-DATA PROTECTION AND PRIVACY-
French National Assembly Votes on Amendments to Data Protection Act
A Bill containing several amendments to the French Data Protection Act was adopted by the French National Assembly. If enacted, the Bill would amend several key provisions of the French Data Protection Act. The Bill increases the deterrent effect of the CNIL’s sanctions by explicitly authorizing the CNIL to publish the sanctions it imposes on data controllers.
The State Council ruled that data controllers must be given advance notice of their right to object to an on-site inspection by the CNIL. The State Council also ruled that the CNIL may not conduct surprise inspections without notifying the data controller or obtaining the prior approval of a judge. Further to these rulings, the Bill adds a new provision to the Data Protection Act which would require the CNIL to obtain a court order to conduct an on-site inspection if the relevant data controller objects to such inspection. However, under exigent circumstances (if, for example, there is risk that the data controller might destroy or conceal evidence), a judge may authorize a surprise inspection without advance notice to the data controller.
The Bill also reduces the Chairman’s powers by limiting his involvement in the decision-making process with respect to investigations and sanctions. The power to impose sanctions would lie entirely in the hands of the CNIL’s “restricted committee” (la formation restreinte).
CNIL Exempts Foreign Based Companies From Filing Notifications With Respect to Certain Processing
A “Deliberation” of the CNIL (French Data Protection Authority) published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023” should ease the burden on companies that have no operations in France and engage France-based subcontractors (or cloud service providers) to process their data on French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the individuals concerned (employees or customers) are located outside of France. Under the Deliberation, certain categories of data will be exempt from the requirement to request an authorization. The exemption applies specifically to three categories of activities: (i) processing of payroll; (ii) management of workforce; and (iii) management of databases of clients and prospects. The exemption is very narrow and very limited. Only the requirement for declaration or request for authorization is lifted. The remainder of the obligations remains. In particular, the Declaration stresses that there must be a written agreement between the foreign data controller and the French-based data processor to ensure security and confidentiality of the data, and to require the processor not to use data other than as requested by the data controller.
French Data Protection Authority Simplifies Formalities For Non-EU Companies Using Data Processors
In a decision published on 2 March 2011, the French data protection authority (the “CNIL”) announced a simplification of the formalities regarding data processing in France done on behalf of non-EU entities. In consideration of the development of such services in the fields of human resources or client and prospect management, the CNIL, using its regulatory powers for data protection formalities in France, has decided to exempt non-EU companies using service providers located in France to process their human resources and/or their client and prospects data from the completion of formalities. In such cases, the appointment of a local representative is therefore no longer required either.
French Data Protection Authority Increases Compliance Inspections of U.S. Companies
The French Data Protection Authority, La Commission Nationale de l’Informatique et des Libertés, will conduct more inspections of companies and organizations in order to ensure that international transfers of data comply with French and European Union data privacy regulations, and specifically of U.S. companies enrolled in the U.S.-E.U. Safe Harbor Program. “CNIL wants to ensure that U.S. companies that have joined Safe Harbor respect the principles of data protection for data transfers from the European Union,” said the independent administrative authority in a statement (in French) from April 26. CNIL hopes to complete at least 400 inspections this year, a third more than it attempted in 2010, according to the document.
CNIL Cloud Guidelines Address Controller vs. Processor Issues
The French CNIL’s new guidelines on cloud computing revisit the tricky question of whether a cloud provider is a data processor or a data controller. The CNIL says that a cloud provider will generally be considered the data processor, but that the provider will become joint controller with the customer if the cloud customer lacks any real autonomy in the negotiation of the contract and in defining how the data are processed.
If the cloud customer is not able to give instructions to the cloud provider and must accept the cloud provider’s proposal “as is,” the CNIL will consider the cloud provider as joint controller, jointly liable with the customer for compliance with French data privacy laws.
Manager Hiring Back at 2008 Levels
56% of companies have employed at least one manager in the first quarter of 2011, according to new research from the Association for the Employment of Managers (APEC), and 53% of French companies intend to hire at least one manager in Q2 2011, an increase of +10 points over Q1 2010 and an increase of +17 points over Q1 2009. More than 80% of French employers with hiring intentions are looking for managers with between one and ten years’ work experience.