Transfer of PII

Under the Law on Computer Technology and Freedom of 6 January 1978 (LIL) regime, any person that processes PII on behalf of the data controller is regarded as a processor. The processor may only process PII under the data controller’s instructions.

When a data controller outsources some of its processing or transfers PII concerning such processing to a sub-contractor (ie, a data processor), it must establish an agreement with that processor.

This agreement shall specify the obligations incumbent upon the processor as regards the obligation of protection of the security and confidentiality of the data and provide that the processor may act only upon the instruction of the data controller.

Restrictions on disclosure

Generally, there are no specific restrictions on the disclosure of PII other than the general data protection principles provided by the LIL.

Moreover, in the case of data covered by professional secrecy, the person in charge must ensure, before any disclosure, that it is possible to transfer such data (authorisation, organisation benefiting from a specific legislative provision).

Nevertheless, disclosure of sensitive PII such as health data is limited to certain institutions and professionals, unless the data controller has obtained a specific and express consent of the data subject for the disclosure of such PII.

Cross-border transfer

PII can be transferred freely to other countries within the European Economic Area, as well as to countries recognised by the European Commission as providing an ‘adequate level of data protection’.

Such transfers of PII from France are permitted to Canada (under certain conditions), Andorra, Argentina, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, Switzerland, Uruguay and New Zealand.

A controller or processor may transfer PII to other countries only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards may be provided for by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules approved by the National Commission for Data Protection and Liberties (CNIL);
  • standard data protection clauses model clauses designed by the European Commission to facilitate transfers of personal data from the European Union to all third countries, while providing sufficient safeguards for the protection of individuals’ privacy;
  • a code of conduct approved by the CNIL, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
  • a certification mechanism approved by the CNIL together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

Subject to CNIL authorisation, the appropriate safeguards may also be provided for, in particular, by:

  • contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions to be inserted into administrative arrangements between public authorities or bodies, which include enforceable and effective data subject rights.

However, in the absence of an adequacy decision or of appropriate safeguards as mentioned earlier, a transfer of personal data to a third country or an international organisation shall take place if:

  • the data subject has explicitly consented to its transfer after having been informed of the possible risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or
  • the transfer is necessary under one of the following conditions:
  • protection of the data subject’s life;
  • protection of the public interest;
  • to meet obligations ensuring the establishment, exercise or defence of legal claims;
  • consultation of a public register that is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
  • performance of a contract between the data controller and the data subject, or pre-contractual measures taken in response to the data subject’s request; or
  • conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject between the data controller and a third party.

Data controllers must inform data subjects of the data transfer and provide the following information:

  • the country where the data recipient is established;
  • the nature of the data transferred;
  • the purpose of the transfer;
  • categories of the recipients; and
  • the level of protection of the state concerned or adopted alterna- tive measures.

On 16 July 2020, the Court of Justice of the European Union invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU–US Data Privacy Shield framework (Case C-311/18). There is no transitional period.

The Privacy Shield was implemented to provide companies on both sides of the Atlantic with a mechanism to comply with data protec- tion requirements when transferring personal data from the European Union to the United States.

As a result, all internationally active companies in the European Union should closely review their data transfers to the US and examine whether they can carry out their data transfers to the US based on other mechanisms, such as the EU’s standard contractual clauses (SCCs).

Notification of cross-border transfer

The cross-border transfer must be approved by the CNIL when it is based on:

  • specific contractual clauses compared to the models established by the Commission concluded between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
  • provisions inserted into administrative arrangements between public authorities or public bodies, which include enforceable and effective data subject rights.
Further transfer

Restrictions on cross-border transfers apply to transfers from the PII owner based in France to a data processor outside the European Economic Area. Onward transfers are in principle subject to the restric- tions in force in the recipient’s jurisdiction. By exception, SCCs contain specific requirements for onward transfers.