In a decision published on February 16, 2011 (Deliberation No. 2011-023), the French data protection authority (CNIL) exempted non EU-based companies from any prior notification obligation with regard to their payroll, customer and prospects data processed in France. This exemption will be of particular interest for non EU companies engaging cloud service providers with processing facilities in France.
Under the French Data Protection Act (Act No. 78-17), data controllers not established in the EU are nevertheless subject to French law if they make use of processing means in France (unless for mere transit purposes). Thus, in network environments such as cloud computing, customers of data processing vendors with equipments or infrastructure in France have to comply with French law.
The Article 29 Data Protection Working Party identified this difficulty in its December 16, 2010 opinion concerning the application of national law to international data processing activities. The Working Party emphasized that “the application of the Directive to a controller for the whole processing should be supported as long as the link with the EU is effective and not tenuous (such as by almost inadvertent, rather than intentional, use of equipment in a Member State)”.
In what seems to be a response to the Working Party’s opinion, CNIL has now determined that data controllers located outside the EU may engage a data processor in France to process personal data in France without prior registration if (i) the data processed are payroll, customer or prospects data, (ii) such data are collected outside the EU, and (iii) such data are returned to the country of origin after processing in France. The data controller is also exempted from informing data subjects that the data will be exported to France if the controller is able to demonstrate that providing such information would require unreasonable efforts under the circumstances. Finally, the controller is relieved from entering into model contractual clauses for the re-exporting of the personal data to the country of origin based on the assumption that this transfer is required for the performance of an existing or soon-to-exist contract between the controller and the employee, customer and prospect (e.g. employment contract, sale agreement).