Archive for February, 2011

The IAPP quotes my article in its Daily Dashboard

Posted by fgilbert on February 17th, 2011

My commentary on the French CNIL’s new deliberation is referenced in the International Association of Privacy Professionals’ February 17 Daily Dashboard.
Click on the title for the link.

CNIL Exempts Foreign Based Companies From Filing Notifications With Respect to Certain Processing

Posted by fgilbert on February 16th, 2011

A “Deliberation” of the CNIL (French Data Protection Authority) published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023” should ease the burden on companies that have no operations in France and engage France-based subcontractors (or cloud service providers) to process their data on the French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the concerned individuals (employees or customers) are located outside of France.

Under the French Data Protection law, companies that intend to process personal data on the French territory must file with the French Data Protection Authority a “declaration” (i.e. notification) regarding their proposed processing of these data. In some cases, a company must obtain preliminary authorization to perform this processing. This obligation creates a significant burden for companies that otherwise are not established and do not have a physical presence on the French territory.

Under the Deliberation published on February 16, 2011, certain categories of data will be exempt from the requirement to file a “declaration” or request an authorization. The exemption applies specifically to three categories of activities: (i) processing of payroll; (ii) management of workforce; and (iii) management of databases of clients and prospects.

Only specific data and specific activities are exempt. The exemption covers only specific categories of personal data that are collected outside of France and that are used for the purposes above. The exemption applies only when data are returned to the data controller or another specified recipient, and the transfer to these third parties is for the benefit of the data subject and in connection with the purposes listed above (payroll, workforce management, etc.).

The exemption is very narrow and very limited. Only the requirement for declaration or request for authorization is lifted. The remaining obligations still apply. In particular, the Deliberation stresses that there must be a written agreement between the foreign data controller and the French-based data processor to ensure security and confidentiality of the data, and to require the processor not to use data other than as requested by the data controller.

Click here for the text of the Deliberation as published in the Journal Officiel (pdf).

Israel Data Protection Law found to provide “adequate protection”

Posted by fgilbert on February 1st, 2011

In a decision made public on February 1, 2011, the European Commission has determined that the data protection regime in Israel is adequate under the 1995 EU Data Protection Directive. The adequacy determination applies only to data in automated databases. The data protection law of Israel does not apply to data in manual databases. Thus, for these data, the data protection law of Israel will be deemed adequate only to the extent that data in manual databases are transferred to automated databases in Israel.

The Commission decision is available at (pdf download):

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:027:0039:0042:EN:PDF