Despite the undeniable importance of protecting personal data, there are situations in which applying the law strictly can be counterproductive.
This has particularly been the case where data that does not originate in France, or even within the EU, is processed in France and then immediately sent back to its country of origin: before this exemption came into force, this type of data-processing was still subject to filing with the CNIL (the French data protection authority).
This is based on article 5 of the French Data Protection Act, which itself derives directly from article 4(1)(c) of Directive 95/46/EC. The national law applies where “the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.”
There are two typical scenarios where this arises: an international group which has centralized its data processing in France, or a company based outside Europe which uses a French service provider to process its “non-European” data.
It is companies falling within this second category that are feeling a real “breath of fresh air” thanks to notification exemption (dispense de déclaration) n° 15, published by the CNIL in February 2011 (decision n° 2011-23 dated 20 January 2011, which grants an exemption for automated data processing carried out in France by service providers acting on behalf of a data controller established outside the EU and concerning personal data collected outside the EU).
The aim is to stop French service providers from being subject to an unnecessary burden. Under French legislation, non-European companies wishing to outsource certain non-European data processing were required to notify this to the CNIL, or even file an authorisation request, simply because their service provider was based in France. Such an obligation was, naturally, off-putting to many companies. The issue became even more sensitive with the advent of cloud computing and the use of servers in France.
From now on, data processing carried out in France by a service provider based in France (the text does not exclude the possibility that the service provider is a member of the same group, as long as it is not a “joint data controller”, as parent companies can sometimes be) is exempt from the requirement to notify the CNIL if the following requirements are met:
• the data controller must be established outside the EU;
• the purpose of the data processing must be either:
– to manage salaries, payroll and relations with bodies such as social security, as set out in exemptions 1 and 2;
– to manage human resources as set out in simplified notification norm (norme simplifiée) n° 46;
– to manage files for clients and potential clients as set out in simplified notification norm n° 48;
• the processing must not involve data other than that listed in the above-mentioned exemptions and simplified notification norms, subject however to any additional requirements under the law of the country of origin/destination;
• there may be no data recipients other than the following:
– the data controller who initially transferred the data to France;
– the service provider; and
– persons authorised by the data controller, provided that the data transfer is in the interests of the data subject.
Likewise, the transfer of the processed data back to the non-EU “country of origin” by the service provider does not require prior authorisation. There are, however, some grey areas in the text, for example where the country of origin/destination is not the same as that of the data controller, and where it may be difficult, at least under French law, to consider that the transfer is made in the interest of the data subject.
• The information notice that French law requires to be provided to the data subjects (employees and clients) need not be provided “if this would require disproportionate efforts”.
• EU model clauses are not required. However, the text provides (i) that there must be a signed contract imposing obligations concerning the security and confidentiality of the data, and (ii) that the service provider must act as a data processor (i.e. act only on the data controller’s instructions).
• Despite the exemption, the law nevertheless requires the data controller to appoint a legal representative in France.
In conclusion, even though the text provides a significant amount of flexibility, it is not meant to rule out French law. The exemption is strictly limited to certain types of processing, and it clearly indicates that French law remains applicable to the processing (for example, the requirement to appoint a representative in France). This seems consistent with the Article 29 Working Party’s views on applicable law (opinion n° 8/2010 dated 16 December 2010), which indicated that “there is a need to prevent situations where a legal gap would allow the EU being used as a data haven, for instance when processing activity entails inadmissible ethical issues”, even if it acknowledged that there should be scope for greater flexibility in “borderline cases” where data subjects and data controllers have “no link with the EU”.