• French Data Protection Authority Announces Increased Inspections for Compliance with French and European Union Data Privacy Requirements 
  • May 19, 2011
  • Law Firm: Gibson Dunn Crutcher LLP - Los Angeles Office
  • The French Data Protection Authority--La Commission Nationale de l'Informatique et des Libertés ("CNIL")--announced on April 26, 2011, that it intends to increase inspections of companies and organizations transferring data into and out of France to ensure compliance with French and European Union data privacy laws and regulations.  In its press release, CNIL emphasized that the inspections will have a specific focus on verifying that U.S. companies enrolled in the U.S.-EU Safe Harbor Program (who, by virtue of enrolling, have voluntarily committed to comply with EU privacy requirements) are, in fact, compliant. CNIL seeks to complete at least 400 inspections in 2011, which is 100 more than its 2010 goal.

    CNIL, an independent administrative authority tasked with "protecting privacy and personal data," has the legal authority to impose a wide range of sanctions for violations of French data privacy laws, including warnings, legal injunctions, or financial sanctions.  In its April 26 announcement, CNIL unveiled plans to inspect a broad range of data, with special emphasis on international data transfers, electronic tracking and behavioral analysis data, video surveillance, health data, and the practices of debt collectors and private detectives. These inspections will focus on ensuring that the collection and processing of data do not violate the privacy rights of French nationals.  For example, CNIL plans to perform inspections of systems that conduct behavioral analysis to ensure that such tracking does not violate individual privacy rights.

    This announcement is the most recent reflection of a European commitment to promote data privacy.  See e.g. EU Data Protection Directive 95/46/EC, 1995 O.J. (L281) (establishing rules for the European Union regarding "the processing of personal data" and "the free movement of such data").  France in particular has sought to limit the transfer of private information.

    CNIL obtains its authority to regulate data transfers from what is commonly referred to as the French Data Protection Act.  Law No. 78-17 of January, 6, 1978, J.C.P. 1978, III, No. 44692. The Act was originally passed in 1978, but was amended in 2004, following the passage of Directive 95/46/EC.  The 2004 amendments gave CNIL much greater authority to actively enforce French data privacy law, and CNIL has embraced that authority by actively increasing the number of inspections. See e.g. Francesca Bignami, Cooperative Legalism and the Non-Americanization of European Regulatory Styles: The Case of Data Privacy, 59 Am. J. Comp. L., 424-26, 441-44 (2011).  The recent announcement by CNIL to conduct 400 investigations in 2011 appears to be a continuation of that trend.

    Article 48 of the Data Protection Act authorizes CNIL to investigate any data processing operation occurring in France.  This means that even if a company is not regularly doing business in France, if a company is processing data, or is having its data processed in France, then the company is subject to French data privacy requirements.

    CNIL may conduct on-site inspections of "the places, premises, surroundings, equipment or buildings used for the processing of personal data for professional purposes." Art. 44(I).  The public prosecutor in the jurisdiction must be informed in advance. Id. If the individual in control of the premises to be inspected objects to the inspection, then CNIL must receive judicial authorization, by submitting a petition to a judge located in the jurisdiction where the investigation will occur. Art. 44(II).  The judge must engage in a "reasoned ruling," in accordance with Articles 493 through 498 of the New Code of Civil Procedure, to determine if the inspection will be authorized. Id.  If the judge authorizes the inspection, it must take place under the judge's supervision and the judge has the ability to suspend the inspection at any time. Id.

    If CNIL conducts an investigation of an organization and determines that it has violated a provision of the French Data Protection Act, under Article 45 it may issue a notice of the violation and provide the data controller with a specific deadline by which the violation must be remedied.  If the controller does not fix the problem, then CNIL may issue a fine of up to €150,000 for first-time offenders, and €300,000 for subsequent offenders. The largest fine issued to date is €100,000.  CNIL also has the option of issuing an injunction.  These sanctions will only be implemented after a data controller fails to comply with an order issued by CNIL.

    According to the 2009 CNIL Annual Activity Report, released in June 2010, the agency received 4,265 complaints of data privacy violations and conducted 270 investigations. Of these 270 investigations, 91 resulted in administrative orders instructing organizations to comply with data privacy requirements and 5 organizations were fined. See Bignami, supra, at 444.  CNIL has not yet released data for 2010. In 2008, 126 orders requiring that data controllers comply with French law were issued, and 9 fines were issued. Id.  Similarly, in 2007, 101 orders and 9 fines were issued. Id.

    Companies and individuals should exercise caution in transferring data out of France and other EU nations.  Sound compliance programs and attention to data privacy issues are important to avoid violations of applicable laws and regulations.