
*A 2017 updated version of this report is available

France’s data protection law dates back to 1978 with the enactment of Law 78-17 on Information Technologies, Data Files and Civil Liberties. This Law is said to have inspired the drafting of European Union Directive 95/46/EC on personal data protection. The 1978 Law has been amended on several occasions to comply with more recent European Union Directives. Personal data must be collected and processed fairly and lawfully for specified, explicit, and legitimate purposes, and with the consent of the data subject. In addition to the right to consent, data subjects have been given the following rights: right to be informed, right to object, right of access, right to correct and delete information, and right to be forgotten.

The 1978 Law does not explicitly mention the privacy rights of minors. France favors informing parents and children about responsible Internet use by way of major communication campaigns and education in school. Electronic communications providers must erase or render anonymous electronic communications traffic and location data. There are, however, several exceptions to this rule for purposes of the investigation and prosecution of criminal offenses and for protecting intellectual property. In such cases data may be kept for a maximum of one year. Violations of the 1978 Law may result in criminal, civil, or administrative sanctions.

The 1978 Law also created an independent data protection commission whose powers were further increased in 2004. The primary mission of the commission is to inform data subjects and controllers of their rights and obligations and to monitor compliance with the 1978 Law. To perform its mission, the commission may act by way of recommendations, guidance, individual or regulatory decisions, and on-site inspections. It also has the power to impose administrative sanctions and fines. A draft law further strengthening personal data protection has been pending before Parliament since March 2010. The adoption by the EU of the new data protection regulation currently under consideration may render this draft law obsolete.

I. Legal Framework

There is no specific personal data protection guarantee in the 1958 Constitution. The primary text on data protection is Law 78-17 of January 6, 1978, on Information Technologies, Data Files and Civil Liberties, as amended (1978 Law).[1] Its first article sets forth the principle that information technology is at the service of each citizen and cannot violate human identity, human rights, privacy, or individual or public liberties.[2]

France, together with Sweden and the German State of Hessen, was one of the first countries in Europe to adopt a data protection law. The 1978 Law is said to have inspired the drafting of Directive 95/46/EC on personal data protection.[3] The 1995 Directive intended to harmonize the protection of the right to the privacy of individuals with respect to the processing of personal data among Member States.[4]

France transposed this Directive by Law 2004-801 of August 6, 2004 (2004 Law).[5] As the 1978 Law was largely compatible with the 1995 Directive, most of its articles remained unchanged and it has kept its original number and is generally referred to as Law 1978 of January 6, 1978, as amended by Law 2004-801 of August 6, 2004. Law 2004-801 also transposed parts of Directive 2002/58/EC on privacy and electronic communications, notably its provisions on cookies.[6] The remaining portions of the Directive were directly transposed in France’s Post Offices and Electronic Communications Code.

The 1978 Law was also implemented by Decree 2005-1309 of October 2005, as amended by Decree 2007-451 of March 25, 2007.[7] The Law was further modified in 2009,[8] 2010,[9] and 2011.[10] The latest modification resulted from the transposition of two EU directives referred to as the “Telecom Package” by Ordinance 2011-1012.[11] These directives reform the EU framework on electronic communications.

In addition, France has signed and ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, signed in Strasbourg in January 1981.[12]

II. Current Law

The 1978 Law provides for procedures ensuring the confidentiality of personal information held by government agencies and private entities. It also created an independent data protection authority, the National Data Processing and Liberties Commission (Commission Nationale de l’Informatique et des Libertés, CNIL). The CNIL’s primary mission is to ensure that the development of information technology remains at the service of each citizen and does not infringe upon human identity, the rights of man, or individual or public liberties.

The 1978 Law does not contain any specific rules regarding its application to the Internet. The CNIL, however, has provided extensive information on several matters related to the Internet in a series of articles published on its website. The articles include “Ten Recommendations on PC Security,” “The Duties of Bloggers,” “Targeted Marketing on the Internet,” “Search Engines and Privacy,” “Street View: CNIL Review,” “The Status of IP Addresses,” and “Social Networks.”[13] The CNIL has also published a study on security regarding the latest generation of smartphones, providing ten recommendations on how to protect personal data, including one’s geographic position.[14] Its recommendations include avoiding the recording of confidential information in a smartphone, choosing a complicated code, adding an automatic lock to the code, installing antivirus software, and turning off the GPS or Wi-Fi feature when not using a location-based application.[15] In addition, the CNIL recently reissued guidance on cookies.[16]

A.  Scope of Application

The 1978 Law applies to the processing, automated or not, of personal data contained or intended to be part of a personal data filing system. It applies to the processing of personal data (automated or not) from the private and public sectors carried out by a natural person or legal entity.[17] Processing undertaken exclusively for private (personal or household) activities is excluded. The Law also expressly excludes “cache” copies, described as

temporary copies made in the context of technical operations of transmission and access provision to a digital network for the purpose of automatic, intermediate and transitory storage of data and with the sole aim of allowing other recipients of the service to benefit from the best access possible to the transmitted information.[18]

B.  Territorial Application of French Law

The 1978 Law applies to the processing of personal data where the data controller is established on French territory. The data controller who carries out his activity on French territory within an establishment, whatever its legal form, is considered established on French territory.[19] The Law also applies where the data controller, although not established on French territory or in any other Member State of the European Union, uses means of processing located on French territory, with the exception of processing used only for the purposes of transit through the territory or that of any other Member State of the European Union.[20]

In addition, several cases have raised the question of under what circumstances French law applies to the Internet where the data controller is not on French territory but the personal data are posted online by an Internet user located in France. Some partial answers were provided by the Tribunal de Grande Instance de Paris (ordinary court of general jurisdiction for Paris), as discussed in Section IV, “Courts,” below.

C.  Definition of Personal Data

Personal data are defined as “any information relating to a natural person who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him.”[21] The definition is very broad. In addition to data permitting the identification of a person directly (name, photograph, sex) or indirectly (date and place of birth, address, email address, social security number, etc.), the term also includes medical and genetic data and all of an individual’s biometric characteristics (fingerprints, voice, iris, retina, etc.).[22]

There has been some discussion as to whether an IP address constitutes personal data. IP addresses are regarded as personal data by all European data protection authorities.[23] French courts have been divided on the issue, however (see Section IV, “Courts,” below).

D.  Rights Granted to Data Subjects

The following rights are conferred on data subjects:

Right to Consent

Any data subject must consent to the processing of personal data unless the data controller meets one of the following conditions:

  • Compliance with any legal obligation to which the data controller is subject
  • Protection of the individual’s life
  • Performance of a public service mission entrusted to the data controller or the data recipient
  • Performance of either a contract to which the data subject is a party or steps taken at the request of the data subject prior to entering into a contract
  • Pursuit of the data controller’s or the data recipient’s legitimate interest, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject[24]

The 1978 Law does not include a definition of consent. In general, this issue is resolved by looking at what constitutes consent under the Civil Code.[25] A definition of consent has been added to the Post Offices and Electronic Communications Code in relation to direct marketing by electronic means. It is defined as a freely given manifestation of wishes, specific and informed, by which a person accepts that personal data relating to him/her will be used for direct prospecting. This definition is similar to the definition of consent found in Directive 95/46/EC.[26]

Right to Be Informed

A data subject must be informed of the following: identity of the data controller and of his representative; the purposes of the processing for which the data are intended; whether replies to the questions are compulsory or optional; the possible consequences for the individual of the absence of a reply; the recipients or categories of recipients of the data; the rights granted him by Section 2 of Chapter V (right to object, right of access, and right to correct); and, when applicable, the intended transfer of personal data to a State that is not a Member State of the European Union.[27]

Users of electronic communications services such as telephone, fax, e-mail, SMS (Short Message Service) or MMS (Multimedia Messaging Service) must be informed “in a clear and complete manner” of the processing of their data.[28] The 1978 Law also requires that any subscriber or user of an electronic communications service be informed by the data controller before its installation if the controller intends to install a cookie on his/her computer. The subscriber must expressly consent to such installation.[29]

Right to Object

Data subjects may object on legitimate grounds to the processing of their personal data.[30] Legitimate reasons are those reasons related to the particular situation of the individual and having priority over the interest of the data controller. In case of disagreement, the judge generally gives greater weight to the protection of the individual when deciding whether a reason is legitimate.[31]

Data subjects may also object to having their personal data used for advertising or marketing, or disclosed or transferred to any third parties for such purposes. The right to oppose the disclosure of data to third parties must be available at the time the data are collected. The use of automated calling robots, faxes, or e-mails for advertising purposes is prohibited unless prior express consent has been granted by the individual.[32]

Right of Access

A data subject is entitled to interrogate the data controller to obtain the following:

  • Confirmation as to whether the personal data relating to him are part of the processing
  • Information on the purposes of the processing, the categories of processed personal data, and the recipients or categories of recipients to whom the data are disclosed
  • Information on the intended transfer of personal data to a State that is not a Member State of the European Union, if applicable
  • Communication, in an accessible form, of the personal data relating to him as well as any available information on the origin of the data
  • Information allowing him to learn of and object to the reason for automatic processing, in the case of a decision taken based on automatic processing and producing legal effects in relation to the individual[33]

Any data subject may also obtain a copy of such data against payment of a fee or duplication costs.[34]

Right of Indirect Access

There is also a right of indirect access where the data processing is related to the security of the state, defense, or public security. In this case, the data subject may request that the CNIL check his/her information. The CNIL verifies the relevance and accuracy of the data, and may demand their correction or deletion. If the data controller agrees, the data may be disclosed to the data subject by the CNIL.[35]

Right to Correct and Delete

Any data subject may ask the data controller to correct, complete, update, block, or delete personal data relating to him that are inaccurate, incomplete, equivocal, or obsolete, or whose collection, use, disclosure, or storage is prohibited.[36]

Right to Be Forgotten

Personal data may not be stored beyond the period necessary for the purposes for which they are obtained and processed.[37] On July 12, 2011, for example, the CNIL issued an injunction to cease processing against the association LEXEEK and imposed a €10,000 fine. This association publishes court cases on its Internet site that include the names of the parties. One of the plaintiffs complained to the CNIL that he was refused a position after the potential employer found a twelve-year-old case concerning a minor offense on the website of the association. The CNIL grounded its decision on one of its recommendations on the dissemination of personal data dated November 29, 2001. In this recommendation, the CNIL advised that publishers of legal databases that are freely accessible on the Internet should not include the names of parties or witnesses. The sanction is said to show the firm will of the CNIL to guarantee a true right to be forgotten (droit à l’oubli).[38]

E.  Obligations of Data Controllers

1.  Prior Notifications

Data controllers must notify the CNIL of the processing of personal data except as exempted by law or the CNIL, or where the data controller has appointed a data protection officer (correspondant à la protection des données personnelles). The 2004 Law introduced this new institution. This officer is charged with ensuring, in an independent manner, compliance with the obligations set forth in the 1978 Law. Data controllers who have appointed such an officer are exempted from the formalities of notification or simplified notification, except where a transfer of personal data to a State that is not a Member State of the European Union is envisaged.[39]

Prior notification is necessary for all processing that is not subject to any other specific regime. For the most common categories of processing of personal data, which are not likely to be a violation of privacy or liberties, only a simplified form of notification is required.[40]

The following three categories of processing do not require prior notifications:

  • Processing intended exclusively for public information and open for public consultation or by any person demonstrating a legitimate interest
  • Processing carried out by an association or any other not-for-profit religious, philosophical, political, or trade union body only for the data corresponding to the object of that association or body, and concerning their members or individuals who keep regular contact
  • Processing for which the data controller has appointed a personal data protection officer, as noted above[41]

2.  Authorizations

Collecting and processing personal data that reveal, directly or indirectly, the racial and ethnic origins; the political, philosophical, or religious opinions; or the trade union affiliations of persons, or that concern their health or sexual life, is prohibited unless specifically authorized due to the special purpose of the processing—for example, the processing of personal data for the purpose of medical research or processing necessary for the protection of human life.[42]

The CNIL’s authorization is also required in collecting and processing the following data:

  • Sensitive data that are to become anonymous in a very short time after being processed
  • Genetic data, unless the processing is carried out by physicians or biologists and necessary for preventive medicine, medical diagnosis, or the administration of care or treatment
  • Data comprising assessments of the social difficulties of natural persons
  • Biometric data necessary for the verification of an individual’s identity
  • Data relating to offenses, convictions, or security measures, except for those carried out by representatives of justice when necessary to accomplish their task of defending data subjects[43]

The above list is not exhaustive. The CNIL maintains a publicly available registry that lists the automatic processing that satisfies the formalities above, concerning notification, simplified notification, or authorizations. For each processing the list specifies the document containing the decision to create a data processing procedure; the denomination and the purpose of the processing; and the identity and address of the data controller.[44]

3.  General Obligations

Data controllers must obtain and process data fairly and lawfully for specified, explicit, and legitimate purposes. They must respect these purposes. Data collected must be adequate, relevant, and not excessive in relation to the purposes for which they are obtained and their processing. Data must be accurate, complete, and, where necessary, updated. Data must be stored in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they were obtained and processed.[45] Finally, data controllers must preserve data security, avoiding data modification, damage, or access by unauthorized third parties.[46]

F.  Protection of Minors

The 1978 Law does not explicitly mention privacy rights of minors. According to its wording it applies to any “natural person,” therefore including minors. Only one of its articles specifically mentions minors, under Chapter IX: Processing of Personal Data for the Purpose of Medical Research. It provides that the holders of parental rights for minors are the recipients of the information and exercise the rights provided for in articles 56 (right to object to the lifting of the duty of confidentiality) and 57 (rights of information, access, and correction).

France favors informing parents and children about responsible Internet use. In 2010 the CNIL organized a major communication campaign for minors, and has invested €500,000 in privacy awareness programs for children, parents, and teachers by sending guidelines to schools.[47] It has also created a special website for minors.[48] In addition, the Education Code provides that during civic education classes students must be taught how to develop a critical and reflective approach to the use of online communications. The Code further provides that students must be informed of all their rights under the 1978 Law.[49]

France is also a member of the Safer Internet Program supported by the European Commission.[50] The Safer Internet Program France comprises Internet Sans Crainte, an awareness project; Net Ecoute Famille, a telephone assistance program; and Point de contact, an online service to notify the authorities of illegal websites.[51] Internet Sans Crainte aims both at reaching children and teenagers directly and at addressing their parents and educators. It provides awareness kits to help educators, teachers, and other professionals organize workshops in schools, in educational and leisure centers, and at shows and exhibits.[52]

A recent report published by the National Assembly states that “the protection of minors in the digital universe is particularly difficult to ensure.”[53] It cites a 2010 study financed by the Safer Internet Program showing that 40% of minors between the ages of nine and sixteen who use the Internet have been exposed to at least one of the following risks: pornography, harassment, sexual messages, contact with unknown persons, messages containing dangerous information, and the diversion of their personal data.[54] The report further states that the lack of parental supervision over children’s use of the Internet is the weak link in the protection of minors and that additional campaigns to sensitize these parents are paramount.[55]

Finally, the report addresses the agreement for the protection of minors signed by seventeen social networking sites, including Facebook, at the request of the European Union Commission. The report notes that despite this agreement, social sites do not sufficiently check the age of minors who join. The report in particular cites Facebook. It says that although Mark Zuckerberg, president and founder of Facebook, has agreed to keep the minimum age to join Facebook at thirteen for the time being, he has not ruled out lowering that age in the future. In addition, the report notes that Facebook has shown as little diligence to protect children as it has in answering questions from the National Assembly.[56]

G.  Transfer of Personal Data to Non-EU Member States

Data controllers cannot transfer personal data to a non-EU Member State unless that State provides for a sufficient level of protection of individuals’ privacy. The sufficient nature of the protection is assessed by taking into account, in particular, the laws in force in the State; the security measures it applies; the specific characteristics of the processing, such as its purposes and duration; and the nature, origin, and destination of the processed data.[57] The CNIL is required to publish a list of the Member States providing an adequate level of protection established by the EU Commission.[58]

Data controllers, however, may transfer personal data to a non-EU Member State that does not provide an adequate level of protection if the data subject has expressly consented to the data transfer or where the transfer is necessary for any one of the following:

  • The protection of the data subject’s life
  • The protection of the public interest
  • To meet obligations ensuring the establishment, exercise, or defense of legal rights
  • The consultation of a public register intended for public information and open for public consultation
  • The conclusion or performance of a contract between the data controller and the data subject
  • The conclusion of a contract, or the performance of a contract that has either been concluded or is to be concluded, in the interest of the data subject between the data controller and a third party[59]

In addition, when filing their prior notification with the CNIL, data controllers must specify whether the processing will result in the transfer of data to a foreign country. In such case, the CNIL verifies that the data transferred will receive a level of protection similar to that provided by French law. The CNIL may request specific guarantees, limit, or prohibit the transfer of information to countries that do not have data protection laws or have not signed the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.[60]

Finally, data subjects whose personal data are transferred abroad may be protected by a contract compelling the data recipients to use caution in their use of the data and guaranteeing recourse for data subjects.[61] The European Commission has approved standard contractual provisions to that effect. “Binding corporate rules” are another form of protection. The rules are designed to allow multinational companies to transfer personal data in compliance with the protection principles set forth in Directive 95/46/EC to their affiliates located in countries outside the EU that do not provide an adequate level of protection.[62] Transfers to the United States are authorized if the receiving company adheres to the Safe Harbor Privacy Principles negotiated between US authorities (the Commerce Department) and the European Commission in 2001.[63]

H.  Sanctions

1.  Sanctions Imposed by the CNIL

The Select Committee of the CNIL, which comprises six of its members, may, after hearing from all parties, issue a warning to a data controller failing to comply with the obligations set forth in the 1978 Law. Such a warning is regarded as a sanction.[64] The Chairman of the CNIL may also serve a formal notice to comply on said data controller to cease the noncompliance by a given deadline. In the case of an emergency, this deadline may be limited to five days. The Select Committee may impose one of the following sanctions: an injunction to cease processing; the withdrawal of an authorization, if applicable; or a fine.[65]

Where the processing or the use of processed data leads to a violation of the rights listed in article 1 of the 1978 Law (human identity, human rights, privacy, or individual or public liberties), the Select Committee may issue a warning, initiate an emergency procedure in order to stop the processing for a maximum period of three months, or decide to lock up some of the processed personal data for a maximum period of three months.[66]

In the case of a serious and imminent violation of the rights listed above, the CNIL’s Chairman, in summary proceedings, may request the competent jurisdiction to order a daily penalty and/or any security measure necessary for the protection of these rights and liberties.[67]

The amount of a fine imposed by the CNIL must be proportional to the severity of the violation committed and to the profits derived from such violation. In the case of a first violation, the fine may not exceed €150,000. In the event of a second violation within five years from the date on which the preceding fine became final, the fine may not exceed €300,000 or, in the case of a legal entity, 5% of its gross revenue for the latest financial year, to a maximum of €300,000.[68] Where the Select Committee issues a fine that is final before a criminal court has definitively ruled on the same or related facts, the criminal court judge may order that the amount of the CNIL fine be deducted from the fine he imposes.[69]

Fines Levied on Google

On March 17, 2011, the CNIL used its enforcement authority to fine Google €100,000 for violating France’s data privacy laws.[70] A press release issued by the CNIL stated that for many years Google has been collecting technical data over unsecured Wi-Fi networks and recording personal data (IDs, passwords, login details, and email exchanges revealing information on health and sexual orientation) without the knowledge of the data subjects.[71]

The press release further provided that inspections carried out by the CNIL in late 2009 and early 2010 demonstrated that vehicles (Google Street View cars used for Google Maps services) deployed on the French territory collected and recorded not only photographs but also data transmitted by individuals’ wireless Wi-Fi networks without their knowledge. The collection of tens of thousands of Wi-Fi access points via Google cars apparently allowed the company to develop a database of geo-locations that is extremely competitive, and thus to acquire a dominant position in the field of location-based services.[72]

In May 2006 the CNIL requested that Google stop collecting such data and provide a copy of all the data collected on French territory. Google claimed that the data were collected by mistake, that it was seeking assistance in deleting them, and that it had grounded its Street View cars. The CNIL, however, found that Google continued its data collection through its geo-location service Latitude.[73]

2.  Criminal Sanctions

The provisions dealing with infringements upon personal rights resulting from data processing contained in the 1978 Law have been incorporated into the Penal Code. Articles 226-16 through 226-24 define several offenses:

  • Collecting automated data without complying with the prerequisite formalities or after receiving an injunction to stop the processing
  • Collecting data indicating a person’s registration number in the National Register of National Persons unless specifically authorized
  • Collecting automated data without taking all the necessary precautions to preserve the security of such data
  • Collecting information by fraudulent, unfair, or unlawful means or collecting data concerning a person despite the person’s reasonable objections
  • Processing data for direct marketing purposes in spite of the person’s objection
  • Collecting health data without informing the data subject of his/her right of access, correction, and objection, or despite their objection
  • Storing data that directly or indirectly discloses the racial origins or the political, philosophic, or religious opinions; trade union membership; or moral principles of a data subject without the explicit agreement of such person
  • Storing automated data without the authorization of the CNIL beyond the period originally authorized
  • Diverting automated data from its intended use
  • Making automated data available to a third person not qualified to receive such data without the consent of the affected person
  • Transferring personal data to a State that does not belong to the European Union in violation of measures taken by either the European Union or the CNIL[74]

These offenses are punished by a maximum term of imprisonment of five years and a maximum fine of €300,000, with the exception of making automated data available to a third person not qualified to receive them where such offense is committed by negligence or a lack of prudence. In such cases, the penalty is a maximum term of imprisonment of three years and a fine of €100,000.[75]

3.  Civil Sanctions

An individual whose right to privacy is violated may request that a court order such measures to be taken as necessary to end the violation of this right.[76] In addition, the individual may be entitled to damages under article 1382 of the Civil Code, which provides that “[a]ny act whatever of man, which causes damage to another, obliges the one by whose fault it occurred, to compensate it.”[77]

I. Retention of Data

Directive 2006/24/EC, known as the Data Retention Directive, requires Member States to compel electronic communications providers to retain traffic and location data for between six months and two years for the purpose of the investigation, detection, and prosecution of serious crime.[78] France transposed Directive 2006/24/EC through several provisions contained in various laws. It added a provision to the Post Offices and Electronic Communication Code providing for the retention of certain types of technical data for a maximum period of one year for research purposes, the detection and prosecution of criminal offenses, and the protection of intellectual property.[79]

Law 2006-64 of January 23, 2006, on the Fight Against Terrorism, specifically empowered police officers to require the communication of certain data from Internet providers without any authorization from the Public Prosecutor.[80] This provision was also incorporated into the Post Offices and Electronic Communications Code.[81] Internet providers may also be required by these police officers to keep the data for one year.[82] The police officers must state the grounds for their requests in writing. These requests are reviewed by a qualified person appointed for three years by the National Commission for the Monitoring of Security Interceptions (Commission nationale de contrôle des interceptions de sécurité). The Commission may verify the officer’s requests at any time and notify the Ministry of Interior of any violation of individuals’ rights and liberties.[83]

The list of the types of data that must be retained was published in an implementing decree.[84] It includes data that identify the user and his or her terminal equipment; the recipient of the communication; the date, time, and duration of the communication; the additional services used and the suppliers; and, for telephone services, the origin and location of the communication.[85]

Law 2009-669 of June 12, 2009, on Favoring the Dissemination and the Protection of Creation on the Internet, authorizes sworn agents investigating copyright infringements on behalf of the High Authority for the Distribution of Works and the Protection of Rights on the Internet (HADOPI) to request data revealing the identity of an Internet user.[86] These agents may request from electronic communications providers the information necessary to establish evidence of a copyright infringement, including but not limited to the identity, postal address, electronic address, and telephone number of the subscriber.[87]


III. Role of Data Protection Agencies

The CNIL was established by the 1978 Law.[88] Its powers were further increased by the 2004 Law. It is an independent administrative authority. Its budget is allocated from the State budget. Its decisions may be appealed before the administrative courts. The CNIL’s primary mission is to inform individuals and data controllers of their rights and obligations and to monitor the observance of the 1978 Law. It does not receive any instructions from any other authorities. Ministers, public authorities, and the heads of private or public enterprises cannot oppose the CNIL’s actions and must take steps to facilitate the implementation of its missions.[89]

A.  Composition

The CNIL comprises seventeen members: two senators; two members from the National Assembly; two members from the Economic Social and Environmental Council; two members from the Cour de Cassation, France’s Supreme Court for civil and criminal matters; two members from the Conseil d’Etat, France’s Supreme Court for administrative matters; two members from the Cour des Comptes, France’s national audit Court; and five eminent personalities chosen for their knowledge of information technology or questions related to individual liberties, who are appointed by the Cabinet of Ministers (3), the President of the Senate (1), and the President of the National Assembly (1). In addition, the Commission includes the Défenseur des Droits (Civil Rights Ombudsman) or his/her representative, who casts a consultative vote. The CNIL elects its chairman from among its members.[90]

B.  Missions and Powers of the CNIL

The CNIL has the following missions and powers:

  • To inform all persons or entities concerned of their rights and obligations under the 1978 Law
  • To ensure that the processing of personal data is carried out in conformity with the provisions of the 1978 Law
  • To establish and publish simplified standards and impose, when necessary, standard regulations bearing on the security of systems
  • To receive claims, petitions, and complaints relating to the carrying out of the processing of personal data and inform the initiators of these actions of the decisions taken regarding them
  • To respond to requests from public authorities and courts for an opinion and advise individuals and bodies that set up or intend to set up automatic processing of personal data
  • To immediately inform the Public Prosecutor, in accordance with article 40 of the Criminal Procedure Code, of offenses of which it has knowledge and eventually present its remarks in criminal proceedings
  • To entrust by a special authorization one or several of its members or its General Secretary to undertake or have undertaken by staff members verifications relating to all processing and, if necessary, to obtain copies of all documents or any medium that are useful to its tasks
  • To answer requests for access concerning processing that involve state security, defense, or public safety, and public processing in relation to offenses and taxation
  • To give an opinion on the conformity with the 1978 Law of draft professional rules, products, and procedures intended to protect data subjects if requested by professional organizations or institutions having mainly data controllers for their members
  • To assess the guarantees provided by the professional rules that it has previously recognized to be in conformity with the provisions of the 1978 Law, with respect to the fundamental rights of individuals
  • To provide a quality label for products or procedures intended to protect data subjects
  • To keep itself informed of developments in information technologies and make public its assessments of the consequences of these developments for the exercise of rights and liberties
  • To be consulted on any draft law or decree relating to the protection of data subjects
  • To propose legislative or regulatory measures to the government in order to adapt the protection of liberties to developments in computer processes and techniques
  • To provide assistance with regard to data protection at the request of other independent administrative authorities
  • To contribute, at the request of the Prime Minister, to the preparation and definition of France’s position in international negotiations in the field of personal data protection[91]

To perform its mission, the CNIL may act by way of recommendations, guidance, and individual or regulatory decisions.[92] The CNIL also carries out on-site inspections.[93] It intends to carry out about 450 inspections related to personal data protection in 2012.[94] It prepares and presents annually a public report on the performance of its mission to the President of the French Republic, the Prime Minister, and Parliament.[95]

In addition, as mentioned above, the Select Committee of the CNIL, which comprises six members, may issue administrative and pecuniary sanctions ranging from warnings to maximum fines of €300,000 against data controllers who fail to comply with the law.[96]

C.  Statistics

The 2010 CNIL activity report shows that it received 4,821 complaints alleging disrespect of the 1978 Law, an increase of 13% compared to 2009. Complaints primarily concerned the following sectors: banking and credit, marketing, the Internet and telecommunications, and labor. The CNIL processed 1,877 requests for indirect access. It conducted 308 inspections, gave three warnings, issued 111 notices to comply, and imposed five financial sanctions. It received notification of 71,410 processing operations by data controllers.[97]


IV.  Court Decisions

A.  Application of French Law to the Internet

On April 14, 2008, the Tribunal de Grande Instance of Paris addressed the issue of whether French law applies to the Internet where the data controller is not on French territory, but the personal data are posted online by an Internet user located in France. The plaintiff in the case was a user of Google messaging services who challenged Google USA and Google France, claiming that Google Groups archiving of messages published on the Usenet forums was contrary to articles 6 (data protection principles) and 7 (consent) of the 1978 Law. To decide the plaintiff’s claims, the court first had to consider whether French law was applicable. It found that the plaintiff did not show that Google USA used for the archiving means, materials, or human beings from the company Google France or any other entity located on French territory other than for transit. As a result, the data contained in the archived message that permitted the direct or indirect identification of the plaintiff could not be regarded as having been processed in France, the court said.[98]

B.    IP Addresses

The legal status of IP addresses remains uncertain, as the courts have rendered opposing decisions. In two separate decisions rendered in April and May 2007, the Court of Appeal of Paris ruled that IP addresses that were collected during searches and findings related to acts of Internet-based counterfeiting did not enable, even indirectly, any identification of physical persons, and as a result did not constitute personal data.[99]

These two decisions were strongly criticized and the Article 29 Working Party (a group of European data protection authorities) stated in an opinion dated June 20, 2007, that it considers IP addresses to be personal data. The European Court of Justice followed this opinion in a decision rendered on January 29, 2008, in the Promusicae case.[100] This position was also confirmed by article 2 of EU Directive 2006/24/EC of March 15, 2006, on the Retention of Data.[101]

The situation in France, however, remains confused. In a decision dated January 13, 2009, the Cour de Cassation, which could have ruled on the issue, chose to bypass it by focusing instead on the definition of data processing activity.[102] In that case, SACEM, a body representing authors and composers, asked one of its sworn agents to collect evidence of copyright infringement on a peer-to-peer network. After selecting a network, the agent typed the title of a song and searched for all files corresponding to the song. He then selected one of the files and saved information related to that file (IP address, name of the Internet service provider, country of origin, etc.) on a CD-Rom to be used as evidence of infringement. The main issue raised was whether such activity constituted data processing under the 1978 Law and therefore required the prior authorization of the CNIL. Article 9(4) of the 1978 Law authorizes personal data processing relating to offenses, convictions, and security measures by persons listed in articles L321-1 and L331-1 of the Intellectual Property Code, who act on behalf of victims of infringements. Article 25 of the 1978 Law requires that this processing be authorized by the CNIL. The Court found that collecting an IP address manually without using an automatic monitoring device in order to obtain an individual’s identity via his Internet service provider falls within the powers of a sworn agent and does not constitute a data processing activity within the meaning of articles 2, 9, and 25 of the 1978 Law. The Court did not address the status of the IP address.[103]


V. Public and Scholarly Opinion

According to a poll taken in October 2008, a few days before the 30th International Conference of Data Protection and Privacy Commissioners held in Strasbourg, France, 71% of French people find privacy protection on the Internet to be insufficient, and 37% of them find it not at all satisfactory.  Persons age eighteen to twenty-four who use the Internet on a larger scale are even more concerned, with the percentage of unsatisfied users increasing to 78% among this age group.[104]

During the Conference the Commissioners noted that,

[a]t present, there is very little protection against copying any kind of personal data from users’ profiles (by other network members, or by unauthorized third parties from outside the network) and using them for building personal profiles, or republishing the data elsewhere. It can be very hard, and sometimes even impossible, to thoroughly remove information from the Internet once it is published: Even after deletion from the original site (e.g. the social network), copies may be kept by third parties or the social network service providers. Personal data from profiles may also “leak” outside the network when they are indexed by search engines. In addition, some social network service providers make user data available to third parties via application programming interfaces, which are then under the control of these third parties . . . . Among other specific [privacy and security] risks already identified are the increased risks of identity fraud fostered by the wide availability of personal data in user profiles, and by the possible hijacking of profiles by unauthorized third parties.[105]

This lack of protection was fully evidenced by an experiment conducted at the end of 2008 by one of the journalists of the French magazine Le Tigre. The journalist was able to recreate a great part of the public and private life of an individual he had never encountered through the sole use of data found on Google. The extent of the information found was such that the CNIL decided to include the journalist’s article in its 2008 public report as a warning, without of course naming the individual.[106]

Finally, in a recent interview given to the French newspaper Le Monde, Isabelle Falque-Pierrotin, President of the CNIL, reminded citizens of the vital importance of personal data for large Internet companies and social networks and how committed they are to fighting for the continued use of such data. She stated that lobbying against new EU regulations on personal data protection by these groups is fierce, as “personal data are the fuel of the digital world.”[107]


VI. Pending Reforms

Following a 2007 Report on Private Life and Digital Memories prepared by the French Senate,[108] a draft law was prepared by a few Senators taking into account some of the report’s recommendations. The draft law was adopted by the Senate in March 2010.[109] The text, however, has never been reviewed by the National Assembly. If adopted by both chambers, the draft law would classify IP addresses as personal data. In addition, the use of a data protection officer would be mandatory where a public authority or private entity processes personal data and more than fifty persons have direct access to these data.[110]

The draft law seeks to rewrite parts of article 32 of the 1978 Law. This article deals with the information a data controller must provide to the data subject. The new article would first require the data controller to provide, before any processing takes place, “specific, clear and accessible” information regarding the length of storage of personal data and the data subject’s ability to exercise his rights of access, correction, or deletion by electronic means where the data controller has an Internet site. Second, it would mandate that the data controller have an Internet site to clearly and permanently post all the mandatory rights listed in article 32I (See Right to Be Informed, Section II(D), above, for a list of these rights). Finally, the article would reinforce the data controller’s notification obligation regarding cookies and the processing of data not collected directly from the data subject.[111]

The draft law would further clarify the obligation of data controllers to preserve data security and require that the CNIL be notified of security breaches. In addition, it would increase the sanctions power of the CNIL. The maximum fine would be increased to €600,000 instead of €300,000. Through this proposed change, the legislature hopes to encourage the CNIL to show greater firmness. It notes that the Spanish data protection agency imposed fines for a total amount of €22.6 million in 2008 while the CNIL, since its creation to the date of the parliamentary report, had only imposed fines totaling €520,400.[112]

Finally, the proposed measure would strengthen the “right to be forgotten” through several new provisions, while two additional provisions would guarantee better traceability of data transfers and make it easier for data subjects to object to the dissemination of their data by obligating a data controller to clearly and permanently list the data recipients or categories of data recipients on its Internet site, and providing data subjects with the possibility of gaining access to the origin of the personal data. Today only access to the data is provided.[113] The adoption by the EU of the new data protection regulation currently under consideration may, however, render this draft law obsolete.


Prepared by Nicole Atwill
Senior Foreign Law Specialist
June 2012

[1] Loi 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés (version consolidée au 27 août 2011) [Law 78-17 of January 6, 1978, on Information Technologies, Data Files and Civil Liberties (consolidated version as of Aug. 27, 2011)], LEGIFRANCE,, unofficial English version available on the CNIL website, at

[2] Id. art. 1.

[3] CELINE CASTETS-RENARD, DROIT DE L’INTERNET § 26 (Ed. Montchrestien, 2009).

[4] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995, on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31,

[5] Loi 2004-801 du 6 août 2004 relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel et modifiant la loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés [Law 2004-801 of August 6, 2004, on protection of natural persons with respect to the processing of personal data and amending Law 78-17 of January 6, 1978, on Information Technologies, Data Files and Civil Liberties], LEGIFRANCE,

[6] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201) 37,

[7] Décret 2007-451 du 25 mars 2007 modifiant le décret 2005-1309 du 20 octobre 2005 pris pour l'application de la loi 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, modifiée par la loi 2004-801 du 6 août 2004 [Decree 2007-451 amending decree 2005-1309 of October 20, 2005, implementing law 78-17 on Information Technologies, Data Files and Civil Liberties], LEGIFRANCE,

[8] Loi 2009-526 du 12 mai 2009 de simplification et de clarification du droit et d’allègement des procédures [Law 2009-526 on the simplification and clarification of the law and procedures], LEGIFRANCE,

[9] Loi organique 2010-704 du 28 juin 2010 relative au Conseil économique, social et environnemental [Organic Law 2010-704 of June 28, 2010, relating to the Economic, Social and Environmental Council], LEGIFRANCE,

[10] Loi 2011-334 du 29 mars 2011 relative au Défenseur des droits [Law 2011-334 of March 29, 2011 relating to the Defender of Rights], LEGIFRANCE,

[11] Ordonnance 2011-1012 du 24 août 2011 relative aux communications électroniques [Ordinance 2011-1012 of August 24, 2011, on Electronic Communications], LEGIFRANCE,

[12] Décret 85-1203 du 15 novembre 1985 portant publication de la convention pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel, faite à Strasbourg le 28/01/1981 [Decree 85-1203 of November 15, 1985, publishing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data signed in Strasbourg on January 28, 1981], LEGIFRANCE,

[13]  Internet-Téléphonie, Que dit la CNIL sur … [Internet-Telephone, What the CNIL is Saying …], CNIL, (last visited May 30, 2012) (scroll to Que dit la CNIL sur...).

[14]  See Smartphone and Privacy: Best Friends Forever?, CNIL (Jan. 3, 2012),

[15] Id.

[16] Ce que le “Paquet Télécom” change pour les cookies [What the Telecom Package Changes for Cookies], CNIL (Apr. 26, 2012),

[17] Loi 78-17 du 6 janvier 1978, supra note 1, art. 2.

[18] Id. (all translations in this report are by the author).

[19] Id. art. 5.

[20] Id.

[21]  Id. art. 2.

[22] CASTETS-RENARD, supra note 3, § 102.

[23] L’adresse IP est une donnée à caractère personnel pour l’ensemble des CNIL européennes [The IP Address is Personal Data for All the European Data Protection Agencies], CNIL (Aug. 2, 2007),

[24] Loi 78-17 du 6 janvier 1978, supra note 1, art. 7.



[27] Loi 78-17 du 6 janvier 1978, supra note 1, art. 32 I.

[28] Id. art. 32 II.

[29] Id. See also What the Telecoms Package Changes for Cookies, CNIL (Dec. 20, 2011),

[30] Loi 78-17 du 6 janvier 1978, supra note 1, art. 38.

[31] CASTETS-RENARD, supra note 3, § 108.

[32] Id.

[33] Loi 78-17 du 6 janvier 1978, supra note 1, art. 39.

[34] Id.

[35] Id. art. 41.

[36] Id. art. 40.

[37] Id. art. 6.

[38] Droit à l’oubli sur Internet: injonction de cesser le traitement et amende de 10,000 euros pour LEXEEK [The Right to be Forgotten on the Internet: Injunction to Cease Processing and a €10,000 Fine for LEXEEK], CNIL (Oct. 10, 2011),

[39] Loi 78-17 du 6 janvier 1978, supra note 1, art. 29(III)(1).

[40] Id. arts. 23, 24.

[41] Id.

[42] Id. art. 25.

[43] Id. arts. 8, 25.

[44] Id. art. 31.

[45] Id. art. 6.

[46] Id. art. 34.

[48] CNIL, ESPACE JEUNES, (last visited May 28, 2012).

[50] Safer Internet Programme: Empowering and Protecting Children Online, EUROPEAN COMMISSION, INFORMATION SOCIETY, (last visited May 28, 2012).

[51] INTERNET SANS CRAINTE, (last visited May 28, 2012).

[52] Id.


[54] Id. at 211, 212.

[55] Id. at 224–229.

[56] Id. at 234.

[57] Loi 78-17 du 6 janvier 1978, supra note 1, art. 68.

[58] Id. art. 31.

[59] Id. art. 69.

[60] CASTETS-RENARD, supra note 3, § 197.

[61] Id. § 199.

[62] Id.

[63] Le transfert des données à l’étranger [The Transfer of Personal Data to Other States], CNIL, (last visited on May 29, 2012).

[64] Loi 78-17 du 6 janvier 1978, supra note 1, arts. 45, 46.

[65] Id.

[66] Id.

[67] Id.

[68] Id. art. 47.

[69] Id.

[70] CNIL, Délibération No 2011-035 de la formation restreinte prononçant une sanction pécuniaire à l'encontre de la société GOOGLE Inc. [Deliberation Nº2011-035 of the Select Committee Imposing a Fine Against Google],

[71] Google Street View: CNIL Pronounces a Fine of 100,000 Euros, CNIL (Mar. 21, 2011),

[72] Id.

[73] Id.

[75] Id.

[77] Id. art. 1382.


[78] Directive 2006/24/EC on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks, 2006 O.J. (L 105) 54,


[80] Loi 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers [Law 2006-64 on Combating Terrorism and on Various Provisions Concerning Security and Borders Controls] art. 7, LEGIFRANCE,


[82] Id.

[83] Id.

[84] Décret 2006-358 du 24 mars 2006 relatif à la conservation des données des communications électroniques [Decree 2006-358 of March 24, 2006, on the Retention of Telecommunication Data], LEGIFRANCE,

[85] Id. art. 1.

[86] Loi 2009-669 du 12 juin 2009 favorisant la diffusion et la protection de la création sur internet [Law 2009-669 of June 12, 2009, on Favoring the Dissemination and the Protection of Creation on the Internet] art. 5, LEGIFRANCE,

[87] Id.

[88] Loi 78-17 du 6 janvier 1978, supra note 1, art. 11.

[90] Loi 78-17 du 6 janvier 1978, supra note 1, art. 13.

[91] Id. arts. 11, 12.

[92] Id. art. 11.

[93] Id. art. 44.

[94] Quel programme des contrôles pour 2012 [What is the Program of On-site Inspections for 2012], CNIL (Apr. 19, 2012),

[95] Loi 78-17 du 6 janvier 1978, supra note 1, art. 11.

[96] Id. art. 49.

[98] CASTETS-RENARD, supra note 3, § 101.

[99] CNIL, supra note 23.

[101] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54,

[102] Cour de Cassation [Cass.] crim., Arrêt 3530 du 16 juin 2009 (n° 08-88.560),

[103] Id.

[104] 71% des Français jugent la protection de la vie privée sur Internet insuffisante [71% of French People Find the Protection of Private Life Insufficient on Internet], CNIL (Oct. 13, 2008),


[106] Portrait Marc L. paru dans le volume 28 du Tigre (novembre-decembre 2008) [Portrait of Marc L. Published in Volume 28 of the Tigre (November-December)], in CNIL, 29E RAPPORT D’ACTIVITÉ 2008 at 123,

[107] Laure Bélot, Les données privées sont le carburant du numérique [Private Data is Digital Fuel], LEMONDE.FR (May 21, 2012), (last visited 05/29/2012).

[108] SENAT, RAPPORT DU SENAT 441, supra note 105.

[109] Proposition de loi visant à mieux garantir le droit à la vie privée à l'heure du numérique [Draft Law to Better Guarantee the Right to Privacy in the Digital Age] No. 93, Sénat Session Ordinaire de 2009–2010,

[110] Id. art. 3.

[111] Id. art. 6.

[112] Id. art. 12.

[113] Id. art. 8.




Last Updated: 12/30/2020