May 11, 2011
The French Data Protection Authority–La Commission Nationale de l’Informatique et des Libertés ("CNIL")–announced on April 26, 2011, that it intends to increase inspections of companies and organizations transferring data into and out of France to ensure compliance with French and European Union data privacy laws and regulations. In its press release, CNIL emphasized that the inspections will have a specific focus on verifying that U.S. companies enrolled in the U.S.-EU Safe Harbor Program (who, by virtue of enrolling, have voluntarily committed to comply with EU privacy requirements) are, in fact, compliant. The press release, setting forth the goals of the inspections, is available here (in French). CNIL seeks to complete at least 400 inspections in 2011, which is 100 more than its 2010 goal.
CNIL, an independent administrative authority tasked with "protecting privacy and personal data," has the legal authority to impose a wide range of sanctions for violations of French data privacy laws, including warnings, legal injunctions, or financial sanctions. In its April 26 announcement, CNIL unveiled plans to inspect a broad range of data, with special emphasis on international data transfers, electronic tracking and behavioral analysis data, video surveillance, health data, and the practices of debt collectors and private detectives. These inspections will focus on ensuring that the collection and processing of data do not violate the privacy rights of French nationals. For example, CNIL plans to perform inspections of systems that conduct behavioral analysis to ensure that such tracking does not violate individual privacy rights.
This announcement is the most recent reflection of a European commitment to promote data privacy. See e.g. EU Data Protection Directive 95/46/EC, 1995 O.J. (L281) (establishing rules for the European Union regarding "the processing of personal data" and "the free movement of such data"). France in particular has sought to limit the transfer of private information. (For a discussion of how the French courts have addressed data privacy concerns related to U.S. litigation, please see an earlier Gibson Dunn client alert, available here.)
CNIL obtains its authority to regulate data transfers from what is commonly referred to as the French Data Protection Act. Law No. 78-17 of January, 6, 1978, J.C.P. 1978, III, No. 44692. The full statutory text is available here. The Act was originally passed in 1978, but was amended in 2004, following the passage of Directive 95/46/EC. The 2004 amendments gave CNIL much greater authority to actively enforce French data privacy law, and CNIL has embraced that authority by actively increasing the number of inspections. See e.g. Francesca Bignami, Cooperative Legalism and the Non-Americanization of European Regulatory Styles: The Case of Data Privacy, 59 Am. J. Comp. L., 424-26, 441-44 (2011). The recent announcement by CNIL to conduct 400 investigations in 2011 appears to be a continuation of that trend.
Article 48 of the Data Protection Act authorizes CNIL to investigate any data processing operation occurring in France. This means that even if a company is not regularly doing business in France, if a company is processing data, or is having its data processed in France, then the company is subject to French data privacy requirements.
CNIL may conduct on-site inspections of "the places, premises, surroundings, equipment or buildings used for the processing of personal data for professional purposes." Art. 44(I). The public prosecutor in the jurisdiction must be informed in advance. Id. If the individual in control of the premises to be inspected objects to the inspection, then CNIL must receive judicial authorization, by submitting a petition to a judge located in the jurisdiction where the investigation will occur. Art. 44(II). The judge must engage in a "reasoned ruling," in accordance with Articles 493 through 498 of the New Code of Civil Procedure, to determine if the inspection will be authorized. Id. If the judge authorizes the inspection, it must take place under the judge’s supervision and the judge has the ability to suspend the inspection at any time. Id.
If CNIL conducts an investigation of an organization and determines that it has violated a provision of the French Data Protection Act, under Article 45 it may issue a notice of the violation and provide the data controller with a specific deadline by which the violation must be remedied. If the controller does not fix the problem, then CNIL may issue a fine of up to €150,000 for first-time offenders, and €300,000 for subsequent offenders. The largest fine issued to date is €100,000. CNIL also has the option of issuing an injunction. These sanctions will only be implemented after a data controller fails to comply with an order issued by CNIL.
According to the 2009 CNIL Annual Activity Report, released in June 2010, the agency received 4,265 complaints of data privacy violations and conducted 270 investigations. Of these 270 investigations, 91 resulted in administrative orders instructing organizations to comply with data privacy requirements and 5 organizations were fined. See Bignami, supra, at 444. CNIL has not yet released data for 2010. In 2008, 126 orders requiring that data controllers comply with French law were issued, and 9 fines were issued. Id. Similarly, in 2007, 101 orders and 9 fines were issued. Id.
Companies and individuals should exercise caution in transferring data out of France and other EU nations. Sound compliance programs and attention to data privacy issues are important to avoid violations of applicable laws and regulations. Gibson Dunn’s practice groups in Electronic Discovery and Information Law, and Information Technology and Data Privacy, advise clients regarding these issues. In particular, our European attorneys advise on EU-wide data privacy issues on a range of matters including advice at the EU policy level. The practice groups include attorneys in Germany, France, Belgium and the UK who have expertise not only on relevant data protection national laws in their home states, but who also experience in coordinating pan-European advice projects where it is necessary for clients to understand the differences between the legislation implemented in each EU member state and the differing attitudes of national regulators towards enforcement.
Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you work, any of the following, or any member of the firm’s Electronic Discovery and Information Law Practice Group or Information Technology and Data Privacy Practice Group.
S. Ashlie Beringer – Palo Alto (650-849-5219, email@example.com)
Gareth T. Evans – Los Angeles/Orange County (213-229-7734, firstname.lastname@example.org)
G. Charles Nierlich – San Francisco (415-393-8239, email@example.com)
Jennifer H. Rearden – New York (212-351-4057, firstname.lastname@example.org)
M. Sean Royall – Dallas (214-698-3256; email@example.com)
Alexander H. Southwell – New York (212-351-3981, firstname.lastname@example.org)
Debra Wong Yang – Los Angeles (213-229-7472, email@example.com)
James Barabas – London (+44 20 7071 4253, firstname.lastname@example.org)
James A. Cox – London (+44 207 071 4250, email@example.com)
Andrés Font Galarza – Brussels (+32 2 554 7230, firstname.lastname@example.org)
Bernard Grinspan – Paris (+33 1 56 43 13 00, email@example.com)
Daniel E. Pollard – London (+44 207 071 4257, firstname.lastname@example.org)
Michael Walther – Munich (+49 89 189 33-180, email@example.com)
Mark Zimmer – Munich (+49 89 189 33-130, firstname.lastname@example.org)
© 2011 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice