CNIL Says French Consumer Law Brings Its Inspection Powers ‘Into the Digital Age'

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell  

March 19 --France has published a broad new consumer protection law that, among other things, modifies the country's 1978 data protection act to give the data protection authority (CNIL) the power to conduct online inspections, the CNIL said in a March 18 statement.

This brings French data protection “into the digital age,” the Paris-based authority said.

The French government March 18 published the Hamon Consumer Law (Law No. 2014-344 of March 17, 2014), which, among other things, updates the consumer code to take the Internet economy into account.

Grants Online Audits Authority

In its statement, the CNIL said that France's framework data protection statute, the 1978 Law on Information Technology and Liberties (78-17 of 1978), empowered it to conduct on-site inspections, obtain documents and files on request and hold hearings at its headquarters, but not to conduct online audits.

The authority said the new law updates the 1978 law to give the DPA the ability to conduct inspections through the Internet.

This will enable the CNIL to rapidly detect and react to data breaches on the Internet and to verify that information contained in online forms or methods that online advertisers use to obtain users' prior consent comply with the 1978 law, the authority said.

“This new provision opens up the CNIL's enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies,” Olivier Proust, of counsel at Field Fisher Waterhouse in Brussels, said in a March 18 blog post.

Most Audits On-Site

Most of the 444 audits the CNIL conducted in 2013 to verify that companies and other organizations that process personal data comply with the law were on-site, the authority said. During such audits, CNIL inspectors can access servers, computers, programs and other equipment where files are stored.

The 1978 law also empowered the CNIL to conduct audits based on documents or files it obtains by written request and to hold hearings on its own premises to gather information from data controllers or their representatives.

The new law modifies the 1978 law to allow the CNIL to use a computer connected to the Internet to look for infractions. These infractions will be reported on an official form to the audited companies or organizations and will be enforceable, it said.

“This modification creates the legal conditions that allow adapting the CNIL's investigatory powers to the digital economy,” the CNIL said. “It gives it the opportunity to be more effective and reactive in a context that is constantly changing.”

However, the CNIL will be able to access only data that are freely accessible or made accessible online. The law “of course does not give the CNIL the power to hack companies' IT systems in order to access information on them,” the authority said.

“This new provision opens up the CNIL's enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies.”  


Olivier Proust, Of Counsel,
Field Fisher Waterhouse

In France, laws typically take effect on publication, but most laws also require application decrees to update the legal codes. The new law has different measures that will require separate decrees.

Credit Database Rejected

The French Parliament adopted the consumer law Feb. 13, after which a group of opposition lawmakers challenged it on constitutional grounds. The Constitutional Council March 13 approved the majority of measures in the law, in particular a mechanism giving certain advocacy groups the ability to launch collective actions on behalf of consumers in civil courts.

However, the council, which vets the constitutionality of laws passed by Parliament, rejected a measure in the law that would have created a national database to track citizens' use of credit, aimed at preventing high levels of indebtedness.

The council said the database would have collected the personal data of more than 12 million people, storing those data for several years and allowing many types of access by potentially many thousands of officials at banks and other credit establishments.

Because the database lacked sufficient guarantees that personal data would be protected, it wouldn't serve a purpose that merited the risks it creates, the council said.


To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Katie W. Johnson at

The published text of the Hamon Consumer Law is available at The Constitutional Council's decision is available at

Request Bloomberg Law Privacy and Data Security