Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Constitutional Framework

The right of privacy is not explicitly included in the French Constitution of 1958. The Constitutional Council ruled in 1995 that the right of privacy was implicit in the Constitution,1 and confirmed this in 1999, by stating that the freedom proclaimed in Article 2 of the 1789 Declaration of the Rights of Man and the Citizen ("Déclaration des droits de l'homme et du citoyen de 1789") implies the respect of privacy.2

The Legislative Committee of the Senate issued on 3 June 2009 a report on the right to privacy in the digital age ("La vie privée à l'heure des mémoires numériques").3 Among the 15 recommendations made in the report to better guarantee privacy against digital threats, one is to include the right to privacy in the French Constitution."4 Neither the President of the French Republic nor the Members of Parliament, who have the initiative of a revision of the Constitution under its Article 89, have followed up on this recommendation.5 The CNIL's President confirmed on 10 June 20096 that it is unlikely that the constitution be modified in the coming years to this purpose.7

Privacy and data protection laws and regulations

Comprehensive law

The tort of privacy was first recognized in France as far back as 18588 and was added to the Civil Code in 1970.9

The Data Protection Act, enacted in 1978 and amended in 2004, covers personal information held by government agencies and private entities.10 It is supplemented by a Decree adopted in 2005 and amended on 25 March 2007.11 These rules provide that any individual must be informed of the reasons for the collection of information and may object to its processing either before or after it is collected. Individuals have the right to access information being kept about them and to demand the correction and, in some cases, the deletion of this data. Fines and imprisonment can be imposed for violations.

It is worth noting that the Data Protection Act does not apply to data controllers outside the European Community who do not use data processing means in France.12

Sector-based laws

There are additional specific laws which relate to the protection of data such as laws on administrative documents,13 archives,14 video surveillance,15 employment16 and consumer protection.17 There are also protections incorporated in the Penal Code.18

Data protection authority

The data protection authority is the Commission nationale de l'informatique et des libertés (CNIL), an independent agency that interprets and enforces the Data Protection Act.19 The Commission takes complaints, issues rulings, sets rules, conducts audits, makes reports, and ensures the public access to information by being a registrar of data controllers' processing activities. In addition, the 2004 amendments to the Data Protection Act allow the CNIL to investigate data processes, issue warnings, order data processing to stop, and impose sanctions (fines of up to 150.000 EUR). In 2006 the CNIL issued its first financial sanction against the bank Crédit Lyonnais (45.000 EUR) for violating its customers' right of access to their personal data.20 The highest published sanction ordered so far is 75.000 euros.

The CNIL has more limited powers over large government information systems known as "sovereignty files".21 Sovereignty file systems, defined to include files relating to the safety of the State, defense, public security or penal repression, or those that use the NIR (social security number), do not require CNIL approval but mere prior advice.

In 2009, the CNIL received 68.185 new notifications of data processing, leading to a total amount of 1.356.579 files notified since 1978.22 The Authority received 4.265 complaints and issued 719 decisions including 91 cease and desist orders, 5 financial sanctions and 4 warnings. The CNIL also carried out 270 on-site investigations.

Key issues addressed by the CNIL in 2009 were the investigation of a police database called "STIC", targeted online advertising, social networks and the right to be forgotten, online voting and immigration records.

The CNIL declared that on-site investigations (that are a posteriori controls) will remain a priority. It suffered a setback in its strategy with two decisions of the Conseil d'Etat (of 6 November 2009)23 that cancelled sanctions the CNIL had ordered against two companies following on site investigations. The Conseil considered that the CNIL ought to remind the data controller, prior to the investigation, of its right to object to the investigation. In case of an objection, the investigation occurs under the control of the President of the court, as that is part of due process. As a result of this decision, the CNIL modified its practices. It is also seeking a change of the Data Protection Act to create the possibility to obtain a prior authorization of the judge in certain circumstances. On a procedural standpoint it is worth stressing that the CNIL, as it has the power to issue sanctions, has been characterized by the Conseil d'Etat24 as being like a tribunal in the meaning of the Article 6-1 of the Convention for the Protection of Human Rights and Fundamental Freedoms. As a consequence the sanction procedure must comply with the rights of fair trial and due process.

In June 2010, the CNIL opened a new service on its website to provide Internet users with the possibility to file claims online for non-compliance with their rights of access and objection to direct marketing.25

The Authority is also preparing to issue data protection seals in the first half of 2011 to data protection training and audits and to expand this scope at a later stage. Under the Data Protection Act, a company sponsored by a professional association or an institution can submit to the Authority a product or process that it believes is compliant with the data protection principles to obtain a data protection seal ("label").26

At the 31st International Conference of Data Protection Commissioners, the CNIL voted along with almost 80 other data protection authorities a resolution ("The Madrid Resolution")27 in order to adopt international standards for the protection of personal data and privacy.

Major privacy and data protection case law

In April 2008, a Paris Tribunal condemned different French websites for linking to another website containing gossip information on the French actor Olivier Martinez. Although the site allowed the users to enter links and rate news, the court decided that the website owner had an editorial responsibility and awarded damages for infringing the actor's privacy. Another site posted a link to Yahoo-based news on the same topic and faced a similar outcome.28

Facebook was ordered on 13 April 2010 by the Court of first instance of Paris to remove the photograph of an individual that had been posted on the social network without his consent.29 Facebook users had created a group called "Running naked in the church after the bishop" on which several insulting and hateful comments had been posted. The bishop had asked Facebook several times without success to remove his photograph. Facebook submitted that it was not the publisher of the photograph but a mere host and therefore had no responsibility. The Court decided otherwise.