Even though the GDPR has been adopted in April and will be applicable from May 2018, France has amended the French Data Protection Act with two laws (Loi n° 2016-1321 du 7 octobre 2016 and LOI n° 2016-1547 du 18 novembre 2016) to enable the Cnil (French Data Protection Authority) to:
serve fines of up to 3 million euros;
allow organisations to start class action;
reinforce the right to be forgotten for young people;
give rights and more control to deceased person and their heirs over their personal data.
The new amount of 3 million euros is ten times the amount of the fine the Cnil could serve until now (300 000 euros). This is a massive change in the current data protection act and will surely give some clues on as to how strictly the Cnil will apply the GDPR.
So far and except Google cases, sanctions have rarely exceeded 10 000 euros. From now on and given the new scale of fine, it will be interesting to see how high the new fine will be especially when it comes to serving fines to big companies such as the ones of the GAFA (e.g. Google, Facebook)
Class action is also possible since november 18 but it will be more restrictive than it is in the US where class actions may be systematic and easy to start. Union, privacy organisations and authorised consumer organisations will be the only one allowed to start proceeding.
Furthermore, right to be forgotten for young people is reinforced as they are given the right to ask for their information to be deleted if it was collected when they were under 18.
New rights and more control for deceased persons and their heirs over the deceased personal data. Deceased persons may now give directions on how their data should be handled once they pass away. Their heirs have a right to access the deceased information where necessary for probate purpose and where no directions were given by the deceased, they may ask for any of the deceased account to be shut down (e.g. Facebook account etc.)
This post is also available in fr_FR.