Global Data and Cyber Handbook

France

Select a Topic
Start Comparison
Data localization and regulation of non-personal data
Jump to
Data localization and regulation of non-personal data Start Comparison
Are there data localization/data residency or other types of laws that may require the retention and storage of data in the local jurisdiction, or prohibit the transfer of data out of the jurisdiction?

Last review date: January 2025

Yes.

☒       Data localization / data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

There are several French law provisions that mandate the retention of data and documents in France that may include personal data. Article L.111-7 of the French Heritage Code provides that national treasures must be kept and stored on French territory and can only be exported outside of France temporarily, upon prior authorization of the French Ministry of Culture.

In addition, public archives should also be retained in France. Pursuant to article L.211-4 of the French Heritage Code, public archives are:

  • documents resulting from the activity of the State, local authorities, public institutions, and other public entities.
  • documents resulting from the conduct of public services or the exercises of public services missions by private entities.
  • the registers of public or ministerial officials and the notarial registers of civil unions.

According to article L.111-1 of the same Code, certain public archives are considered to be "national treasures" and may still include personal data if they are of historical or scientifical relevance. Consequently, the French Heritage Code provides that national treasures must be kept and stored on French territory and can only be exported outside of France temporarily, upon prior authorization of the French Ministry of Culture.

The CNIL published a guide on the obligation to make available to the public and re-use public data in October 2019, following the entry in force of the "Open Data Directive" (Directive (EU) 2019/1024) (here). This guide specifies that the national treasures are not subject to the publication obligation.

In the light of the above, public data must be stored and processed in data centers located in France, the management of which must also be carried out in France.

A Senate-appointed commission of inquiry has published, on 1 October 2019, a report on the need to improve digital sovereignty in which the commission calls for the identification of cases where the obligation to localize the data within the French borders could be legitimate regarding the insurance of public safety.

☒        Other laws that may require the retention and storage of personal data (including, for example, where such data is part of another type of record or dataset) in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction:

☒        anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation

☒        tax or financial record laws

 

Pursuant to tax law: paper invoices must be stored on French territory, located in a place immediately accessible to any request from the French tax administration (BOFiP-CF-COM-10-10-30-10-30-10-§ 310-28/05/2014)

The French Blocking Statute of 1968 (law n° 68-678 relating to the communication of documents and information of an economic, commercial, industrial, financial or technical nature to foreign natural or legal persons), reinforced in 1980, prevents, "subject to international treaties or agreements", French citizens and residents in France, as well as managers of companies (or other legal persons) having their headquarters or an establishment in France, from communicating "to foreign public authorities, documents or information of an economic, commercial, industrial, financial or technical nature, the communication of which is likely to affect the sovereignty, security, essential economic interests of France or public order." Since 1 April 2022, French companies receiving foreign requests for documents or information potentially covered by the Blocking Statute will now have to report without delay to a French government body known as the Strategic Information and Economic Security Service ("SISSE"). On 16 March 2022, the SISSE published a guide to help companies determine what information may fall within the scope of the Blocking Statute.

Does law or regulation impose mandatory requirements to share or make accessible non-personal data?

Last review date: January 2025

         Obligation for public sector organizations to share or make accessible non-personal data

         Obligation for private organizations to share or make accessible data generated by connected or "IoT" devices 

         Obligation for private organizations to share or make accessible other non-personal data

What specific obligations do these data-sharing rules impose on private organizations?

Last review date: January 2025

☒         Obligation to share data on request

☒         Obligation to (re)design products or services to facilitate data accessibility

☒         Obligation to standardize products or services to facilitate data portability or interoperability

{{ $store.state.loadingScreen.message }} ...