Privacy & Cybersecurity Law Blog

A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011.  The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.

Pursuant to the Law, the CNIL’s investigative and sanction powers are separated such that only the restricted committee (la formation restreinte) has the power to impose sanctions, and the CNIL’s Chairman and Vice-Chairmen will no longer serve as members of the restricted committee.  The Law further provides that holding the position of Chairman of the CNIL is incompatible with any professional activity, elected mandate or other public service, as well as any direct or indirect involvement in a company in the electronic communications or technology sector.  This provision enters into force on September 1, 2012, at which time a new CNIL Chairman will be elected.

The Law also strengthens the deterrent effect of the CNIL’s sanctions by explicitly authorizing the CNIL’s restricted committee to publish its sanctions against data controllers.  In the event of a violation of the Data Protection Act, the CNIL’s Chairman may request that the Executive Committee (composed of the Chairman and two Vice-Chairmen) publish the Chairman’s formal notice to the data controller identifying the breach and mandating compliance with the Law.