On August 19, 2009, the French Data Protection Agency (also known as the “CNIL”) released a new opinion (the “Opinion”) on the transfer of personal data from France to a jurisdiction outside of Europe. The Opinion is noteworthy for describing how personal data can be transferred from France to the United States pursuant to U.S. discovery proceedings. The Opinion stresses that it does not cover proceedings originating from U.S. governmental requests, such as requests by the Securities and Exchange Commission (SEC) or the Federal Trade Commission (FTC). The issue of international discovery transfers has been a particularly thorny and complex one, as it has often pitted the legal obligations of an entity in the United States to comply with U.S. discovery requirements against its obligations to comply with EU data protection laws, where it holds personal data on individuals located within the EU.
At the outset, the Opinion notes that an entity transferring personal data abroad must comply with the French Data Protection Act. Usually, an organization that creates a database in France containing personal data must “declare” the database to the CNIL; however, the Opinion noted that no new declarations to the CNIL should be needed to transfer personal data to the U.S. for discovery proceedings, because no new databases should be created for the sole purpose of transferring information pursuant to such U.S. proceedings.
The Opinion also notes that a general, clear and complete disclosure must be given to the data subjects before their data is transferred out of the EU in the context of a judicial procedure (whether or not such transfer is performed electronically). The disclosure must inform the data subject of the identity of the entity in charge of the transfer, the facts of the U.S. case at issue and the reason why it is necessary to transfer the data subject’s personal data out of Europe, as well as the consequence to the data subject if he or she disagrees; which service providers are in charge of processing the data; and finally, an explanation of the data subject’s rights of access, opposition to the transfer and rectification, and how data subjects’ complaints about the transfer will be resolved. Fortunately, the Opinion provides exceptions to mandatory notifications in certain circumstances, such as when the disclosure would jeopardize a pending investigation and where there is a risk that disclosure could lead to the destruction of evidence. In both cases, the disclosure must be made later, after the risk has subsided.
As communication of information does not always require the communication of personal data, the Opinion suggests that wherever possible, large amounts of personal data should be anonymized. Furthermore, keyword searches should be performed to filter personal data so as to comply with the principle of proportionality, i.e., ensuring that only the personal data necessary for the proceeding is transferred. This filtering process should be performed in France. The CNIL also recommends that a “third party” (such as, presumably, a trusted independent third party) be involved in the process. When the personal data is transferred abroad, it should only be sent to those recipients whose receipt of the data is necessary. When sensitive data (e.g. health, sex, race, or labor union related data) is at issue, specific and informed consent of the data subject must first be obtained.
The Opinion also divides the international transfer of personal data into two categories: (1) a “unique and non-massive transfer”; and (2) a “massive and repeated” transfer. With regard to “unique and non-massive transfer” of personal data, the Opinion notes that there is an exception provided under Article 69-3° of the Data Protection Act, whereby the transfer does not need to be approved by the CNIL, because the transfer is for the protection or defense of a party’s rights before a court. On the other hand, with respect to “massive and repeated” transfer of personal data, large amounts of personal data may be transferred repeatedly only if (i) the data exporter and importer have signed model contractual clauses (pre-formulated data transfer contracts drafted by the European Commission); (ii) where the data importer is a U.S. entity, the data importer has self-certified under the EU/US Safe Harbor Program (wherein the U.S. entity agrees to abide by the “Safe Harbor Principles” which mirror EU data protection law requirements); or (iii) the entity has adopted and implemented intra-organizational “binding corporate rules.”
The CNIL also noted that organizations transferring personal data to the U.S. in the context of discovery proceedings must still comply with other applicable laws, such as the Hague Convention and the French criminal “blocking” statute which prohibits the disclosure of certain information for use in foreign proceedings.
Although there is no official translation of the CNIL’s Opinion, members of Proskauer’s Privacy and Data Security Practice Group from Proskauer’s Paris Office have generally translated the Opinion. It is believed to be the only publicly available English translation of the Opinion.