On 19 November 2015, the French data protection authority (“CNIL”) published a set of guidelines and FAQs providing guidance to French businesses currently transferring, or planning to transfer, personal data from the EU to the U.S.
What Options Are Available For Transferring Personal Data From France To the U.S.?
CNIL expressly states that transferring personal data from France to the U.S. on the basis of Safe Harbor is no longer an option. It further confirms that, while the national data protection authorities (“DPAs”) will continue to assess the impact of the Schrems ruling on alternative transfer mechanisms, companies may rely on Binding Corporate Rules (BCRs) and European Commission Model Clauses at least until 31 January 2016. That said, CNIL also reminds businesses that the implementation of alternative transfer mechanisms does not prevent DPAs from investigating particular transfers, notably in the event of a complaint. In this regard it should be noted that certain privacy watchdog groups are encouraging individuals to file complaints with the CNIL (e.g., one privacy group publishes a template complaint letter on its site). The CNIL has already received several complaints based on such letters.
It is also worth noting that CNIL does not mention any of the transfer derogations, such as consent or performance of a contract, that may be relied upon in other EU countries. These are not recognized in France except in exceptional circumstances and on a case-by-case basis.
Are Existing Transfer Declarations Based On Safe Harbor Still Valid?
The CNIL no longer recognizes existing transfer declarations filed before the Schrems ruling on the basis of Safe Harbor. The CNIL accordingly requests businesses to amend such transfer declarations by specifying either that their data transfers have ceased or that transfers are now carried out on the basis of BCRs or EU Model Clauses. However, since the implementation of BCRs may take several months, CNIL recommends using Model Clauses as the most immediate and efficient solution. Once the alternative mechanisms are in place (most likely EU Model Clauses for many organizations, given timing and other constraints), the existing transfer declarations may be amended by completing a new data transfer exhibit and sending it to CNIL by mail (preferably registered) or filing it online.
Do Transfers To The U.S. Require CNIL’s Authorization?
As a general rule, data transfers to the U.S. need to be formally authorized by CNIL before they may take place. The authorization process usually takes about two months, although longer periods should currently be expected. As an exception to the general rule, data transfers to the U.S. will not need to be authorized by CNIL if the transfer declaration is a simplified declaration based on the so-called Simplified Norms. In its FAQs, CNIL makes express reference to Norm n°46 (for HR management data processing) and Norm n°48 (for clients and prospects data management).
By filing a simplified declaration, a company represents that it complies with the requirements laid down in Simplified Norm n°46 or n°48 (which require data controllers to adhere to BCRs or EU Model Clauses), and CNIL's authorization is presumed to be granted.
While the use of these Simplified Norms would be an attractive option in practice, as it removes the need for a formal authorization of data transfers to the U.S., businesses need to carefully assess whether they can lawfully rely on them in each case.
What will happen after 31 January 2016?
If EU and U.S. authorities do not manage to implement a satisfactory solution (such as a Safe Harbor 2.0 and related provisions on government surveillance) by the end of January 2016, and depending on the assessment of the alternative transfer tools by the Art. 29 Working Party, the CNIL will start to take all necessary and appropriate actions, which may include suspending or prohibiting data transfers to the U.S. It seems that such suspensions or prohibitions may be limited in scope and subject to a case-by-case analysis that takes into account the risks associated with, and the safeguards implemented in relation to, a particular transfer.
The CNIL’s actions may also include coordinated enforcement actions. In that case, companies will have to consider technical solutions allowing them to retain data on EU territory.