Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy

In late 2009 the Secretary of State in charge of the Development of the Digital Economy launched a debate on the topic of the right to be forgotten on the Internet ("le droit à l'oubli"). In May 2010, the Secretary of State, in charge of the Development of the Digital Economy, launched a public consultation on the "right to be forgotten", but considered from a wider angle.1


Consent (opt in) must be obtained before sending an electronic message (email, SMS, MMS,é) of a promotional nature to a consumer.2 There are exceptions to the opt in rule applicable to electronic messages sent to consumers: (i) if the electronic contact details have been obtained directly from the targeted recipient in the framework of a sale of goods or services, (ii) if the solicitation relates to similar goods or services, (iii) if the solicitation is made by the same person, and (iv) if the target has been offered the possibility to opt out and will be given this possibility in any subsequent message sent, easily and free of charge.

The Union Française de Marketing Direct (UFMD) and the Syndicat National de la Communication Directe (SNCD), two direct marketing associations, have issued codes of conduct on email marketing3 to provide guidance to their members (remote selling companies and companies operating email campaigns). These codes were approved by the CNIL in 2005.

To assist individuals in fighting unsolicited communications, private and public sector organizations, including the CNIL, created a non profit organizationcalled "Signal-Spam"4 that develops a tool enabling e-mail recipients to easily report spam.

In addition to the website to report spam and the website for private or commercial dispute on the Internet, the French government has launched a new official website called that offers Internet users the opportunity to report any illegal content or behavior that they might come across on the Internet.5

ISPs and telecom operators' terms and conditions are under the scrutiny of consumer groups or associations whose mission is to prevent the violation of consumers' privacy.The consumer group UFC Que Choisir challenged to court's online terms and conditions. On 28 October 2008, the Court of First Instance of Paris6 found that the site included several "improper or unlawful" clauses that were held unenforceable, some of which related to the processing of personal data, including the provision by which can share personal data with, Inc. and the affiliates controlled by, Inc. The Court considered that this situation created an imbalance between the rights and obligations of the contracting parties as the sharing of personal data with undetermined affiliates was imposed upon the consumer without specification of the contemplated purpose and usefulness of the sharing. Clauses relating to solicitation, data disclosure and co-branding were also criticized. The Court required Amazon to pay to UFC 30.000 EUR in damages and ordered the removal of the illegal clauses from's terms and conditions within a month.

The Data Protection Act allows intellectual property rights societies to create private records of rights infringers through the collection of their IP addresses in P2P networks; however, the use of automatic software for such a collection is subject to CNIL approval. The CNIL decided in October 2005 to reject the introduction of surveillance devices, proposed by Sacem and 3 other author and producer associations, for the automatic tracing of infringements of the Intellectual Property Code. This decision was cancelled by the Conseil d'Etat on 23 May 2007. The court found that the proposed devices are not disproportionate, and are acceptable considering the extent of piracy occurring in France. The author and producer associations resubmitted their request to the CNIL, and obtained the required authorisations in November 2007 and January 2008.7

Copyright holders envisaged a new role for ISPs for addressing online copyright infringement.[92] In November 2007, some French ISPs and music and movie representatives signed the Olivenness Cooperation Agreement. French ISPs would monitor Internet customer's communications to identify peer-to-peer users who may infringe the French copyright law. The agreement includes the "gradual response system" which involves a newly created independent authority, entitled HADOPI (Haute Autorité pour la diffusion des oeuvres et la protection des droits sur Internet) to combat online piracy.[93]

On 10 June 2009, the French Constitutional Council rejected key parts of the enforcement provisions of HADOPI.[94] The Council determined that a three strikes rule, in which HADOPI could cut off users' access to the Internet (for a period of three months to a year) after three warnings (the first two would be sent first by email then by registered mail) to stop their illegal downloads, violated a fundamental human right to freely communicate under the 1789 Declaration of Human Rights (Déclaration des droits de l'homme) The Council ruled that this was contrary to the presumption of innocence and did not provide adequate due process.[95] The Council found that HADOPI could issue the first two warnings but the third warning would have to be issued by a judge.[96] The Council explained that freedom of speech "implies today, considering the development of the Internet, and its importance for the participation in democratic life and the expression of ideas and opinions, the online public's freedom to access these communication services."[97]

A second version of the law has been presented to the Parliament and brought again by some MEPs before the Constitutional Council who, this time, approved most of the text that was enacted on 28 October 2009.8

The principle of "graduated riposte" is maintained but the suspension of Internet access can only be ordered by a judge. Some of the implementation decrees have been submitted to the CNIL for its opinion but have not yet been finalised, while others are still expected.


On 23 March 2010, the Senate voted on a bill9 intended to enhance the protection of personal data, in particular by the creation of a security breach notification obligation upon data controllers. Senators wished to create a two-level notification obligation. At a first level, in case of violation of the processing of personal data, the data controller must inform the data protection correspondent or, in his absence, the CNIL. At a second level, if the violation has impacted the personal data of one or more individuals, the data controller must also inform those individuals, except for some "sovereignty files". This notification obligation would apply regardless of the industry sector; hence would not be limited to the e-communications sector. The French government objected to the introduction of this measure. The bill is still to be reviewed by the National Assembly. In September 2010, it has not been put on the agenda of the competent committee.

Additionally, the Ministry of Economy, Industry and Labor is preparing the implementation of the so-called EU "telecom package",10 including the 2009/136/EC Privacy and E-communications Directive that must be implemented into Member States' laws before 25 May 2011. This Directive provides for a security breach notification obligation to a national authority by providers of electronic communications services. The Ministry conducted a public consultation in May 2010. The bill drafted by the Ministry provides for a notification by providers of electronic communications services on open networks, to both the CNIL and the individuals impacted by a "violation of personal data" (i.e. a violation of security leading accidentally or unlawfully to the destruction, damage, loss or disclosure of personal data).11

Online targeted advertising and search engine privacy

The phenomenon of targeted advertising on the Internet is recent in France; however it has been identified as a potential threat to Internet users' right to data protection, and is closely followed by the CNIL. In this respect, the Authority issued a report at the beginning of 2009 stressing that technological and economical changes in the business model of companies doing business on the Internet are worrisome.12 More and more companies, either by diversification or acquisition (e.g. Yahoo and Google), become content providers, service providers (Internet access, email, search engines etc) and advertising agencies for third parties, and, as a result, have the opportunity to aggregate the data they collect from users through various means.

The concentration of actors and data sources is therefore seen as a potential risk to privacy, in particular as individuals do not realize the impact these dynamics may have on the processing of personal data, especially since the CNIL finds that opt out mechanisms (e.g., opt out cookies) do not work adequately in practice. If advertising agencies were to share data they collect with businesses such as banks, insurance companies or recruiters, selections and assessments of consumers, applicants or job candidates could be made based on assumptions about their health, finances or other sensitive information, without individuals being fully aware of it. This is viewed as a real threat by the Authority.

The CNIL's report underlines the various challenges that online targeted advertising presents to data protection authorities. It indeed opens the debate as to whether a technical identifier (IP address on identifier placed in a tracking cookie) is "personal data", and how to ensure that individuals can exercise their opt-out and opt-in rights efficiently.

On 30 September 2010, the Secretary of State in charge of the development of the Digital Economy, gathered industry associations to sign a Code of Conduct on "targeted advertising and protection of internet users".13

Online social networks and virtual communities

align="left">See updates under sections "Major Privacy & Data Protection Case Law", "Online Youth Safety", and "Workplace Privacy"

Online youth safety

The protection of minors (people under the age of 18) surfing on the Internet is a topical subject in France, in particular because of the success of social networks and the development of direct marketing techniques that target them specifically.

Several direct marketing associations have issued recommendations and guidelines14 in order to encourage providers of Internet services and marketing professionals to carry out protective measures before processing minors' data and proposing them services and products.

A well-known association of IT professionals, that deals with Internet and issues related to new technologies, provides advice to parents15 and minors16 in order to help the former protect their children when they surf the Internet, and help the latter more cautiously use the Internet.

Workplace privacy

Employees have a right to privacy in the workplace.

In 2001, the French high labor court (Chambre sociale de la Cour de Cassation) held in Nikon v. Onof that employees have a right to privacy at the workplace and that an employer cannot access an employee's personal e-mails stored on a work computer without violating the employee's privacy.

Since 2006, case law has determined that emails and files stored on company systems at the workplace are presumed to be work-related, except if they are clearly flagged as "personal" or "private". As a result, the principle is established that the employer can access the employee's emails and files stored in his work computer or his office, except for the ones flagged as "private" or "personal".17 But there are exceptions: the employer can access even the private files of an employee if the employee is present or if the company is facing particular risks.18

The violation of company rules relating to the use of the Internet by an employee are not necessarily a sufficient justification to terminate an employee. The Supreme Court (Cour de cassation) decided such a case where an employee accessed porn websites during working hours. It was considered that this behavior did not negatively affect the employee's work19 .

In November 2009, the recruitment association "A Compétence Egale" presented a code of conduct20 aimed at ensuring the proper use of Internet resources in job selection and recruitment procedures, and in particular of information available on social networks.

Health and genetic privacy

Health privacy

Computerized patient records (dossier médical personnel, or "DMP") were created by law in 2004 for the entire population of France. In its April 2007 study, the CNIL found a serious lack of data protection and many security breaches in the DMP process, and called for reinforced security measures. Furthermore, the Ministry of Health proposed a modification to the law in 2006 that would use individuals' social security numbers (NIR) to identify and link medical records. Civil rights NGOs strongly protested against this project, as it would breach privacy rights by facilitating the interconnection between medical data and other personal data contained in various national files.21 The CNIL proposed in its conclusions the use of a different identifying number, derived through a non-reversible anonymisation process.22

In 2008, the Ministry of Health, asked the National Consultative Ethics Committee (Comité Consultatif National d'Ethique, or CCNCE) for an opinion regarding the blocking factors of the DMP implementation and the possible ways to address them. The Committee's report23 stated that these factors were, among others, the opposition between the right of the patients not to reveal certain elements of their health record to the DMP and the necessity for the healthcare system to trust the information contained in the DMP, also the inability of hospitals and health professionals' current information systems to guarantee the effective operation of the DMP, the important risks of failure in the security and confidentiality of health data, which could result from an interconnexion of several computerized files, and the important cost of implementation of the DMP. The Committee proposed in particular to limit the use of the DMP, on a voluntary basis, to patients who are suffering from serious illness involving long treatments with several healthcare professionals.

In July 2010,24 the Ministry of Health confirmed its plan to re-launch25 the DMP. The objective announced consists of implementing the DMP before the end of 2010. In order to do so, the Minister announced the strengthening of the steering committee, the implementation of technical measures to ensure system interoperability and data security, and the definition of a national identifying number. In the re-launch plan of April 2009, the government had indicated that this number had to be determined in accordance with the CNIL's recommendations.26 Recently the official website of the government mentioned that such number would be calculated on the basis of an algorithm based on several elements of patient identification, among others the NIR (the Social Security Number).27

The law of 2002 concerning the rights of patients and the quality of healthcare (Loi du 4 mars 2002 relative aux droits des malades et à la qualité du système de soins), provides that suppliers of storage services of health data on behalf of healthcare professionals must obtain a licence issued by the Ministry of Health. A Decree of January 2006 sets forth the procedure to request that licence. Their delivery had been interrupted for two years because of organizational difficulties. Reference documents were created to ease the application process and the procedure was re-launched in 2009. In June 2010, 12 suppliers had obtained a licence from ASIP Santé (Agency of the Health Ministry) as a result of the procedure, which also involves a review by the CNIL.28

In parallel, a computerized file of pharmaceutical data ("données pharmaceutiques", or DP) has been created by the Law of 30 January 2007. The aim of the DP is to improve the level of information of pharmacists in order to prevent the risks of dangerous interactions between medicines. The DP contains the history of the pharmaceutical products provided to a person during the last four months. People are not obliged to use it. Access to this file is limited to pharmacists. After a period of experimentation, which started in May 2007, the CNIL has authorized the generalization of its implementation on 2 December 2008. The CNIL published its first authorisation decisions (for pharmacists in hospitals) to carry out the DP processing in May 2010. As for the DMP, the storage of health data contained in the DP is subject to a licence of the Minister of Health and the patients' national identifying number cannot be used. The CNIL has temporarily authorised the National Council of Pharmacists (Conseil National de l'Ordre des Pharmaciens, or CNOP) to use an identifying number based on the personal data available on the each patient's individual health card ("carte vitale").

In 2009, a law called "Hospitals, Patients, Health and Territories" (Loi no 2009-879 du 21 juillet 2009 portant réforme de l'hopital et relative aux patients, à la santé et aux territoires)harmonized all the rules relating to the DMP and the DP into the same code, the Code of Public Health (Code de la santé publique) and stated that access by healthcare professionals to the DMP is subject to patient consent.This law also provides the possibility for HIV screening centers to remove the anonymity of seropositive patients, in the conditions fixed in Minister Order (arrêté ministériel) of 8 July 2010,29 in the cases where there is a therapeutic interest for the patient to do so and provided that the patient has given his express prior consent.

Genetic privacy

Nothing to report under this section.

Financial privacy

In September 2008, the European Court of Human Rights ruled for the second time that French searches and seizures of documents by tax authorities on a suspicion of fraud violated the European Convention on Human Rights.30 The court further observed that such searches were already established as violating the Convention, thus it was unnecessary to consider if it was a violation of the right to privacy.31