Paradoxically, while France was the first EU Member State to adopt a data protection act, it is one of the latest EU countries to adapt to GDPR, well behind Germany and Austria.
One important characteristic of the GDPR, which is often underestimated, is that the EU Member States are free to adapt some of the GDPR provisions called “Opening clauses”, such as children’s age of consent for access to internet services. France decided to set the age for children to give their consent independently at 15 years old; for children below 15 years old, consent must be obtained from a parent. Other countries made different choices: Germany kept the age of consent to 16 years old, while Ireland, Poland and Spain chose to lower the age of consent to 13 years old. According to other “opening clauses”, EU Member States were also allowed to impose additional conditions for special categories of personal data, in particular health data.
A major change brought about by the new law is that data controllers no longer have to file declarations with CNIL (the French Data Protection Authority). The GDPR philosophy is to make controllers more accountable. Thus, they will have to maintain a record of processing.
This new law also provides the ability for data protection organizations to exercise “group actions” and claim damages when the privacy rights of individuals are violated. The GDPR did not require member states to create this kind of recourse. In France, there was already the ability to exercise group actions, but without any possibility to claim damages. (These French “group actions” are specific and quite different from US style class actions.)
The law as voted may not yet be final, since a few senators have expressed the view that certain provisions of the law are contrary to the French Constitution and threatened to file a recourse before the Constitutional Council. As a consequence, France may fail to finalize its changes before the GDPR goes into effect on May 25.