The French data protection authority (the CNIL) published guidelines on outsourcing on 11 October 2010. These new guidelines clarify, in particular, the position on transfers to countries which are not considered as having an adequate level of protection (which we will refer to in this analysis as "ex-EEA countries"), and also on the distinction between data controllers and data processors.
The CNIL also indicates that further guidelines will follow on cloud computing.
The guidelines are helpful in understanding the use of the European Commission approved model contracts, including the new model contract published by the European Commission on 15 May 2010 for transfers from European Economic Area (EEA) based data controllers to non-EEA data processors. The guidelines consider the following scenarios:
Transfer of data from a French data controller to an ex-EEA data controller and further transfer from the ex-EEA data controller to an ex-EEA sub-contractor
The CNIL indicates that either (i) a model contract must be entered into between the two data controllers, and the ex-EEA data controller must then enter into a model contract with its sub-contractor including the main obligations of the contract entered into between the two data controllers (in particular as regards instructions and security measures), or (ii) the French data controller enters into two separate model contracts, one with the ex-EEA data controller and one with the ex-EEA sub-contractor. In practice, it is difficult to see how the second option will work, particularly where the EEA-based data controller does not necessarily have any contractual relationship with the ex-EEA data controller's sub-contractor, nor may it want one.
Transfer of data from a French data controller to an ex-EEA data processor and further transfer from the first ex-EEA data processor to another ex-EEA data processor
The French data controller must enter into a model contract with the first ex-EEA data processor expressly authorising it to transfer data to another ex-EEA data processor, and the two ex-EEA data processors must enter into a contract including the same obligations as those provided in the contract entered into between the French data controller and the first ex-EEA data processor. This in effect echoes the guidance in the preamble to the European Commission's newest model contract issued on 15 May 2010.
Transfer of data from a French data controller to an ex-EEA data processor and transfer by the ex-EEA data processor to another ex-EEA data controller (e.g. a French data controller transferring data to an Indian data sub-contractor, which itself transfers such data to a US parent company that has not self-certified under Safe Harbour)
The CNIL considers that the French data controller must enter into two separate model contracts - one with the ex-EEA data processor and another with the ex-EEA data controller.
On the question of the distinction between a data controller and a data processor, the CNIL indicates that the following criteria should be taken into account:
- the level of instructions given by the client to the service provider,
- the level of control exercised by the client over the services and the data transferred to the service provider,
- whether the service provider acts under the client's name or its own name and/or re-uses the data for its own purposes,
- the level of expertise of the service provider (e.g. whether the tools to provide the service are imposed by the service provider).
The Article 29 Working Party (the European data protection advisory committee) also issued an opinion clarifying the distinction between data controllers and data processors, on 16 February 2010.
The CNIL issued its first guidelines on the security of personal data on 7 October 2010. The purpose of these guidelines is to assist data controllers in evaluating the risks relating to the security of personal data and the measures to be taken in order to protect such data.
The CNIL prepared 17 guidance notes, regarding in particular the definition of the risks, the management of users, security of hardware and mobile hardware (including telephones), back-up and continuity plans, maintenance, management of incidents, security of the premises, sub-contracting, archives, exchanges of information with other entities, anonymisation and encryption.
The CNIL recommends putting in place: authentication (user name), appropriate management of data access authorisation levels, audit trails of users' actions on the system retained for a defined duration, and systems for deleting, archiving or anonymising the data on expiry of statutory retention periods.