On January 28, the French data protection authority, CNIL, issued Single Authorization Decision No. 46 (AU-46), which governs how certain companies request permission to process personal data for litigation.
The French law governing the processing of personal data for judicial proceedings, the Law on Information Technology and Liberties, requires data controllers to obtain prior authorization from the CNIL for transfers, which can be a time-consuming, burdensome process. Under this law, data controllers must provide a slew of information, including the purpose(s) of the processing, the identity and the address of the data controller, any connections between databases, the personal data processed and the categories of persons affected, the retention period for the data, the department or person(s) in charge of implementing the processing, the recipients or categories of recipients of the personal data, and the security measures taken to protect the data. Then the data controllers must wait for the agency’s approval before transferring the data.
The new standard simplifies the process for qualifying companies to obtain permission to process personal data for disciplinary or court actions that are part of their regular business activities and the enforcement of those actions. To qualify, organizations must meet several conditions set forth in the standard relating to the types of personal data to be processed, the recipients of the data, data retention periods, and security measures. Qualifying companies can file a brief, one-page online self-certification agreeing to comply with the conditions and then quickly proceed with the data processing.
Unfortunately for U.S.-based organizations, AU-46 does not apply to cross-border transfers to countries that the European Commission has found to lack an adequate standard of data protection. AU-46 references neither the defunct Safe Harbor framework nor its replacement, the Privacy Shield. Therefore, many organizations are still relying upon binding corporate rules or standard contractual clauses for transfers of personal data to the United States as stopgaps until the new Privacy Shield is implemented.