“The (Digital) Republic (Law) proclaims rights and sets duties”. V. Hugo

November 10th 2016

The law no.2016-1321 of October 7, 2016 for a digital Republic, called “The Digital Republic Law” was published in the Official Journal on October 8, 2016.

Here is a synopsis of the new legislation with an impact on companies.

The setup of a system for the web users’ data portability

The Digital Republic Law, in its Articles 48 onwards, is set as an “application” law of Article 20 of the (EU) Regulation 2016/679 of April 27, 2016 on personal data protection (click here for our article on this topic) and inserts provisions into the French Consumer Code related to “data portability”.

The text obliges companies to setup a mechanism enabling the consumer to be able to “recuperate” all his data, including the files posted online by the consumer, except for “significantly reformulated” data, with such term to be specified by decree.

The deadline for companies to comply is May 25, 2018, date of entry into force of these provisions.

Protection of minors

The Digital Republic Law strengthens the protection of minors by stipulating that the information directed at minors must also be sent to the persons exercising parental authority, who may exercise the rights (of access, rectification, portability, etc.) of the minor in question.

The adult may also contact the data controller for his personal data collected when he was a minor in order to have it removed by the latter and by any prospective recipient thereof.

The companies must comply when met with a request for right to oblivion exercised by an adult concerning actions taken when he was a minor.

These legal provisions are a first stage before the application of the aforementioned European Regulation in 2018 which shall extend the application of the right to oblivion to all categories (under certain conditions).

The consolidation of web users’ information concerning the retention period of their data

In accordance with the (EU) Regulation 2016/679 of April 27, 2016 on data protection, the Digital Republic Law sets forth that the person whose personal data is collected, is provided with information on the “retention period” of said data or if this is not possible, the criteria used to define this period.

The drafting of a “Privacy Charter” is all the more necessary in order to comply with this legal obligation and, more generally, with the obligation to provided candid and intelligible information for data processing in accordance with the Law no. 78-17 of January 6, 1978 relating to IT, files and liberties, called “IT and Liberties”, in particular concerning:

1. the data controller’s identity,
2. the purpose of the data processing,
3. whether replies are obligatory or voluntary,
4. the consequences if no response is given,
5. the data recipients or recipient categories,
6. the right of access, rectification, withdrawal, as the case may be, on legitimate grounds,
7. the right to define guidelines for the use of personal data upon demise (see below),
8. intended personal data transfer to a non-member State of the European Community,
9. the period of retention for the categories of the processed data or, if this is not possible, the criteria used to define such period.

Guidance for digital demise

The legislator has focused on digital demise and has strengthened the powers of the CNIL in this regard.

Any person may define guidelines for the retention, withdrawal and communication of his personal data with the data controllers, and such guidelines may also be registered with “a reliable third-party for digital data” certified by the CNIL”.

These guidelines, or type of “digital will”, may appoint a person in charge of its execution; failing that, the heirs shall be appointed.

In the absence of any guidelines, the heirs may contact the data controllers in order to:

  • access data processing for “the organization and settlement of the deceased’s succession”;
  • ​​receive the communication of “digital assets” or “data that is a part of family memories, transmissible to the heirs”;
  • close down the deceased’s user accounts and prevent the continuation of data processing regarding the deceased, unless the data controller can prove the necessity for such continuation.

Generally, any provider of an online communication service to the public shall inform the user of the use that shall be made of his data upon his demise and shall enable him to decide whether he wishes to communicate his data or not to an appointed third party.

The reliability of platforms and consumer information

a)    The general context

The legislator has consolidated the provisions stipulated under the Macron law of August 2015 on the intermediation platforms, by creating the “online platform operator” status defined as follows:

Any individual or legal entity proposing an online communication service to the public, on a professional basis, whether or not in consideration for remuneration, based on:

“1° The ranking or listing of content, assets or services offered or posted online by third parties, on computer based algorithms;

“2° Or the liaison of several parties for the sale of an asset, the provision of a service or the exchange or share of content, an asset or a service.”

This online platform operator is bound to provide the consumer with reliable, candid and genuine information, in particular based on its General Terms and Conditions of Use (GTCs), on:

the means for listing, ranking and delisting content, goods or services accessible through its service;

the existence of a contractual relation, equity-based relation or remuneration for benefit, insofar as they have an impact on the ranking or listing of content, online;

the advertiser’s capacity and the parties rights and obligations for civil and tax issues.

An enforcement decree is expected to specify the conditions for the application of these obligations by taking into account, in particular the nature of the activity of the online platform operators.

Beside these general obligations, specific obligations are likely to be applied to certain operators.

b)    The specific context relating to intermediation platforms for accommodation

Nowadays, any municipality may stipulate that the short term lease of furnished premises be subject to i) a prior declaration (this has already been applied) and ii) an administrative registration with the municipality.

These provisions have a direct impact on any person who carries out or participates in the letting of furnished premises online, in return for remuneration, and who is compelled to publish the declaration number in the announcement for the premises, which may, as the case maybe, have been stipulated by the municipality where the premises are located.

The operator must also ensure that the accommodation is not leased for more than 120 days per year.

c)     The specific context relating to opinion posting websites

The websites that post opinions online derived from consumers are obliged to provide reliable, candid and genuine information, on the means for posting and processing online opinions, by specifying in particular:

  1. Whether these opinions are subject to a control, and if so, which one;
  2. The date of the opinion and any updates.

These websites must also justify the refusal for the online posting of an advertisement and enable professionals to notify a doubtful opinion, as long as this can be substantiated.

Any online platform operator under this law must amend its GTCs and modify the presentation of its website in order to meet these new public policy legal requirements, under penalty of a fine which may not exceed 375,000 euros for a legal entity.

The recognition of the right to secrecy for digital correspondence

Assuming that the current Articles of the French Criminal Code concerning the secrecy of correspondence were not precise enough, the Digital Republic Law has stipulated that this right applies to private email correspondence.

The operators and Internet access providers must guarantee the secrecy of correspondence.

More particularly, “the automated analysis processing, for advertising purposes, statistics or for improving the user’s services, the content of online correspondence, the identity of correspondents as well, as the case may be, as of the title or documents attached (…) is prohibited, unless the user provides his express consent over a period fixed by regulation, for a maximum period of one year. The consent is given for each processing”.

Class action for personal data

In addition to the Digital Republic Law, the Members of Parliament have also voted for the Law to promote Justice in the 21st century, which created a class action that may be initiated before the civil or administrative judge, with the sole objective of ceasing an infringement of a personal data right by a data controller.

This action, which does not enable any compensation for damages, is moreover restricted to certain associations or trade unions subject to restrictive conditions.

An access to public data

Finally, the Digital Republic Law establishes a principle for a reinforced access to certain documents and data from administrations and other public establishments, such as, for example, the maximum authorized speed on motorways, energy consumption data, the real estate values declared upon property sales, etc.

This provision has created new opportunities for companies, whether in terms of data analysis or for posting data on their website.

Jérôme Sujkowski