A Bill containing several amendments to the French Data Protection Act was adopted by the French National Assembly. If enacted, the Bill would amend several key provisions of the French Data Protection Act. The Bill increases the deterrent effect of the CNIL’s sanctions by explicitly authorizing the CNIL to publish the sanctions it imposes on data controllers.
The State Council ruled that data controllers must be given advance notice of their right to object to an on-site inspection by the CNIL. The State Council also ruled that the CNIL may not conduct surprise inspections without notifying the data controller or obtaining the prior approval of a judge. Further to these rulings, the Bill adds a new provision to the Data Protection Act which would require the CNIL to obtain a court order to conduct an on-site inspection if the relevant data controller objects to such inspection. However, under exigent circumstances (if, for example, there is risk that the data controller might destroy or conceal evidence), a judge may authorize a surprise inspection without advance notice to the data controller.
The Bill also reduces the Chairman’s powers by limiting his involvement in the decision-making process with respect to investigations and sanctions. The power to impose sanctions would lie entirely in the hands of the CNIL’s “restricted committee” (la formation restreinte).