History of Data Protection in FRANCE


France - Data Protection

History of Data Protection in FRANCE

France introduced legislation relating to personal data and computer files as far back as the late
1970s, with law Nr. 79-17 of 6 January 1978. This Act also set up the French Data Protection
Authority, the CNIL. Legislation covering research conducted in the health sector was introduced in
1994.

Despite this early start in introducing data protection legislation in France, it took 9 years for Directive
95/46/EC to be introduced. In the meantime, the protection of privacy during the processing of
information was covered in a piecemeal fashion, by the Law of 12 April 2000 on the Rights of Citizens
and their Relationship with Administration, and the Law of 4 March 2002 on Patients' Rights.

Following a lengthy legislative process, the Directive was finally incorporated into French law with Law
Nr. 2004-801 of 6 August 2004 relating to the Protection of Data Subjects as Regards the Processing
of Personal Data. This law amended the 1978 law, and the bulk of it came into force immediately.

Summary of Data Protection in FRANCE

Title of Data Protection Legislation: Law 2004-801 of 6 August 2004 modifying law 78-17 of 6 January
1978 relating to the Protection of Data Subjects as Regards the Processing of Personal Data (in French)

Name of supervisory authority: Commission Nationale de l'Informatique et des Libertes (CNIL)

General Powers of supervisory authority: The CNIL's duties are outlined in Article 11 of the new Law.
As in the 1978 Act, the CNIL registers notifications, informs on rights, oversees the correct
application of the law (advice and warnings). It also provides opinions on the legitimacy of the
processing (authorization requests), and engages in jurisdictional recourse in the case of a breach of
the law and oversees the whole procedure. The CNIL also has the power to control the initiation of the
processing (Article 44), as well as the power to impose sanctions, for example: warnings, injunctions
to stop the processing, and financial sanctions (Articles 45 to 49).

The CNIL can also carry out on-the-spot audits concerning any file containing personal data, and issue
warnings to the controllers if required, or inform the public prosecutor.

Finally, the CNIL plays the role of intermediary between data subjects and controllers (through the
request to access). At the request of the professional organizations that represent controllers, the
CNIL assesses the ‘professional rules’ and gives labels to products, or procedures recognized as
conforming to the Law (Article 11-3˚ a, b, c) as provided by Article 27 of the Directive.

Who has standing to notify the supervisory authority of breaches? Anybody, provided they can show
that their interest in the matter is justified.

What are the penalties for data controllers if they breach the law? Article 45 of the 2004 law sets out
the sanctions for breaches of the law. These include fines, imprisonment, publishing the information of
the case in newspapers or other publications (for which the sanctioned person must pay), ceasing
processing operations and removing the controller's authorisation to process.

Have any provisions been made for the processing of a national identification number or a general
identifier, as per Article 8(7)? Yes. The processing of identification numbers by private bodies must be
authorised by the Supervisory Authority. The processing of identification numbers by public bodies
must be authorised by decree taken by the Conseil d'Etat after opinion given by the CNIL.

Is it necessary to obtain consent before processing personal data, or are alternatives available even
when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get
consent when it is not impracticable or inappropriate.

Does the Data Protection Legislation cover the deceased? No. In French law, the notion of ‘physical
persons’ only concerns living persons.

Who is able to indirectly identify the data subject? Anybody

ACT 78-17 of 6 January 1978
on Data Processing, Data Files and Individual Liberties (*)

The National Assembly and the Senate have adopted,


The President of the Republic promulgates the following Act;

Chapter I (Principles and Definitions)

Section 1

Section 2

Section 3

Section 4

Section 5

Chapter II (The National Data Processing and Liberties Commission)

Section 6

Section 7

Section 8

Section 9

Section 10

Section 11

Section 12

Section 13

Chapter III (Formalities Prior to Commencing Automatic Data Processing)

Section 14
Section 15

Section 16

Section 17

Section 18

Section 19

Section 20

Section 21

Section 22

Section 23

Section 24

Chapter IV (Collection, Recording and Storage of Personal Data)

Section 25

Section 26

Section 27

Section 28

Section 29

Section 30

Section 31

Section 32

Section 33

Chapter V (Exercise of Right of Access)

Section 34
Section 35

Section 36

Section 37

Section 38

Section 39

Section 40

Chapter VI (Penal Provisions)

Section 41

Section 42

Section 43

Section 44

Chapter VII (Miscellaneous)

Section 45

Section 46

Section 47

Section 48

(*) Translation approved by the French Ministry of Justice

CHAPTER I
PRINCIPLES AND DEFINITIONS

SECTION 1.

Data processing shall be at the service of every citizen. It shall develop in the
context of international co-operation. It shall infringe neither human identity,
nor the rights of man, nor privacy, nor individual or public liberties.

SECTION 2.

No judicial decision involving an appraisal of human conduct may be based on
any automatic processing of data which describes the profile or personality of
the person concerned.

No governmental or private decision involving an appraisal of human conduct
may be based solely on any automatic processing of data which describes the
profile or personality of the person concerned.

SECTION 3.

Any person shall be entitled to know and to dispute the data and logic used in
automatic processing the results of which are asserted against him.

SECTION 4.

For the purposes of this Act personal data which permit, in any form, directly
or indirectly, the identification of the natural persons to which they relate,
irrespective of whether the processing is done by a natural or legal person.

SECTION 5.

For the purposes of the Act the automatic processing of personal data means
any series of operations effected by automatic means, involving the collection,
recording, preparation, modification, storage and destruction of personal data as
well as any series of such operations relating to the use of files or data bases,
including interconnections or comparisons, the consultation or communication
of personal data.

CHAPTER II
THE NATIONAL DATA PROCESSING AND LIBERTIES COMMISSION

SECTION 6.

A National Processing and Liberties Commission shall be established. It shall
ensure observance of the provisions of this Act, inter alia, by informing all
persons concerned of their rights and duties, co-operating with them and
monitoring the application of data processing to personal data. For this purpose
the Commission shall have authority to make regulations in the cases referred
to in this Act.

SECTION 7.

The appropriations required by the national Commission for its operations shall
be included in the budget of the Ministry of Justice. The provisions of the Audit
Act of 10 August 1922 shall not apply to the administration thereof. The
Commission's accounts shall be audited by the Cour des Comptes.

However, charges may be made to cover the costs of certain formalities
mentioned in Sections 15, 16, 17 and 24 of this Act.

SECTION 8.

The National Data Processing and Liberties Commission shall be an
independent governmental authority.

It shall consist of 17 members designated for five years or the duration of their
term in office:

- two deputies and two senators elected respectively by the National Assembly
and the Senate;

- two members of the Economic and Social Council, elected by it;

- two members or former members of the Conseil d'Etat, one ranking as
"conseiller" or higher, elected by the general assembly of the Conseil d'Etat;

- two members or former members of the Cour de Cassation, one ranking as
"conseiller" or higher, elected by the general assembly of the Cour de
Cassation;

- two members or former members of the Cour des Comptes, one ranking as
"conseiller-maitre" or higher, elected by the general assembly of the Cour des
Comptes;

- two persons qualified by their knowledge of data processing applications,
appointed by decree on proposals by the speaker of the National Assembly
and the speaker of the Senate respectively;

- three persons appointed by decree made in the Council of Ministers on
account of their authority and competence.

The Commission shall elect from its membership a Chairman and two
Vice-Chairmen, for five years.

The Commission shall determine its own rules of procedure.

The Chairman shall have a casting vote.

If the Chairman or a member leaves the Commission before expiration of his
term of office, his successor shall serve the Commission only for the unexpired
part of such term.

The following may not be members of the Commission:

- a member of the government;

- anyone holding office or interest in a firm involved in the manufacture of
equipment used in data processing or telecommunications, or in the provision
of data processing or telecommunications services.

The Commission shall determine in each case such grounds for
disqualification. Save for resignation, the term of office of a member may only
be terminated by a finding by the Commission that he is disqualified under the
rules which it has laid down.

SECTION 9.

A government representative appointed by the Prime Minister shall sit on the
Commission.

He may within ten days after a matter has been discussed, call for a further
meeting to reconsider it.

SECTION 10.

The Commission shall have staff under the control of the Chairman or, on
delegation of authority, of a Vice-Chairman.

The Commission may delegate its powers under Sections 16, 17 and 21 (4), (5)
and (6) to the Chairman or Vice-Chairman Delegate.

The employees of the National Commission are appointed by the Chairman or
the Vice-Chairman Delegate.

SECTION 11.

The Commission may request the senior presiding judges of courts of appeal or
the chief judges of administrative courts to assign a judge of their court, if
necessary assisted by experts, to carry out investigations and inspections under
its supervision.

SECTION 12.

The members and employees of the Commission shall be bound by a duty of
secrecy regarding facts, documents or information with which they may have
become acquainted in the course of their duties, as provided by Article 75 of
the Criminal Code and, subject to the requirements for preparation of the
annual report referred to below, article 378 of the Criminal Code.

SECTION 13.

The members of the National Data Processing and Liberties Commission shall
take no orders from any authority in the performance of their duties.

Computer specialists called on to provide information to the Commission or to
testify before it shall be relieved insofar as need be from their duty of
confidentiality.

CHAPTER III
FORMALITIES PRIOR TO COMMENCING AUTOMATIC DATA PROCESSING

SECTION 14.

The National Data Processing and Liberties Commission shall ensure that
public or private automatic processing of personal data is carried out in
accordance with this Act.

SECTION 15.

Aside from cases in which it must be authorized by law, the automatic
processing of personal data on behalf of the State, a public establishment or
territorial authority, or a private legal entity managing a public service, shall
be authorized by a regulation adopted after obtaining the reasoned opinion of
the National Data Processing and Liberties Commission.

If the Commission's opinion is unfavorable, it may be disregarded only by a
decree issued on the favorable opinion of the Conseil d'Etat or, in the case of a
territorial authority, by a decision of its governing body approved by decree
issued on the favorable opinion of the Conseil d'Etat.

If the Commission fails to notify its opinion within two months, which time
may be extended for a like period once by the Chairman, such opinion shall be
deemed to be favorable.

SECTION 16.

The automatic processing of personal data on behalf of parties other than
those who are subject to the provisions of Section 15 must, prior to
commencement of operations, be declared to the National Data Processing and
Liberties Commission.

Such declaration shall entail an undertaking that the processing is in accordance
with the law.

Upon receipt of the acknowledgement which the Commission shall issue
forthwith, the applicant may proceed with processing. He shall be relieved of
none of his liabilities or responsibilities.

SECTION 17.

For the most common types of public or private processing, which manifestly
do not infringe privacy or liberties, the Commission shall set and publish
simplified rules based on the characteristics set forth in Section 19.

For processing covered by such rules, only a simplified declaration of
conformity to one of these rules shall be filed with the Commission. Unless
otherwise decided by the Commission, the acknowledgement, the applicant may
proceed with the processing. He shall be relieved of none of his liabilities or
responsibilities.

SECTION 18.

Use of the national identification index of natural persons with a view to
processing of personal data may be authorized by order of the Conseil d'Etat
after advice from the Commission.

SECTION 19.

The application for an opinion on the declaration must specify:

- the person making the application and the person empowered to decide on
the processing or, if such a person resides abroad, his representative in
France;

- the characteristics, purpose and, if applicable, name of the processing;

- the department or departments responsible for the processing;

- the department where right of access as defined in Chapter V below is to be
exercised and the steps taken to facilitate exercise of that right;

- the categories of persons who, by reason of their duties or for the needs of
the department, have direct access to the data recorded;

- the personal data processed, their source and the duration of storage, as
well as the addressees or categories of addressees authorized to receive such
data;

- the comparisons, interconnections or any other method of relating such data
as well as their transfer to third parties;

- the steps taken to provide for security of the processing and the data and to
safeguard secrets protected by law;

- whether the processing is intended for the dispatch of personal data
between France and another country, in any form, including the case where it
involves operations carried out partly in France on the basis of operations
previously performed outside France.

Any change in the particulars listed above or discontinuance of processing shall
be reported to the Commission.

Some of the particulars listed above may be omitted from applications for
opinions relating to the automatic processing of personal data affecting national
security, defense or public safety.

SECTION 20.

The official decision authorizing processing under Section 15 above shall
specify, inter alia:

- the name and purpose of the processing;

- the department where right of access as defined in Chapter V below is to
be exercised;

- the categories of personal data recorded and the recipients or categories of
recipients authorized to receive such data.

Decrees made in the Conseil d'Etat may provide that the regulations relating to
certain processing affecting national security, defense and public safety shall
not be published.

SECTION 21.

For discharge of its supervisory, the Commission:

1. shall issue individual rulings or general regulations in the cases provided for
in this Act;

2. may, by special ruling, instruct one or more of its members or employees,
assisted if need be by experts, to make on-the-spot checks in respect of any
processing and to obtain all information and documents relevant for the
purpose;

3. shall lay down standard rules for systems security as necessary; in
exceptional circumstances it may prescribe security measures including the
destruction of storage media;

4. shall issue warnings to those concerned and report violations to the public
prosecutor, pursuant to Article 40 of the Code of Criminal Procedure;

5. shall ensure that the procedures for giving effect to the right of access and
correction laid down in the regulations and declarations provided for in
Sections 15 and 16 do not hinder the free exercise of such right;

6. shall receive claims, petitions and complaints;

7. shall keep itself informed of industrial and service activities which
contribute to the use of data processing.

Ministers, public authorities, directors of public and private undertakings, heads
of groups and associations and more generally holders or users of personal files
may not oppose action by the Commission or its members for any reason, and
instead shall take any step needed to facilitate its work.

SECTION 22.

The Commission shall make a list of processing activities available to the
public, specifying in each case:

- the Act or official decision authorizing its establishment or the date of the
declaration;

- the name and purpose thereof;

- the department regarding which the right of access provided under Chapter
V below is to be exercised;

- the categories of personal data recorded and the addressees or categories of
addressees authorized to receive such data.

Rulings, opinions or recommendations of the Commission of use in the
application or interpretation of this Act shall be kept available for the public as
provided by decree.

SECTION 23.

The Commission shall submit a yearly report to the President of the Republic
and to parliament on the discharge of its duties. This report shall be published.

The report shall describe, inter alia, the procedures and working methods of the
Commission and shall contain in an appendix any information about the
organization of the Commission and its departments which may facilitate
relations of the public with the Commission.

SECTION 24.

On the proposal of or as advised by the Commission, the transmission between
France and another country in any form of personal data subjected to automatic
processing covered by Section 16 above may call for prior authorization or be
regulated by decree made in the Conseil d'Etat, to ensure compliance with the
principles laid down in this Act.

CHAPTER IV
COLLECTION, RECORDING AND STORAGE OF PERSONAL DATA

SECTION 25.

Acquisition of data by any fraudulent, dishonest or illegal means is prohibited.

SECTION 26.

Any natural person is entitled to object, for due cause, to the processing of
personal data concerning him.

This right shall not apply to processing limitatively designated in the regulation
provided for in Section 15.

SECTION 27.

Persons from whom personal data are obtained must be informed:

- whether or not they must supply such data;

- of any consequences to them should they fail to do so;

- as to the natural or legal persons for whom the data are intended;

- as to right of access and correction.

When such data are obtained by questionnaires, these must mention the above
requirements.

These provisions shall not apply to the collection of data required for purposes of
criminal investigation.

SECTION 28.

Unless otherwise provided by law, the data may not be stored in personal form
beyond the period stated in the application for opinion or in the declaration,
unless such storage is authorized by the Commission.

SECTION 29.

Any person processing personal data or ordering such processing thereby shall
undertake, vis-a-vis the persons concerned to see that all necessary precautions
are taken to protect the data and in particular to prevent these from being
distorted, damaged or disclosed to unauthorized third parties.

SECTION 30.

Unless otherwise provided by law, only the courts and public authorities acting
within the scope of their legal powers and, on favorable opinion of the National
Commission, legal persons managing a public service may engage in the
automatic processing of personal data relating to criminal offenses, convictions
or security measures.

Until implementation of the file of motor vehicle drivers provided by Act 70-539
of June 1970, insurance companies shall be authorized, under Commission
supervision, to process themselves the data mentioned in Section 5 of that Act
relative to the persons covered by the last paragraph of such Section.

SECTION 31.

Without the party's express consent the recording or storage in a computer
memory of personal data which directly or indirectly reflect racial origins or
political, philosophical or religious opinions or union membership shall be
prohibited.

Churches and religious, philosophical, political or union organizations may
however keep records of their members or correspondents in computerized
form. They are not subject to supervision in that connection.

On public policy grounds, other exceptions may be made to such prohibition on
the Commission's proposal or favorable opinion, by decree made in the Conseil
d'Etat.

SECTION 32.

Access to the voter list is given under identical conditions to candidates and
political parties under the control of campaign commissions.

SECTION 33.

Sections 23, 30 and 31 shall not apply to personal data processed by press or
broadcasting organizations under the laws governing them, if application of
those sections would have the effect of restricting freedom of expression.

CHAPTER V
EXERCISE OF RIGHT OF ACCESS

SECTION 34.

Any person proving his identity shall be entitled to question the departments or
organizations using automatic processing, a list of which shall be available to
the public under Section 22 above, to determine whether such processing
involves personal data concerning him, and if they do, to obtain access thereto.

SECTION 35.

The holder of such a right of access shall be entitled to obtain access to
information concerning him. The information supplied to him shall be in clear
language and shall conform to the contents of the records.

A copy shall be delivered to the holder of such a right of access on application
against payment of a fixed charge varying according to the category of
processing, the amount of which shall be fixed by Commission ruling and
approved by Order of the Minister of Economy and Finance.

However, on application to the Commission with notice to the person
requesting the data, the Commission may grant the person in charge of the file:

- time to respond;

- authorization to disregard certain requests which manifestly are
unreasonably numerous, repetitious or systematic.

When there is reason to fear the concealment or disappearance of data
mentioned in the first paragraph of this section, and even before
commencement of legal proceedings, application may be made to the
competent court to order any appropriate measures for preventing such
concealment or disappearance.

SECTION 36.

The holder of a right of access may require the correction, addition,
clarification, updating or erasure of data concerning him which are inaccurate,
incomplete, ambiguous, outdated or of which the acquisition, use, disclosure or
storage is prohibited.

Upon request of the person concerned, the department or organization involved
must issue a copy of the altered record without charge.

In the event of dispute, the onus of proof shall be on the department in relation
to which the right of access is exercised, unless it appears that the disputed data
were disclosed by or with the consent of the person concerned.

When the holder of a right of access has a record altered, the charge paid
pursuant to Section 35 shall be refunded.

SECTION 37.

A personal file must be supplemented or corrected even ex proprio motu when
the organization keeping it becomes aware of the inaccuracy or incompleteness
of a personal item of data in such a file.

SECTION 38.

If an item of data has been sent to a third party, its correction or deletion must
be notified to such party unless the Commission waives such a proceeding.

SECTION 39.

With regard to processing activities affecting national security, defense or public
safety, the application shall be made to the Commission, which shall nominate
one of its members who is or has been a member of the Conseil d'Etat, Cour de
Cassation or Cour des Comptes, to conduct any appropriate investigations and
order the necessary alterations. Such member may be assisted by a member of
the Commission's staff.

The applicant shall be advised that checks have been made.

SECTION 40.

When exercise of a right of access applies to medical data, these may be
disclosed to the person concerned only through a doctor designated by him for
this purpose.

CHAPTER VI
PENAL PROVISIONS

SECTION 41.

Whoever engages in the automatic processing of personal data, or has such data
so processed without publication of the official decisions provided for in
Section 15 or without filing the declarations as provided in Section 16 shall be
imprisoned for six months to three years, or fined 2,000 to 200,000 francs, or
both.

The court may also order publication of the judgment in full or in part in one or
more newspapers, and public display thereof as it may determine, at the guilty
party's cost.

SECTION 42.

Whoever records or causes to be recorded, stores or causes to be stored
personal data contrary to Sections 25, 26 and 28-31 shall be imprisoned for one
to five years, fined 20,000 to 2,000,000 francs, or both.

The court may also order publication of the judgment in full or in part in one or
more newspapers and public display thereof as it may determine, at the guilty
party's cost.

SECTION 43.

Any person who, in connection with recording, filing, transmittal or any other
form of processing, obtains personal data, disclosure of which would impair
reputation or standing or invade privacy, and who knowingly and without the
authorization of the person concerned discloses such data to any party not
authorized to receive them under this or any other Act, shall be imprisoned for
two to six months, fined 2,000 to 20,000 francs, or both.

Whoever imprudently or negligently discloses or allows disclosures of data
described in the preceding paragraph shall be fined 2,000 to 20,000 francs.

SECTION 44.

Whoever, being in possession of personal data in connection with recording,
filing, transmittal or other processing, uses the same for a purpose other than
that specified in the regulations as provided under Section 15, or in the
declarations made pursuant to Section 16 and 17, or in a statutory provision,
shall be imprisoned for one to five years, and fined 20,000 to 2,000,000 francs.

CHAPTER VII
MISCELLANEOUS

SECTION 45.

The provisions of Sections 25, 27, 29, 30, 31, 32 and 33 relative to the
acquisition, recording and storage of personal data shall apply to
non-automated or mechanized files other than those involving strict exercise of
the right of privacy.

The first paragraph of Section 26 shall apply to same files, except public files
designated by official decision.

Any person providing his identity shall be entitled to question departments or
organizations keeping files mentioned in the first paragraph of this Section to
determine whether such files contain personal data concerning him. The holder
of a right of access shall be entitled to obtain access to such data; he may
require compliance with the first three paragraphs of Section 36 of this Act
relative to the right of correction. Section 37, 38, 39 and 40 shall also apply. A
decree made in the Conseil d'Etat shall fix the conditions of exercise of the
right of access and correction; such decree may provide for the collection of
charges for issuing copies of the data disclosed.

On recommendation of the National Commission for Data Processing and
Liberties, the Government may, by decree made in the Conseil d'Etat, decide
that the other provisions of this Act may, in whole or in part, be applied to a file
or categories of files which are non-automated or mechanized and which, by
themselves or used in combination with a computerized file, threaten civil
liberties.

SECTION 46.

Decrees made in the Conseil d'Etat shall specify arrangements for giving effect
to this Act. They shall be enacted within six months of promulgation hereof.

Such decrees shall fix the time, when the provisions of this Act shall take
effect. Such time shall not exceed two years after the promulgation of this Act.

SECTION 47.

This Act shall apply in Mayotte and the overseas territories.

SECTION 48.

As a transitional measure, processing covered by Section 15 above and already
effective shall only be subject to a declaration to the National Commission for
Data Processing and Liberties as provided in Sections 16 and 17.

The Commission may, however, by special ruling, apply Section 15 and fix the
time within which the regulation covering processing must be adopted.

Two years after the promulgation of this Act, all processing covered by Section
15 shall comply with the requirements of such Section.

This Act shall be enforced as an Act of the State.

Paris, 6 January 1978.

Signed: VALERY GISCARD D'ESTAING

By the President of the Republic:

The Prime Minister,

RAYMOND BARRE

The Minister of Justice,

ALAIN PEYREFITTE

The Minister of Interior,

CHRISTIAN BONNET

The Minister of Defense,

YVON BOURGES

The Deputy Minister of Economy and Finance,

ROBERT BOULIN

The Minister of Facilities and Territorial Development,

FERNAND ICART

The Minister of Education,

RENE HABY

The Minister of Industry, Trade and Crafts,

RENE MONORY

The Minister of Labor,

CHRISTIAN BEULLAC

The Minister of Health and Social Security,

SIMONE VEIL

French Data Protection Agency (CNIL) Releases New Guidelines on “Discovery”

August 24, 2009


In Guidelines published on August 19 in the French Official Journal, the French Data Protection
Authority (CNIL) opined on the legal requirements for French/U.S. data transfers in discovery
activities related to litigation or for U.S. investigations.

General
The CNIL states in its detailed “Deliberation 2009-474” (in French only) that the volume and scope of
document discovery in U.S. proceedings has significantly increased. It reiterates that all data flows
out of France for litigation purposes must be in line with the French Data Protection Law of 1978 (as
amended): “Obtaining an authorization from a French judge to send documents to the U.S. (through
a “letter of request” addressed to the French chancellery) does not release a company from the
obligation to respect French [data protection] law, in particular the provisions on data flows out of the
EU....”

Is Prior Consent of the CNIL Required?
One key issue for U.S. litigants is when prior consent of the CNIL is required, irrespective of other
regulations and treaties (such as the 1970 Hague Convention on Obtaining Evidence Abroad that
the U.S. and France have ratified). The CNIL makes the following clarifications:

• The CNIL’s prior consent is NOT required for personal data transfers to the U.S. for litigation
or investigation purposes (SEC, FTC, etc.) if: (i) it is a single data transfer, and (ii) the amount of
information transferred is “not massive.” The CNIL still must be notified of the data transfer.
• Data transfers that go beyond this threshold (i.e., “massive and repeated data transfers”) are
only allowed if: (i) the receiving party in the U.S. signs the EU/U.S. Safe Harbor Principles, (ii) the
parties use the EU contractual clauses for international data transfers, or (iii) the parties adhere to
the Binding Corporate Rules (a complicated set of rules for corporate groups developed by the EU
that must be individually approved by the national data protection authorities).
• If the data are already located in the U.S., the data processor must ensure that the data are
“adequately protected” by the U.S. authorities, e.g., through a “stipulative court order” [probably a
Protective Order].

Various Additional Privacy Issues
The CNIL addresses a number of privacy requirements for personal data transferred to the U.S., for
instance:

• Prior consent of the individual: Prior consent of the individual can be a legitimate basis for
data transfers under the French data protection laws, provided that there is evidence that it is “free,
clear, specific” consent; in particular, the consent must not be given “under pressure,” or merely to
avoid “sanctions.”
• Reducing the amount of data: The CNIL demands that personal data sent from France
must be “proportionate” and “adequate” to the discovery purpose. One method to ensure this is to
filter the data in France for key words to reduce its volume. The CNIL also recommends
anonymizing the data to the maximum extent.
• Data storage: Data sent to the U.S. may only be stored for the “duration of the proceedings.”
• Informing the individuals: Pursuant to French data protection laws, the individuals to whom
the personal data in France refer must be informed about the data transfer (exceptions may apply if
such disclosure “endangers the proceeding”). These individuals must have the right to know what is
sent and to “rectify” false or incomplete information about them.

Preliminary Observations
Many requirements that the CNIL stipulates in the Guidelines are open to interpretation. Given that
the European “Article 29 Working Party” of data protection representatives at the EC is also looking
into this issue on the European level (see Bingham’s e-discovery alerts of 02/23/09 and 02/11/2008),
this is probably not the last word from Europe. It remains to be seen how aggressively the CNIL will
enforce the new Guidelines.
Protection of personal data in France


In France, there has been full protection for personal data since the 1970s.
The 1978 Act on data processing, data files and individual liberties created the French Data
Protection Authority (CNIL – Commission nationale de l’informatique et des libertés), an
independent administrative authority. It was formed to address the problems that arose
with the emergence of data processing and the Internet, which allowed simpler and faster
collection of personal data, and with the revelation in the 1970s of a government project to
identify every citizen by a number and connect all government databases.
The 17-member CNIL is made up of members of the National Assembly and Senate and the
Economic and Social Council, representatives of France’s highest courts (Conseil d’Etat,
Court of Cassation and Cour des Comptes) and senior public figures. Appointed or elected
by the assemblies or courts to which they belong, the members receive instructions from no
one and are independent.
The CNIL’s main task is to protect private life and personal and public freedoms. It is
responsible for ensuring compliance with the 1978 Act, which entrusts it with the following
main missions:
• Register files: anyone wishing to create a paper or computer file containing personal data
has to inform the CNIL and in some cases obtain permission to do so. Some files are
prohibited (race, religion, etc.). Failure to comply with this requirement can lead to
penalties.
• Guarantee the right of access: every citizen must have a right of access to his/her personal
data. The CNIL ensures this right of access.
• Inform: the CNIL informs people of their rights and obligations, and proposes to the
government new measures as and when technological developments make this necessary.
• Make rules: the CNIL establishes simplified rules so that the rules governing the most common
and less dangerous files are less strict.
Source: CNIL website (English) www.cnil.fr/index.php?id=4
