On March 24, 2015, France’s Data Protection Authority (CNIL) issued a press release announcing the simplification of its data transfer policy. The new requirement will now allow companies to transfer data outside of the EU after going through just one authorization process. This change could foreshadow a new strategy for regulating international data transfers on a global scale.
Under the old process, the CNIL required companies to have binding corporate rules (BCRs) approved by data protection authorities. (BCRs are a set of corporate policies that regulate the internal transfer of personal data outside the EU to ensure that such transfers meet an adequate level of data protection.) However, after BCR approval, the company would then have to seek authorization for each data transfer out of the EU. The process was redundant and cumbersome because the same authorities reviewing the BCRs of a company would then have to review each and every data transfer by that same company.
With the new process, companies will only need to adopt BCRs, and then the CNIL will provide a single decision (“autorisation unique”) on data transfers, which will act as a global authorization. Once approved, companies will only need to file a “compliance commitment” for each transfer on the CNIL website. The CNIL has already started to contact companies that have adopted BCRs to begin this new process.
The CNIL’s new streamlined policy will encourage companies to adopt BCRs in order to take advantage of this simplified procedure. This development in France could be part of a larger trend to use BCRs for data protection regulations on a global scale. The same strategy could be implemented in the upcoming EU General Data Protection Regulation, which is expected to bypass the use of existing local data protection authorities. Countries outside of the EU are also looking at whether using the BCR policy could achieve the goals of expediting international data transfers while still maintaining robust data protection. Success in France could indicate a shift from the current U.S.-EU Safe Harbor provisions, which have been viewed as unsuccessful, to implementation of global BCRs.
Given this trend, any company that does business in the EU should start reviewing its BCR policies, especially if it is involved in litigation or regulatory investigations. Having a BCR policy in place will allow for the transfer of data subject to litigation and investigations out of France, marking a transition in the current EU data privacy laws and lessening the need to have data processed and hosted in the EU. In preparation, now would be a good time for companies to update their BCR policies to meet international standards.