I. Legal framework
The right of privacy is not explicitly included in the French Constitution of 1958. The Constitutional Council ruled in 1995 that the right of privacy was implicit in the Constitution,1 and confirmed this in 1999, by stating that the freedom proclaimed in Article 2 of the 1789 Declaration of the Rights of Man and the Citizen ("Déclaration des droits de l'homme et du citoyen de 1789") implies the respect of privacy.2
The Legislative Committee of the Senate issued on 3 June 2009 a report on the right to privacy in the digital age ("La vie privée à l'heure des mémoires numériques").3 Among the 15 recommendations made in the report to better guarantee privacy against digital threats, one is to include the right to privacy in the French Constitution."4 Neither the President of the French Republic nor the Members of Parliament, who have the initiative of a revision of the Constitution under its Article 89, have followed up on this recommendation.5 The CNIL's President confirmed on 10 June 20096 that it is unlikely that the constitution be modified in the coming years to this purpose.7
Privacy and data protection laws and regulations
The Data Protection Act, enacted in 1978 and amended in 2004, covers personal information held by government agencies and private entities.10 It is supplemented by a Decree adopted in 2005 and amended on 25 March 2007.11 These rules provide that any individual must be informed of the reasons for the collection of information and may object to its processing either before or after it is collected. Individuals have the right to access information being kept about them and to demand the correction and, in some cases, the deletion of this data. Fines and imprisonment can be imposed for violations.
It is worth noting that the Data Protection Act does not apply to data controllers outside the European Community who do not use data processing means in France.12
There are additional specific laws which relate to the protection of data such as laws on administrative documents,13 archives,14 video surveillance,15 employment16 and consumer protection.17 There are also protections incorporated in the Penal Code.18
Data protection authority
The data protection authority is the Commission nationale de l'informatique et des libertés (CNIL), an independent agency that interprets and enforces the Data Protection Act.19 The Commission takes complaints, issues rulings, sets rules, conducts audits, makes reports, and ensures the public access to information by being a registrar of data controllers' processing activities. In addition, the 2004 amendments to the Data Protection Act allow the CNIL to investigate data processes, issue warnings, order data processing to stop, and impose sanctions (fines of up to 150.000 EUR). In 2006 the CNIL issued its first financial sanction against the bank Crédit Lyonnais (45.000 EUR) for violating its customers' right of access to their personal data.20 The highest published sanction ordered so far is 75.000 euros.
The CNIL has more limited powers over large government information systems known as "sovereignty files".21 Sovereignty file systems, defined to include files relating to the safety of the State, defense, public security or penal repression, or those that use the NIR (social security number), do not require CNIL approval but mere prior advice.
In 2009, the CNIL received 68.185 new notifications of data processing, leading to a total amount of 1.356.579 files notified since 1978.22 The Authority received 4.265 complaints and issued 719 decisions including 91 cease and desist orders, 5 financial sanctions and 4 warnings. The CNIL also carried out 270 on-site investigations.
Key issues addressed by the CNIL in 2009 were the investigation of a police database called "STIC", targeted online advertising, social networks and the right to be forgotten, online voting and immigration records.
The CNIL declared that on-site investigations (that are a posteriori controls) will remain a priority. It suffered a setback in its strategy with two decisions of the Conseil d'Etat (of 6 November 2009)23 that cancelled sanctions the CNIL had ordered against two companies following on site investigations. The Conseil considered that the CNIL ought to remind the data controller, prior to the investigation, of its right to object to the investigation. In case of an objection, the investigation occurs under the control of the President of the court, as that is part of due process. As a result of this decision, the CNIL modified its practices. It is also seeking a change of the Data Protection Act to create the possibility to obtain a prior authorization of the judge in certain circumstances. On a procedural standpoint it is worth stressing that the CNIL, as it has the power to issue sanctions, has been characterized by the Conseil d'Etat24 as being like a tribunal in the meaning of the Article 6-1 of the Convention for the Protection of Human Rights and Fundamental Freedoms. As a consequence the sanction procedure must comply with the rights of fair trial and due process.
In June 2010, the CNIL opened a new service on its website to provide Internet users with the possibility to file claims online for non-compliance with their rights of access and objection to direct marketing.25
The Authority is also preparing to issue data protection seals in the first half of 2011 to data protection training and audits and to expand this scope at a later stage. Under the Data Protection Act, a company sponsored by a professional association or an institution can submit to the Authority a product or process that it believes is compliant with the data protection principles to obtain a data protection seal ("label").26
At the 31st International Conference of Data Protection Commissioners, the CNIL voted along with almost 80 other data protection authorities a resolution ("The Madrid Resolution")27 in order to adopt international standards for the protection of personal data and privacy.
Major privacy and data protection case law
In April 2008, a Paris Tribunal condemned different French websites for linking to another website containing gossip information on the French actor Olivier Martinez. Although the site allowed the users to enter links and rate news, the court decided that the website owner had an editorial responsibility and awarded damages for infringing the actor's privacy. Another site posted a link to Yahoo-based news on the same topic and faced a similar outcome.28
Facebook was ordered on 13 April 2010 by the Court of first instance of Paris to remove the photograph of an individual that had been posted on the social network without his consent.29 Facebook users had created a group called "Running naked in the church after the bishop" on which several insulting and hateful comments had been posted. The bishop had asked Facebook several times without success to remove his photograph. Facebook submitted that it was not the publisher of the photograph but a mere host and therefore had no responsibility. The Court decided otherwise.
- 1. Décision 94-352DC du Conseil constitutionnel du 18 Janvier 1995, available at http://www.conseil-constitutionnel.fr/conseil-constitutionnel/francais/les-decisions/depuis-1958/decisions-par-date/1995/94-352-dc/decision-n-94-352-dc-du-18-janvier-1995.10612.html (in French).
- 2. Décision 99-416DC du Conseil constitutionnel du 23 juillet 1999, available at http://www.conseil-constitutionnel.fr/decision/1999/99416/index.htm (in French).
- 3. The report is available at http://www.senat.fr/rap/r08-441/r08-441.html (in French).
- 4. "French Senate Issues report on Right to Privacy in the Digital Age," Privacy and Information Security Law Blog, Hunton & Williams, LLP, 11 June 2009, available at http://www.huntonprivacyblog.com/2009/06/articles/european-union-1/french-senate-issues-report-on-right-to-privacy-in-the-digital-age/ ">http://www.huntonprivacyblog.com/2009/06/articles/european-union-1/french-senate-issues-report-on-right-to-privacy-in-the-digital-age/ .
- 5. Indeed, a Commission, created in April 2008 at the request of the French President, taking into consideration the fact that the right to privacy is already recognized under French law, failed to consider that the inclusion of the right to privacy in the Constitution would significantly enhance individuals' rights, in spite of the new technical challenges faced by society.
- 6. Speech of Alex Türk qt the 5th Assembly of the Correspondents of the AFCDP (French Association of Privacy Correspondents) on 10 June 2009 in Paris.
- 7. In 2008, during the annual report press conference of the Commission nationale de l'informatique et des libertés, Alex Türk, CNIL's President, had indicated his strong wish of introducing data protection rights in the preamble of the French Constitution, as it is the case in 13 out of the 27 European Union Member States. Mr. Türk had justified this proposal by the "worrying generalization of mechanisms tracking individuals" every move from wake up until bedtime. ("La CNIL veut inscrire dans la Constitution la protection des données personnelles," Le Monde, 16 May 2008, available at http://www.lemonde.fr/societe/article/2008/05/16/la-cnil-veut-inscrire-dans-la-constitution-la-protection-des-donnees-personnelles_1046127_3224.html). It had been his credo since then, and he has been partly supported by the Legislative Committee of the Senate in its 3 June 2009 report.
- 8. The Rachel affaire. Judgment of 16 June 1858, Trib. pr. inst. de la Seine, 1858 D.P. III 62. SeeJeanne M. Hauch, Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris, 68 Tul. L. Rev. 1219 (May 1994).
- 9. Civil Code, Article 9, Statute No. 70-643 of 17 July 1970.
- 10. Loi n 78-17 du 6 janvier 1978, Loi relative à l'informatique, aux fichiers et aux libertés, available at http://www.cnil.fr/index.php?id=301 in French; available in English at http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf.
- 11. décret no 2007-451 du 25 mars 2007 modifiant le décret n 2005-1309 du 20 octobre 2005 pris en application de la loi n 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, modifiée par la loi no 2004-801 du 6 aout 2004, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000824352&dateTexte=.
- 12. A user of Google groups services such as Usenet discussion, who sued Google Inc. USA, learnt it to her detriment: she did not obtain the removal of her contributions dating back 1998 that were still available through searches on Google tools. The Court of first instance, in an emergency proceeding, concluded that the applicable law was the law of the State of California where the messages were archived. It took into consideration the fact that California's Constitution provides protection of privacy in its Section 1.1. Tribunal de Grande Instance de Paris, Ordonnance de refere, 14 April 2008, available in French at http://www.foruminternet.org/specialistes/veille-juridique/jurisprudence/IMG/pdf/tgi-par20080414.pdf.
- 13. Loi No. 78-753 du 17 juillet 1978 portant diverses mesures d'amélioration des relations entre l'administration et le public et diverses dispositions d'ordre administratif, social et fiscal (Journal officiel, 18 July 1978, at 2851), available at http://www.cnil.fr/textes/text05.htm (in French).
- 14. Loi No. 79-18 du 3 janvier 1979 sur les archives (Journal officiel, 5 January 1979, at 43, erratum at Journal officiel, 6 January 1979, at 55) (in French).
- 15. Loi d'orientation et de programmation n 95-73 du 21 janvier 1995 relative à la sécurité (Journal officiel, 24 January 1995, at 1249), available at http://www.cnil.fr/textes/text054.htm; see also Décret n 96-926 du 17 octobre 1996 relatif à la vidéo-surveillance pris pour l'application de l'article 10 de la loi n 95-73 du 21 janvier 1995 d'orientation et de programmation relative à la sécurité (Journal officiel, 20 October 1996, at 15432), available at http://www.cnil.fr/textes/text055.htm, and Circulaire du 22 octobre 1996 relative à l'application de l'article 10 de la loi n 95-73 du 21 janvier 1995 d'orientation et de programmation relative à la sécurité (décret sur la vidéosurveillance) (Journal officiel, 7 December 1996, at 17835), available at http://www.cnil.fr/textes/text056.htm (in French).
- 16. Articles L.2323-13, L.2323-14 and L4612-9 of the Labor Code. http://www.legifrance.gouv.fr/affichCode.do?idArticle=LEGIARTI000006901943&idSectionTA=LEGISCTA000006198568&cidTexte=LEGITEXT000006072050&dateTexte=20101215 and http://www.legifrance.gouv.fr/affichCode.do?idArticle=LEGIARTI000006903309&idSectionTA=LEGISCTA000006189745&cidTexte=LEGITEXT000006072050&dateTexte=20101215.
- 17. Article L 34-5 of the Post and Electronic Communications Code.
http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle=LEGIARTI000006465787&cidTexte=LEGITEXT000006070987&dateTexte=20101215&oldAction=rech CodeArticle">http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle=LEGIARTI000006465787&cidTexte=LEGITEXT000006070987&dateTexte=20101215&oldAction=rech CodeArticle.
- 18. Articles L 226-16 and following of the Penal Code.
- 19. Commission nationale de l'informatique et des libertés Homepage, available at http://www.cnil.fr.
- 20. See"Premiére sanction pécuniaire prononcée par la CNIL," 9 September 2006, available at http://www.cnil.fr/index.php?id=2104.
- 21. Stéphane Foucart, "Les pouvoirs de la CNIL devraient être considérablement amoindris," Le Monde, 14 July 2004, available at http://www.lemonde.fr/cgibin/ACHATS/acheter.cgi?offre=ARCHIVES&type_item=ART_ARCH_30J&objet_id=861279 ">http://www.lemonde.fr/cgibin/ACHATS/acheter.cgi?offre=ARCHIVES&type_item=ART_ARCH_30J&objet_id=861279 and "La nouvelle loi Informatique et libertés autorise le fichage des internaures," Le Monde, 17 July 2004, available at http://www.lemonde.fr/cgibin/ACHATS/acheter.cgi?offre=ARCHIVES&type_item=ART_ARCH_30J&objet_id=861631.
- 22. CNIL, 30e Rapport d'Activité2009 (2010), available in French at http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-30erapport_2009.pdf.
- 23. http://www.conseil-etat.fr/
Conseil d'Etat, decision no 304301, 6 November 2009, available in French at http://arianeinternet.conseil-etat.fr/arianeinternet/getdoc.asp?id=91269&fonds=DCE&item=1.
- 24. Conseil d'Etat, Ordonnance de référé, 19 February 2008, req. no 311974, available in French at
- 25. CNIL, "Plainte en ligne?" http://www.cnil.fr/vos-libertes/plainte-en-ligne/.
- 26. CNIL, "2011 : Objectif labellisation !", 17 May 2010 http://www.cnil.fr/la-cnil/actu-cnil/article/article/2011-objectif-labellisation/.
- 27. International Standards on the Protection of Personal Data and Privacy à "The Madrid Resolution", 5 November 2009, available at http://www.privacyconference2009.org/dpas_space/space_reserved/documentos_adoptados/common/2009_Madrid/estandares_resolucion_madrid_en.pdf.
- 28. EDRI-gram, Number 6.7, April 2008, "Linking Can Be Damaging to Your Pockets," available at http://www.edri.org/edrigram/number6.7/linking-decison-france. See also 01Net, "A Wave of Condemnations Shakes the French Web 2.0" 27 March 2008, available at
http://www.01net.com/editorial/375750/une-vague-de-condamnations-ebran (in French). See also
Presse Citron, "Case Olivier Martinez vs. Fuzz : Fuzz condemned," 27 March 2008, available at
http://www.presse-citron.net/?2008/03/27/3217-affaire-olivier-martinez. See also Presse Citron, Parts of the Court decision, available at http://www.presse-citron.net/?2008/03/28/3221-extraits-de-l-ordonnance (in French). See also Vivre en Normandie, "The French web passes through black hours," March 2008,
- 29. "Tribunal de grande instance de Paris Ordonnance de référé 13 avril 2010
Hervé G. / Facebook France," available at http://legalis.net/breves-article.php3?id_article=2898 (in French).