Law 1.353: a major evolution in the protection of personal data in the Principality

BF 2009-2010 p54-ccin large

During the Plenary Session that took place on November 26, 2008, the National Council unanimously adopted Law 1353.

During this Plenary Session, the National Council – after having approved the ratification by the Principality of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, referred to as Convention 108, as well as its additional protocol related to the control authorities and trans-border flows of data – unanimously adopted this Law, the terms of which extensively amend those of Law 1.165 of December 23, 1993, which governed the processing of personal data up until that time.
Faced with the serious problems caused by the opposition between two fundamental areas of the law, freedom of information and the right to privacy, which results from the major role played by information technologies, the Government had undertook a series of studies starting in 1983 that led to Law 1.165.
In light of the rapid and major progress in the field of information technologies over recent decades, the original law rapidly became obsolete.

A law corresponding to the Principality joining the Council of Europe

It is in this context that new studies were initiated, which were to result in the Law of December 4, 2008 and whose terms also correspond to the requirements arising from the Principality joining the Council of Europe.
This law, which took effect on April 1st, first entrenches the independence of the Commission, the composition of which has also been amended, increasing the number of its members from three to six.
Furthermore, the Commission has also been granted the ability to directly initiate legal proceedings and seize the public prosecutor for any act that may constitute a breach which it becomes aware of in the conduct of its missions.
It is also worth noting that the annual report prepared by the C.C.I.N. will now be made public.

Law 1.353 distinguishes the processing of information that must be declared or not

After reiterating the fundamental principles that govern the collection and processing of personal information, the new Law indicates that the measures it contains apply to this information, regardless of the form in which the information is presented.
Additionally, Law 1.353 distinguishes the processing of information that must be declared, whether via a simplified declaration or not, and information subject to a prior authorization scheme: this latter type of information includes, in particular, processing of information on suspected illegal activities, offences, security measures and information that includes biometric data required to control the identity of individuals or that is used for surveillance purposes. This scheme also applies to flows of personal data towards states that do not have an adequate level of protection within the meaning of the law of Monaco.

A definition of personal information

Also, the new Law provides a certain number of details of crucial importance related in particular to the definition of personal information presented as information that allows for the identification of a specific or determinable individual, as well as the identification of individuals the subject of the protection of said information, whether the person responsible for the processing of the information or the person receiving it.
In this regard, it is worth noting that in the case of processing in Monaco by an individual established abroad, said individual must appoint a local representative who is fully responsible for all legal obligations.
Finally, it is crucial to underline the fact that Law 1.353 extends the missions and considerably increases the powers of the Commission who now has greater control powers, whether a priori or a posteriori, and a concomitant right to impose penalties.
Furthermore, the rights of the individuals involved in terms of their privacy are reinforced, in particular via the creation of a new indirect access right.