On November 19, 2015, the French Data Protection Authority (“CNIL”) published guidance, including a set of frequently asked questions, to assist companies that are transferring personal data to the U.S. pursuant to the Safe Harbor framework.
In the guidance, the CNIL stated that the October 6, 2015 decision of the Court of Justice of the European Union (“CJEU”) invalidated the European Commission’s decision on the adequacy of the protection provided by Safe Harbor. Consequently, companies can no longer rely on Safe Harbor to transfer personal data to the U.S. The CNIL then stated that, on October 15, 2015, it met with other European data protection authorities (“DPAs”) within the Article 29 Working Party (the “Working Party”) to draw up a joint action plan that would allow stakeholders to adapt to the new legal circumstances. During that meeting, the Working Party called upon the EU institutions and Member States to adopt a new legal framework allowing the transfer of personal data from the EU to the U.S. in accordance with the requirements set out by the CJEU by January 31, 2016. Until January 31, 2016, the Working Party confirmed that companies may use Binding Corporate Rules (“BCRs”) or EU Model Clauses to legitimize their data transfers to Safe Harbor certified companies. The CNIL explained that the DPAs are still analyzing the impact of the CJEU ruling on BCRs and EU Model Clauses, but have decided to allow companies to rely on them temporarily. The CNIL also pointed out that EU Model Clauses are the most suitable mechanism, since the implementation of BCRs takes several months. Therefore, the CNIL has called upon companies to implement EU Model Clauses if they wish to continue transferring personal data to U.S. Safe Harbor certified companies. The guidance makes no reference to other data transfer mechanisms, or in particular, to derogations (such as data subject consent). Such derogations have always been narrowly interpreted by the CNIL and may not legitimize repeated, mass or structural data transfers to the U.S.
In terms of registration formalities, the CNIL made it clear that companies must amend their existing notifications by the end of January 2016 to either declare that their data transfers to the U.S. have ceased, or to indicate that the data transfers will be based on another data transfer mechanism (in practice, EU Model Clauses). Data transfers based on EU Model Clauses require the CNIL’s prior ad hoc authorization. To speed up the registration process, the CNIL recommends filing new and simplified notifications in which companies commit to complying with the requirements laid down by the CNIL in its “Simplified Norm No. 46” and/or “Simplified Norm No. 48,” relating respectively to the processing of employees’ personal data and the processing of customers’ personal data. These Simplified Norms authorize data transfers outside of the EU. This assumes, however, that the data processing activities or transfers fall within the scope of the CNIL’s Simplified Norms. If not, companies must amend their existing notifications and obtain the CNIL’s ad hoc authorization for their transfers.
Finally, the CNIL stated that, beyond January 31, 2016, and in the absence of a Safe Harbor 2.0, the European DPAs will examine the possibility of using their enforcement powers to suspend or forbid data transfers to the U.S.