New bill on the protection of personal data

On December 13, 2017, a new draft of the law relating to computers, files and civil liberty (Law 78-17 of 6 January 1978, commonly referred to in France as LIL) was published and is currently under review by the French Parliamant.

It aims to bring French law into accordance with the new General Data Protection Regulation (GDPR EU-2016/679) , as well as the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

The purpose of our article is to present the potential impact of this new law on data access for scientific research. The author does not claim to have legal qualifications and will, therefore, leave their remarks to the discretion of more expert jurists.

Access to data for scientific research

In Article 5.1 (b), the GDPR states the following: data collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’); further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered in accordance with Article 89 (1) as incompatible with the original purposes (purpose limitation). Due to this, Article 6 of the LIL has not been changed, which we consider to be very positive.

Archiving data for research: Better awareness needed

General principle

The general principle, already established in Article 36 of the LIL authorizing the archiving of data beyond the required retention period by the CNIL, is preserved to a large extent, including those containing the NIR (French Social Security Number).

This principle is also present in the GDPR in Article 5.1 (e): kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).

The encryption of the NIR will keep the concerned data for many years, thus opening up possibilities for making unprecedented retrospective matches.

The NIR Haché (Article 22 and 27 modified by Article 9)

The current version of the LIL, in the process of being modified, specified that the use of an NIR Haché (a new number derived from the NIR after irreversible encryption) for matchings were exempted from the need of a decree in Council of State, yet required strict processes for :

  • declarations for public statistics (without sensitive data in Article 8.1 and 9)
  • applications for authorization for research purposes

These provisions are largely retained in the bill currently being adopted ; the research process is in line with that of public statistics which will improve the readability for researchers of the steps to be carried out.

These provisions are collated in the new version of Article 22 of the amended LIL, which will be wholly dedicated to the subject of the NIR (although it is referred to in other articles, in particular Article 55 for health data).

Sensitive data for research purposes (Article 8 amended by Article 7)

Access to sensitive data for researchers and public statistics is an important issue for statistical surveys, studies or research.

For public statistics, this provision is retained in the draft law and provides for the possibility of a waiver after consultation with the CNIS.

However, such an exemption is not provided for in the amended Article 8 of the LIL, with regard to scientific research, even though it would be necessary. In its absence, files produced by public statistics cannot be reused for research purposes In contrast, the GDPR in its article 9.2 j) indicates precisely that such treatments should be possible.

There is a legal point to clarify whether exemptions from the GDPR outweigh a national list of exemptions, when this is established.

Research using Justice Data

The amended Article 9 of the LIL does not provide for exemptions for judicial data processed for the purposes of scientific research. Regardless, access to crime data remains a major scientific issue and is the subject of recurring requests for access by researchers.

It should be noted, however, that researchers requesting access to personal databases have no interest in revealing aspects of the private life of each of the persons concerned ; it is the exploitation of the whole of the information contained in the database that interests them. It is easy to understand that access to the database must be accompanied by precautions designed to prevent any dissemination of personal information, whether accidentally or intentionally. These precautions are all the more necessary as the information contained in the administrative databases is very sensitive.

There is, nevertheless, a distinction to be made between the raw and therefore nominative data on one side, and the data for the production of statistics and research on the other, which are not nominative and can be directly made available to researchers.

While the raw data in certain cases requires special attention from judicial services before they are made available for research, data for statistical production are already adapted to ensure security for research, which has been the case for tax and health data.

The GDPR is open regarding this access, particularly in Article 10, which specifies that treatment is possible, if the law of the Member State so allows.

Express consent for health data research

The amended Article 57 indicates that in cases where the research requires the collection of identifiable biological samples, the informed and express consent of the persons concerned must be obtained prior to the implementation of the data processing. This seems a priori to significantly reduce the potential for research that can be done in the field of health. There is no mention of the restriction described in II (2) of amended Article 8 that states “but to which the data subject can not give his consent as a result of a legal incapacity or material impossibility”, which would have been useful for certains forms of research.

Transitory Measures for previously established authorizations

Clause 22 of the bill suggests, without being perfectly clear on this point, that there may be extended validity for traditional authorizations for a publication period of 10 years.
Article 22 of the draft law states “for the treatment that has been the subject of formalities prior to the entry into force of this law, the list mentioned in article 31 of the aforementioned law n ° 78-17, this date, is made available to the public, in an open format and easily reusable for a period of ten years. “