France has once again taken a proactive approach towards personal data, passing a new bill that will adopt several of the provisions in the GDPR ahead of it coming in Europe-wide in 2018.
A new bill for a ‘digital republic’ was passed by the French National Assembly in January and is expected to be adopted later this year.
The bill, which will amend parts of the French Data Protection Act and the Consumers Code, includes the general right for consumers to retrieve their data partially or entirely and rights over that data, as well as the right to be forgotten.
Aside from demonstrating an enlightened view about the importance of personal data privacy and protection, the sanction powers given to the French Data Protection Authority (CNIL) give it significant teeth to punish breaches.
In a significant hike to its current punitive powers, the CNIL will be able to authorise fines up to EUR 20,000,000 or 4% of a company’s global turnover (whichever is higher) if a data controller fails to comply with the Data Protection Act.
So what does this mean for businesses based elsewhere in Europe, or simply dealing with European clients? Quite simply that they can’t assume they have the two-year grace period many had expected before the GDPR becomes law, and need to start becoming compliant asap.
This is especially relevant for businesses, international or otherwise, that rely heavily on the sale or trade of third party data as they are going to see their current business model destroyed under the new legislation, which provides a range of measures giving individuals greater control over the sharing of their personal data.
And France’s move – which other countries may well follow – is proof once again that innovation never stands still, and those who wait to act face being caught out and penalised heavily for not being at the vanguard of change.