Earlier this year, the French Data Protection Authority (the “CNIL”), which is charged with ensuring that the development of information technology remains at the service of citizens and does not infringe human identity, human rights, privacy, or personal or public liberties, adopted its annual audit program for 2011. The CNIL’s objective is to conduct 400 audits, covering, without limitation, companies that are likely to transfer personal data outside of the European Union, whether located in France (“exporting companies”) or in a third country outside of the European Union (“importing companies”).
The contemplated audits will concern three main areas:
- Audit of “Safe Harbor” companies: U.S. companies can adhere to the Safe Harbor principles, a set of personal data protection standards negotiated between the U.S. authorities and the European Commission in 2001. Adherence to these standards allows them to receive data originating from the European Union. The purpose of the audit is to check that U.S. companies adhering to the Safe Harbor standards effectively comply with these personal data protection standards for data transferred out of the European Union.
- Audit of companies that implement contractual arrangements allowing them to use the services of non-E.U. companies (e.g., companies that have outsourced their telephone services), and audit of companies that do not implement such contractual arrangements even though, in all likelihood, they carry out international data transfers.
- Audit of companies that claim an exemption provided for by law, even though such claims should be made on an exceptional basis and should not involve repeated, mass, or structural transfers of data.
As a reminder, transfers of personal data outside of the E.U. to a third country that does not ensure a level of protection adequate in comparison to that granted to European citizens under the applicable laws and regulations are prohibited, unless (i) the third country is recognized by a published decision of the European Commission as providing an adequate level of protection, (ii) the transfer falls within an exemption listed in the relevant national Data Protection Act, (iii) the transfer is covered by contractual clauses consistent with those published by the European Commission, or (iv) the transfer is covered by binding corporate rules approved by the Data Protection Authority. Failure to comply with the applicable laws and regulations in France is punishable by a maximum of 5 years’ imprisonment and/or a € 300,000 fine.
Nixon Peabody LLP can assist you in determining whether your data transfers outside of the E.U. comply with the applicable regulations and, where applicable, in securing them from a legal perspective while preserving your business goals. If you would like any assistance in reviewing your benefit plan and policies in light of the new law and other related developments, please do not hesitate to contact us.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.