French Data Protection Act of 1978 (FDPA). FDA2 amends the former FDPA. FDPA2 replaces the logic of prior formalities with the philosophy introduced by the GDPR of enhanced accountability of stakeholders.

The FDPA2 does not take full advantage of all the opening clauses provided by the GDPR. In November 2017, when the draft bill was published, the CNIL considered that this selection was judiciously made. It includes the following provisions:

  • The clarification of the scope of application of national law (Art. 10)
  • An open data approach for judicial decisions (Art. 13)
  • The definition of the age for “digital majority” (Art. 20)
  • The broadening of class-action’s scope to compensation (Art. 25)
  • The possibility for the Conseil d’Etat to temporarily suspend international data transfer at the request of the CNIL (Art. 27)

Article 32 of the FDPA2 empowers the government to proceed by ordinance to a general rewriting of the FDPA in order to improve the intelligibility and consistency with all legislation relating to the protection of personal data. It is therefore to be expected that the FDPA2 will undergo major changes in the near future but without any debate before the Parliament.