What Impact Will the New French Data Processing Standard Have on eDiscovery?

March 24, 2016

Adrian Vasiliu

On January 28, the French data protection authority, CNIL, issued Single Authorization Decision No. 46 (AU-46), which governs how certain companies request permission to process personal data for litigation.

The French law governing the processing of personal data for judicial proceedings, the Law on Information Technology and Liberties, requires data controllers to obtain prior authorization for transfers from the CNIL, which can be a time-consuming, burdensome process. Under this law, data controllers must provide a slew of information, including the purpose(s) of the processing, the identity and the address of the data controller, any connections between databases, the personal data processed and the categories of persons affected, the retention period for the data, the department or person(s) in charge of implementing the processing, the recipients or categories of recipients of the personal data, and the security measures taken to protect the data. Then the data controllers must wait for the agency’s approval before transferring the data.

The new standard simplifies the process for qualifying companies to obtain permission to process personal data for disciplinary or court actions that are part of their regular business activities and the enforcement of those actions. To qualify, organizations must meet several conditions set forth in the standard relating to the types of personal data to be processed, the recipients of the data, data retention periods, and security measures. Qualifying companies can file a brief, one-page online self-certification agreeing to comply with the conditions and then quickly proceed with the data processing.

Unfortunately for U.S.-based organizations, AU-46 does not apply to cross-border transfers to countries that the European Commission has found to lack an adequate standard of data protection. AU-46 references neither the defunct Safe Harbor framework nor its replacement, the Privacy Shield. Therefore, many organizations are still relying upon binding corporate rules or standard contractual clauses for transfers of personal data to the United States as stopgaps until the new Privacy Shield is implemented. We will continue to monitor the status of the implementation and keep you updated.

Brian Allan is vice president, EMEA at Conduent. He can be reached at info@conduent.com.

What Impact Will the New French Data Processing Standard Have on eDiscovery?

Digital transformation of government technology and services enhances constituent experiences

Digital payments: More than just convenient

Creating connections in California: Sharing good news about secure payments for citizens

Adopting digital payments to avoid the “road less traveled”

Four ways digital payments can streamline your financial operations

Earth Day 2023: Reflecting on investing in our planet

Honoring legacies by embracing equity

ConduentCares, India: Sustainability efforts for our environment and communities

Why updating OMB race and ethnicity data standards matters for health equity

Three key strategies for small to mid-sized healthcare payers in the Medicare Advantage market

When Reducing Costs, Cutting Customer Experience Isn’t the Answer

Driving Toward Sustainable Cities: Enhancing accessibility and optimizing passenger flows

For telcos, simplifying convergence is the best way to deliver customer service excellence

Policy, engagement, families take center stage at National Child Support Enforcement Association 2023 Policy Forum

Podcast: Getting Total Rewards Right in an Evolving HR and Benefits Environment

From Bare Minimum to Enthusiastic – Ways to Engage Your Workforce

Engagement and Enthusiasm at NCSEA Policy Forum 2023

Conduent Transportation helps expand campaign to aid and assist vulnerable members of the public

A Season for Children

New Experiences and Familiar Faces at WICSEC 2022