The newly adopted French data protection law is already being challenged by Senators who requested a constitutional review the day after the new law’s adoption.
This had been announced: at least 60 Senators have referred the new French data protection law to the French Constitutional Council.
Despite the accelerated procedure initiated by the Government in December 2017, it is unlikely that the law will be promulgated in time for the entry into application of the EU General Data Protection Regulation (GDPR) on May 25, as the constitutional watchdog has up to one month to rule on this issue (which could be reduced to 8 days upon the Government’s request if it considers the matter urgent).
Of course, this (expected) setback will not prevent the GDPR from applying in France as of May 25, as a result of the direct applicability of EU regulations (unlike EU directives, regulations apply across all member states without the need for each country to transpose them into national law).
What’s going to happen on May 25 if the law is not promulgated on time?
- GDPR or French law? The legal framework in France will not be aligned with the GDPR, which could create uncertainty for businesses operating in France. What rules should you follow: the existing French legal framework, the GDPR or both? Both should apply to the extent that the provisions are supplementary, but in case of contradiction, the GDPR should prevail as it is of higher normative value. And the CNIL is unlikely to blame you for complying with GDPR requirements anyway.
In any case, since the principles and rationale underpinning both sets of rules are very close, the risk of contradiction should be rather limited. Of course, some elements need to be repealed or fleshed out in the French law to be aligned with the GDPR, but there are no fundamental contradictions between the two.
- Formalities or no formalities? As you know, the GDPR marks the end of prior formalities (bar a few exceptions, in particular with respect to the processing of health data, which will continue to be subject either to a declaration of conformity to specific requirements defined by the CNIL or to a CNIL authorization). But until the promulgation of the law, these filing requirements remain in theory applicable in France. In practice, however, the CNIL has informed the public that it will not be able to process in due time all the filings already received and suggested that data controllers focus their action on implementing GDPR compliance measures and conducting DPIAs where necessary, instead of making filings (or updating existing filings) that will eventually disappear. One thing less to worry about!
- What about sanctions? The CNIL will be in a difficult position, as it will not be properly equipped to enforce the GDPR and cooperate with its EU counterparts in case of cross-border proceedings. So while this may actually give you a little respite to carry on with your GDPR compliance program, you need to remain cautious since the CNIL has already communicated on its website that it will continue to carry out its investigations as usual on the basis of all the requirements that already existed before the GDPR.
What to expect from this constitutional review?
It is hard to tell for now as the details of the referral are not known yet (the referral will be published at the same time as the Constitutional Council’s decision, or before if the Senators who initiated the referral decide to make it public). But the disagreements between the Senate and the National Assembly were numerous, so many provisions could have been challenged by the Senators.
In any case, there are 3 possible outcomes:
- The Constitutional Council declares the law constitutional and it can be promulgated as is;
- It declares the law unconstitutional in its entirety and the law cannot be promulgated, in which case the whole legislative process would have been for nothing (that’s very unlikely to happen);
- It finds that certain provisions only are unconstitutional, in which case the law can be promulgated without the provisions concerned.
At the end of the day, the operational impacts of this event will be rather limited, but it certainly sends a confusing signal to the market: if even EU Member States cannot get ready on time, why should we? However, you can turn this into an opportunity to convey a marketing message: because it’s right, and your customers will be happy to know that you are indeed taking their privacy seriously, so carry on no matter what!
And to businesses in other parts of the world, who may get acquainted with EU data protection laws (thanks to the GDPR’s broad extra-territorial reach!): be patient. It may look very confusing (and scary) at the moment, with most EU countries not ready yet, but harmonization will eventually be achieved and you will have an incredible playground in Europe.