French Presidential Candidates Seek Tougher Data Privacy

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

It is unclear how the two candidates vying to lead France would implement the data privacy issues included in their campaign platforms.

French presidential candidate Emmanuel Macron has said he would seek to renegotiate a crucial European Union-U.S. data transfer agreement. The other candidate, Marine Le Pen, has vowed to require that companies store French personal data within the country. Beyond that, the campaigns have said little about privacy and data security issues.

Multinationals doing business in France may not be able to glean much from the candidates’ campaign platform pledges about what to expect in terms of government privacy and data security policy or enforcement priorities from whomever wins the election.

In their online campaign documents, independent candidate Macron—former minister of economy, industry and the digital economy under President Francois Hollande—offers more detailed proposals on data protection than Le Pen, the National Front candidate, Gabriel Voisin, an international privacy and data protection partner at Bird & Bird LLP in London, told Bloomberg BNA May 5.

“Macron has more ideas on the subject, thanks to having Mounir Mahjoubi as his campaign’s digital adviser,” Voisin said. Mahjoubi is a former head of the French National Digital Council, a government advisory body on digital issues.

Yann Padova, former secretary-general of France’s data protection authority (CNIL), told Bloomberg BNA May 5 that Macron likely wouldn’t bring a “drastic change from what’s going on right now” in regard to privacy and security priorities.

According to Voisin, neither candidate has addressed the EU’s new privacy regime under the General Data Protection Regulation, which is set to take effect in May 2018.

Data Transfers to U.S

Macron has proposed renegotiating the EU-U.S. Privacy Shield data transfer framework in 2018, but France can’t do that on its own, Voisin said. Macron would to have wait for the first-year review of the agreement in September and then convince the European Commission, the EU’s executive arm, to seek a renegotiation, he said.

The Privacy Shield allows U.S. companies that certify their compliance with EU-approved privacy and security principles to transfer personal data from the EU to the U.S. Over 2,000 U.S. companies are certified under the scheme, including Facebook Inc., Alphabet Inc.’s Google and Microsoft Corp. Tens of thousands of EU companies also rely on the program to legally transfer data to certified U.S. companies.

Padova said that Macron wants to seek a “higher standard of data protection” under the Privacy Shield. That would put Macron in line with the official advisory group of privacy officials from the 28 EU countries and the European Parliament, which have said the pact is insufficient to ensure that data transferred to the U.S. is safe from government surveillance.

In-Country Data Storage

Le Pen’s platform states her support for requiring companies to store French citizens’ electronic personal data on servers within the country, a policy known as data localization. Such a requirement would be burdensome for many companies, including cloud service providers that store data outside of France, Padova said.

“It is technically possible to do, but it would cost a lot,” he said.

Le Pen’s platform says she would seek a constitutional amendment to protect personal privacy but provides no details.

The “absence of further details makes it hard to understand what it could entail,” Voisin said.

To contact the reporter on this story: Rick Mitchell in Paris at correspondents@bna.com

To contact the editor responsible for this story: Donald Aplin in Washington at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security