In a decision published on February 16, 2011 (Deliberation No. 2011-023), the French data protection authority (CNIL) exempted non EU-based companies from any prior notification obligation with regard to their payroll, customer and prospects data processed in France.  This exemption will be of particular interest for non EU companies engaging cloud service providers with processing facilities in France.

Under the French Data Protection Act (Act No. 78-17), data controllers not established in the EU are nevertheless subject to French law if they make use of processing means in France (unless for mere transit purposes).  Thus, in network environments such as cloud computing, customers of data processing vendors with equipments or infrastructure in France have to comply with French law.

The Article 29 Data Protection Working Party identified this difficulty in its December 16, 2010 opinion concerning the application of national law to international data processing activities.  The Working Party emphasized that “the application of the Directive to a controller for the whole processing should be supported as long as the link with the EU is effective and not tenuous (such as by almost inadvertent, rather than intentional, use of equipment in a Member State)”.

In what seems to be a response to the Working Party’s opinion, CNIL has now determined that data controllers located outside the EU may engage a data processor in France to process personal data in France without prior registration if (i) the data processed are payroll, customer or prospects data, (ii) such data are collected outside the EU, and (iii) such data are returned to the country of origin after processing in France.  The data controller is also exempted from informing data subjects that the data will be exported to France if the controller is able to demonstrate that providing such information would require unreasonable efforts under the circumstances.  Finally, the controller is relieved from entering into model contractual clauses for the re-exporting of the personal data to the country of origin based on the assumption that this transfer is required for the performance of an existing or soon-to-exist contract between the controller and the employee, customer and prospect (e.g. employment contract, sale agreement).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Myria Saarinen Myria Saarinen

Myria Saarinen is a partner in the Litigation & Trial Department of Latham & Watkins’ Paris office. Her practice focuses on complex commercial litigation, data privacy, and compliance. She is the Global Co-Chair of the Technology Industry Group. Ms. Saarinen’s practice focuses on…

Myria Saarinen is a partner in the Litigation & Trial Department of Latham & Watkins’ Paris office. Her practice focuses on complex commercial litigation, data privacy, and compliance. She is the Global Co-Chair of the Technology Industry Group. Ms. Saarinen’s practice focuses on resolving a broad range of complex disputes through litigation proceedings, mostly in an international context and in various areas of business (healthcare, aeronautics, information technology, construction works, insurance, etc.). She is very active in litigation relating to major industrial operations and is involved in a broad range of general commercial disputes (contract and liability) and corporate litigation. Ms. Saarinen has expertise on cross-border issues raised in connection with Discovery and similar requests in France. In addition, she has developed specific expertise, for 20 years now, in the privacy/personal data area, advising international clients. She supports her clients in their compliance program regarding the GDPR. She is also active in the corporate governance and compliance area and assists clients in drafting and implementing grant of powers, delegation of liability, and other compliance schemes.