France has extensive requirements for declaring personal data processing to the data protection authority, and in some cases for obtaining authorization for transfers outside the EU. Controllers that have transferred data pursuant to Safe Harbor will now need to update their declarations, and may need to obtain authorizations.
Following the European Court of Justice’s invalidation of the EU-US Safe Harbor mechanism, which allowed the transfer of personal data to U.S. companies certified under the Safe Harbor Program, the French data protection authority (CNIL) has started sending notices to data controllers that have declared to the CNIL that they transfer data to the U.S. based on Safe Harbor.
The CNIL’s notice serves to remind controllers that it is no longer possible to transfer data to the U.S. based on Safe Harbor and that, pending a new legal framework to support such transfers, the transfer of personal data to the U.S. remains possible pursuant to standard contractual clauses or binding corporate rules (BCR), or pursuant to other exceptions to the prohibition on transfer of personal data outside the EU.
The CNIL is specifically requesting that data controllers consider making simplified declarations, which include automatic authorization of certain types of transfers to the U.S., pursuant to the CNIL’s Simplified Standards No. 46 and No. 48 applying to the processing of employee and customer/prospect data, respectively. Such declarations entail the controller’s certifying its compliance with the requirements set forth in those Simplified Standards.
The CNIL has also stated that if no alternative basis for transfer is declared to the CNIL by the end of January, the CNIL will assume that transfers of personal data to the U.S. have stopped.
Finally, the CNIL is reminding controllers that, as of January 31, 2016, it reserves the right to take appropriate measures, including repressive measures, if the conditions for transfer of personal data do not comply with the French Data Protection Law.