Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

Last review date: January 2025

☒ omnibus – all personal data

☒ sector-specific — e.g., financial institutions, governmental bodies

☒ constitutional

What are the key data privacy laws and regulations?

Last review date: January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

  • EU General Data Protection Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR")
  • Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ("ePrivacy Directive")
  • Data Protection Act n° 78-17 of 6 January 1978, as modified by Act n° 2018-493, by Order n° 2018-1125 of 12 December 2018 and by Law n° 2022-52 of 24 January 2022 (together, the "Data Protection Act")
  • Law on Confidence in the Digital Economy, n° 2004-575 of 21 June 2004 ("LCEN")
  • Decree n° 2005-1309 of 20 October 2005 as modified by Decree n° 2018-687 of 1 August 2018 and by Decree 2019-536 of 29 May 2019, available here
  • Digital Republic Act n° 2016-1321 of 7 October 2016, as modified, available here
  • Decree n° 2018-1117 of 10 December 2018 on administrative documents that may be made available to the public without anonymization, available here
  • Decree n° 2019-536 of 29 May 2019 taken for the application of the Data Protection Act n° 78-17 of 6 January 1978, available here
  • Decree n° 2021-1362 of 20 October 2021 on the retention and communication of data identifying any person who has contributed to the creation of online content, available here
  • French Act No. 2022-52 of 24 January 2022 on criminal liability and internal security[1], available here
  • Law No. 2024-449 of 21 May 2024 aiming to secure and regulate the digital space ("SREN Law") (available here). The SREN Law covers several legal areas, including privacy, cybersecurity and non-personal data. It modifies, inter alia, the Data Protection Act, and transposes several provisions of the EU Digital Services Act, the EU Data Governance Act and the EU Data Act (with several provisions entering into force retroactively on 17 February 2024).

[1] This act introduced a new CNIL sanction mechanism through a new article 22-1 inserted into the existing Data Protection Act, in response to the increase in the number of complaints received by the CNIL. This provision modifies the powers of the Chairman of the "restricted panel" ("formation restreinte") for cases considered to be of minor concern. The Chairman is able to rule alone and to take three types of measures: (1) order the production of the requested elements where a previous formal notice has gone unanswered, (2) impose a penalty payment of EUR 100 per day of delay, and (3) impose an administrative fine of up to EUR 20,000.

What are the key cybersecurity laws and regulations?

Last review date: January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

  • Military Programming Act n° 2013-1168 of 18 December 2013 ("French Defense Code"), available here
  • French Act No. 2018-133 of 26 August 2018 adapting French law to the NIS Directive in the field of security, available here
  • Decree No. 2018-384 of 23 May 2018 and Order of 13 June 2018, both taken for the application of French Act No. 2018-133, available here and here
  • French Act No. 2022-309 of 3 March 2022 for the introduction of cybersecurity certification of digital platforms for the general public, available here
  • Decree No. 2022-513 of 8 April 2022 relating to the digital security of the information and communication systems of the State and public entities, available here
  • Prime Minister's guidelines No. 6282 of 5 July 2021, available here
  • French cybersecurity framework for cloud ("SecNumCloud"), available here
  • French Orientation and Programming Act n° 2023-22 of 24 January 2023 for the Ministry of the Interior, introducing a new article into the Insurance Code, available here.
  • Order of 17 April 2023 setting out the security rules and reporting procedures for vitally important information systems and for security incidents relating to the vitally important sub-sector of "healthcare establishments", issued pursuant to articles R. 1332-41-1, R. 1332-41-2 and R. 1332-41-10 of the French Defense Code, available here.
  • Draft law of 15 October 2024 on critical infrastructure resilience and enhancing cybersecurity, aiming to transpose the EU NIS 2 Directive (available here).

What are the key laws and regulations relating to non-personal data?

Last review date: January 2025

The SREN Law (available here). Under the SREN Law, the CNIL is designated as the competent authority in matters of "data altruism". The CNIL is given new monitoring and investigative powers, such as the power to seize documents under judicial supervision and to record interview responses. It can also impose corrective measures, including fines, similar to those provided for in the Data Protection Act.

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: January 2025

Data privacy

Recently, France enacted Law n° 2023-451 (available here), which regulates the commercial activity of influencers on social networks. An "influencer" is a person (individual or legal entity) who uses their reputation with their audience to communicate content to the public by electronic means in order to promote, directly or indirectly, goods, services or any cause whatsoever, in return for compensation. This law notably creates new obligations and sanctions for influencers and for other stakeholders such as service providers or platforms. The government is currently working on a new bill that will modify the law, inter alia to anticipate compliance with the Digital Services Act.

From a French perspective, the SREN Law contains provisions related to the interoperability obligation between cloud service providers.

Cybersecurity

A new draft law dated 15 October 2024 on critical infrastructure resilience and enhancing cybersecurity, aiming to transpose the EU NIS 2 Directive (available here), is currently being discussed in the French Parliament.

Data Security

  • On 7 July 2023, the CNIL published a Recommendation regarding the "use of APIs for secure sharing of personal data" (available here). It covers all categories of applications used by organizations to share personal data. The CNIL specifies the applicable measures that must be carried out, such as a data protection impact assessment, and provides a few concrete use cases to put these recommendations into practice.
  • The framework for health data hosting ("HDH"), the legal regime of which is set out in Article L. 1111-8 of the French Code of Public Health, has been restructured. The CNIL recently approved the new conditions to be met to become HDH-certified, and the draft decrees implementing the certification process are expected to be published soon (available here).
  • The scheme enacted by French Act No. 2022-309 of 3 March 2022 for the introduction of cybersecurity certification of digital platforms for the general public will enter into force on 1 October 2023. A decree will list the platforms, social networks and videoconferencing sites concerned (according to the importance of their activity), and a decree will specify the criteria to be taken into account by the security audit. The publication dates of these texts are not yet known; the implementing decree and the order specifying its terms and conditions are awaiting publication.
  • French Law n° 2023-703 of 1 August 2023 on military programming for the years 2024 to 2030 gives new competences to ANSSI in the domain of information systems security, available here.
  • On 9 February 2024, the CNIL issued formal notices to a number of healthcare establishments requiring them to take measures to ensure the security of their computerized patient files, reminding them that patient data should only be accessible to those with a justified need to know (link here).
  • On 24 September 2024, the CNIL published Guidelines relating to mobile applications (link here). They specify the obligations applicable to each stakeholder operating in the field of mobile applications (application publishers, application developers, software development kit suppliers, operating system suppliers and application store providers). These guidelines aim to determine whether the GDPR is applicable and, if so, how it applies to each actor.