Wednesday, August 26, 2009

French Data Protection Authority Issues Guidelines on Personal Data Transfers Pursuant to U.S. Discovery Obligations [France]

On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.

According to the Guidelines, disclosure of personal data pursuant to foreign court proceedings must comply with applicable laws and treaties ratified by France, including the Hague Convention of March 19, 1970, which enables a contracting State to declare that it will not execute letters of request issued for the purpose of obtaining pre-trial discovery. In France, any judge receiving a letter of request from a foreign authority must verify that such a request is admissible under French law and, in particular, must refuse the request if it poses a threat to State sovereignty or security. In this respect, a French blocking statute (the July 27, 1968 Act) prohibits disclosure of any information of economic, commercial, industrial, financial or technical nature as part of foreign legal proceedings unless the disclosure complies with applicable treaties and laws. Any breach of this statute is punishable by imprisonment of six months and a fine of €18,000.
In addition, companies based in France that disclose documents containing personal data must also comply with the requirements of the French Data Protection Act of January 6, 1978, or risk heavy criminal sanctions for failing to do so. Data controllers are not required to file a specific “discovery” notification as long as their data processing activities have been regularly filed with the CNIL. Nevertheless, there must be a legal basis for any transfer of personal data to the U.S., and companies must notify the CNIL of such transfers. In some cases, the data controller may rely on the “establishment, exercise or defense of a legal claim” exception contained in Article 69.3 of the French Data Protection Act as a legal basis for a single and limited transfer of all relevant information relating to a particular litigation. Otherwise, the CNIL’s authorization is required for sizeable and frequent transfers of personal data that are based on an adequate safeguard (i.e., Safe Harbor, model clauses or binding corporate rules). Further, adequate safeguards must be put in place to cover onward transfers, such as when transferred data being stored in the U.S. are further disclosed to a judicial authority (i.e., court order) or to other third parties (e.g., model clauses or a letter of engagement to abide by the Safe Harbor principles).
More information on these Guidelines can be found (in French) at

No comments: