
23 Apr 2025

Legal news

International and European law

IT and communication law

Personal data

Public law


Digital (reform): Opinion of the APDP on bill no. 1093 (Deliberation no. 2025-006 of 6 April 2025)

Deliberation No. 2025-006 of 9 April 2025 of the Personal Data Protection Authority (APDP) provides an opinion by way of self-referral on Bill no. 1093 amending various provisions relating to digital matters, submitted to the Office of the Parliament on 22 May 2024 (JDM No. 8744 of 25 April 2025). The Bill is inspired by European Union legislation on trust services (eIDAS 2.0 Regulation), digital services (Digital Services Act (DSA)) and data governance (Data Governance Act (DGA)).

* * *

Self-referral by the APDP

The APDP's self-referral is based on the former article 2, paragraph 2 of Law no. 1.165 of 23 December 1993 in force at the time Bill no. 1093 was tabled and on article 38, paragraph 2 of Law no. 1.565 of 3 December 2024 in force, which provides that it shall be consulted by the Minister of State when drafting legislative measures relating to the protection of personal data.

In the absence of prior consultation, the APDP informed the Government of its decision to refer the matter to itself, noting that the concept of personal data is mentioned 16 times in Bill no. 1093.

Purpose of the APDP Opinion

The APDP's Opinion focuses on the following proposed amendments, in view of their implications for the rights and freedoms of data subjects in terms of the protection of personal data:

→ Amendment to Law no. 1.383 of 2 August 2011 for a Digital Principality (largely amended by Law no. 1482 of 17 December 2019):

  • blockchain technology, digital assets, tokens,
  • metaverse and avatars,
  • digital service providers,
  • electronic attestation of attributes,
  • publication of individual acts,
  • data governance and access to administrative documents,
  • data exchanges between public sector bodies,
  • digital identity wallets.

→ Amendment to Law no. 1.483 of 17 December 2019 on Digital Identity:

  • purpose of the digital identity wallet and consented digital identity,
  • interoperability and territoriality of the system.

* * *

The APDP Opinion in detail

I. Amendment to Law no. 1.383 for a Digital Principality

a) Blockchain technology, digital assets, tokens

The APDP points out that blockchain technology, depending on its implementation, may make it technically difficult or even impossible to delete the personal data used.

In its Deliberation no. 2021-063 of 2 April 2021 giving its opinion on the Sovereign Order applying Law no. 1.491 of 23 June 2020 to token offerings, the CCIN pointed out the gaps in the explanation of the blockchain technologies used and the differentiation between ICOs and STOs, the definition of a token which does not indicate "that it can be traced directly or indirectly to its owner", and their consequences on the personal data used.

Also drawing on reminders from the French CNIL regarding the challenges of blockchain and the categories of personal data it may contain (identifiers of participants and minors; additional data recorded in a transaction), the APDP deplores the fact that Bill no. 1093 makes no "link between the technologies supported by the text and the necessary protection of personal data, whether on digital assets, tokens or electronic registers."

b) Metaverse and avatars

The APDP notes that Law no. 1.383 and Bill no. 1093 provide a definition of avatars and the metaverse in interaction with the notion of "digital identity", the meaning of which is ambiguous (cf. the digital identity issued by the State), and stresses the absence of any specific framework, including for the fate of the "digital double" on a "persistent platform" in the event of death.

c) Liability of technical providers of intermediary services (articles 7, 9, 10)

Bill no. 1093 partially incorporates into Title IV of Law no. 1.383 elements of Regulation (EU) 2022/2065 on digital services (DSA), which subjects providers (regardless of their place of establishment) offering online intermediary services in the EU to obligations aimed at curbing the distribution of illegal or harmful content and products, combating disinformation and regulating targeted advertising.

It amends the provisions relating to hosting service providers ("natural or legal persons who provide an online public communication service, whether or not on an exclusive basis, consisting of the storage of signals, text, images, sounds or messages of any kind supplied by a recipient of the service") and simple transport service providers ("persons whose activity is to offer access to online public communication services").

It does not include in Monegasque law the caching service providers referred to in article 5 DSA ("service, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request").

The APDP considers that the differences in terminology with EU law (and neighbouring countries) for the designation of service providers are likely to make the text less readable for cross-border players, and recommends "adopting a common lexical field".

In addition, the failure to amend the provisions relating to online platforms (article 34-1 of Law no. 1.383) "creates a discrepancy with the new definition of “online platform” applicable within the European Union" ("a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation").

The APDP identifies other drafting discrepancies and notes that essential elements of the DSA are not dealt with in Bill no. 1093: "in particular the mechanisms for action by hosts following notification of unlawful content (deadlines, responses, etc.), the provisions relating to general terms and conditions, transparency reports, and the provisions relating to injunctions (to act against unlawful content or to provide information) issued by judicial and administrative authorities, etc."

d) Electronic attestations of attributes (article 12)

Bill no. 1093 introduces electronic attestations of attributes, based on the eIDAS 2.0 Regulation. The APDP notes a discrepancy with the wording of article 45c of the Regulation, which states that for access to an online service provided by a public sector body, "personal identification data in the electronic attestation of attributes shall not replace electronic identification (...) unless specifically allowed by the Member State". The Monegasque text does not include this possibility of derogation. However, the APDP suggests that a one-off derogation for targeted processing could sometimes reduce the amount of personal data collected compared with "classic" authentication.

The APDP also recommends that the law specify that the attestations of attributes issued by a public body responsible for an authentic source have a level of reliability equivalent to that of qualified trust service providers.

e) Publication of individual acts (article 14)

The APDP recalls the two decisions handed down by the CCIN on the application of the right to be forgotten (dereferencing) and the right to privacy to publications in the Journal de Monaco (Deliberations no. 2024-71 and 2024-72 of 20 March 2024). The CCIN took the view that the "nature, automaticity and permanence" of the publication in the Journal de Monaco of Sovereign Orders and Municipal Decrees concerning retirement on grounds of invalidity, and of certain disciplinary sanctions for public sector employees, "seriously infringe the rights of the persons concerned".

Bill no. 1093 guarantees that individual acts "in particular relating to the status and nationality of persons" published by Sovereign Order will not be indexed by search engines, which appears to address the issues raised by the CCIN. Despite the term "in particular", the APDP suggests extending this measure to the automatic publication of sanctions ("publication must be an autonomous sanction measure") and to acts published by Ministerial or Municipal Orders.

On the issue of the publication of health data, the APDP points out that the Minister of State undertook in a letter dated 25 July 2024 to no longer mention in Sovereign Orders the fact that retirement was due to invalidity, and draws attention to the "need to de-index all individual acts relating to persons retired on grounds of invalidity, published before" this date.

f) Data governance and access to administrative documents (article 16)

As a preliminary point, the APDP notes that Law no. 1.565 does not provide for any derogation from the principle of public access to administrative documents, unlike article 86 of the GDPR. Consequently, the current framework based solely on Sovereign Order no. 3.413, which is lower in the hierarchy of norms than the legislation on the protection of personal data, gives rise to legal uncertainty, as the CCIN has already pointed out.

The provisions of Bill no. 1093 are explicitly in line with the Data Governance Act (DGA) (EU Regulation 2022/868), which provides a framework for the re-use of protected data held by public sector bodies (personal data, business secrets, intellectual property rights, statistics, etc.) while excluding certain categories of data (in particular: national defence and security, public service broadcasting, data held by public undertakings, cultural and educational establishments, data outside the public service remit).

However, the APDP notes that Directive (EU) 2019/1024 of 20 June 2019 on open data and the re-use of public sector information (recast) also covers the re-use of public sector information (in particular: geographical, cadastral and statistical information held by public sector bodies or public undertakings, as well as data resulting from publicly funded research). It refers to the Directive's transposition in France (Livre III: L'ACCÈS AUX DOCUMENTS ADMINISTRATIFS ET LA RÉUTILISATION DES INFORMATIONS PUBLIQUES (Articles L300-1 à L351-1) of the Code des relations entre le public et l'administration).

The APDP identifies several points to watch out for:

  • Extensive scope of re-use: "the principle of re-use of data under licence and/or subject to acceptance by the Administration, as proposed in Article 16, encompasses all data, regardless of its quality and sensitivity (for example, the DGA concerns confidential or competitive data)". The APDP warns of the associated risks (lowering of the level of protection of personal data guaranteed by Law no. 1.565) and of the consequences for open data: the generalisation of a licensing or authorisation system for any re-use raises the question of compatibility with the current free availability of certain data on the administration's websites. The APDP calls for clarification of the boundaries between freely accessible and not freely accessible data.
  • Re-use subject to compliance with the provisions in force on the protection of personal data: The APDP stresses that "the possible re-use of data, and therefore the draft text, must not be analysed as an autonomous legal basis allowing the re-use of personal data. The entities concerned will therefore have to comply with the provisions of article 5 of Law no. 1.565 of 3 December 2024 relating to the lawfulness of processing and all the conditions of transparency and foreseeability attached to the use of personal data for further processing, as provided for in article 11 of the same text".
  • Framework for anonymisation: The APDP believes that the clause allowing anonymisation to be waived "provided that this does not entail disproportionate effort" is contrary to Law no. 1.565. Anonymisation cannot be limited to concealing identity, but implies the impossibility of re-identification, even indirectly. However, "making non-anonymised data available would allow it to be re-used, which could have consequences for the rights and freedoms of the data subject, particularly in terms of transparency and the exercise of rights".
  • Role of the interministerial portal manager ("responsable du portail interministériel"), who ensures "that the reference data is made available in compliance with the legislative and regulatory provisions in force": according to the APDP, the portal manager cannot be equated with a supervisory body, but must be qualified as a data controller.
  • Independent control: unlike other countries with independent authorities overseeing the right of administrative access and the regime for re-use of public data (CADA in France, in which the CNIL participates), Monaco stands out in that "in the event of litigation relating to the refusal of a request for access to administrative documents, the Minister of State is both judge and party in assessing the refusal. The situation is therefore unsatisfactory."

g) Data exchanges between public bodies (article 13)

Bill no. 1093 is based on the French Code of Relations between the Public and the Administration, with the aim of simplifying procedures for citizens.

The APDP "considers it appropriate to refocus exchanges within the Administration by excluding private players [invested with a mission of general interest or concessionaires of a public service] from this system, as the Monegasque public sector has specific features linked to residence permits and monopolies that the French Administration does not have, which are the inspiration for the draft texts".

It also points out that it will have to be consulted on the draft Ministerial Decree(s) for implementation, and considers that they should only govern "the fate of data during exchanges" (in particular: security, list of Administrations authorised to carry out exchanges, categories of data to be collected or excluded), which "could be part of an application programming interface (API) compatible with the digital portfolio so that users can check access and flows relating to their personal data".

II. Amendment to Law no. 1.483 on Digital Identity

a) Purpose of the digital identity wallet and consented digital identity (article 18-1)

Bill no. 1093 introduces the concept of a digital identity wallet, following the example of the eIDAS 2.0 Regulation. This system enables the secure storage, management and validation of personal identification data and electronic attestations of attributes, as well as the use of qualified electronic signatures and seals.

It is intended to be cross-border (subject to an agreement with the European Union) and must also be interoperable with Monegasque means of identification, currently those linked to the Monegasque identity card and the residents' residence permit.

However, the APDP notes the ambiguity of the text regarding the coexistence or merger of the current systems with the wallet. The lack of a clear division of roles between identity providers and wallet providers adds to this uncertainty. It also deplores the lack of analysis of national needs, technical arrangements and legal impact.

It points out that the purpose of digital identity is to secure interactions in the digital space, by preventing attacks on the integrity of identity and facilitating access to online services. While its allocation is mandatory for certain categories (residents, nationals, persons entered in certain public registers), use of the wallet remains voluntary, which introduces an essential distinction.

The APDP insists on the need to preserve this voluntary nature, by refusing to allow the wallet to become an imposed extension of the digital identity.

Finally, it warns of the risks of excessive centralisation: traceability of users' actions and the use of permanent unique identifiers could compromise privacy and the resilience of the system in the event of a compromise.

b) Interoperability and territoriality of the system

The APDP questions the compatibility and mutual recognition between the Monegasque digital identity wallet and the European digital identity wallet, given the difference in eligible persons.

It points out that the automatic granting of a digital identity to any person entered in an eligible register (Law no. 1.383, art. 5) does not provide for any prior verification of the accuracy of the data, and that registers with inadequate information could require additional data to be collected which, "unrelated to the purpose of the register, would be contrary to the provisions of Law no. 1.565".

In the event of interoperability, the APDP points to an imbalance: a cross-border worker could be subject to a compulsory digital identity in Monaco, whereas it would be optional in his or her own country. It calls on the legislator to clarify the cases in which digital identity is compulsory, the timetable, and the logic underlying the imposition of digital identity on any person "present in a public register".

The APDP also points out that Article 35 of Law no. 1.565 requires an impact assessment to be carried out when a processing operation allows a digital identifier to be used on a large scale.

Finally, with regard to territoriality, the provisions provide for the possibility of "notifying a user party" when a "request for data that is presumed to be illegal or suspicious is received", which anchors the control of personal data protection territorially in Monaco. However, the status of "user party" is not regulated and there is no requirement for it to be established in Monaco, and the APDP asks whether, for example, a French company could apply to be a "user party".

c) Other comments relating to the digital identity wallet

  • The APDP "advocates a digital identity of choice in which the individual controls the flow of personal data".
  • Individuals should be able to choose how they access a service, with use of the wallet being voluntary.
  • The APDP recommends that "the mandatory use of a strong digital identity should be justified and limited".
  • The data subject should be able to "choose not to be subject to a biometric tool".
  • Finally, the APDP recommends dissociating personal digital identity from professional activities.
