CNIL – French Companies Must Be Compliant in Securing Transfer of Personal Data by End of January 2016

Following the recent Court of Justice of the European Union (CJEU) decision that invalidated Safe Harbor, the French data protection authority (CNIL) published an article entitled “Safe Harbor: What Should Businesses Do?” as well as a series of frequently asked questions. The article and the frequently asked questions acknowledge that the CJEU decision invalidated the European Commission’s decision on the adequacy protection provided by Safe Harbor and that the CNIL met with other data protection authorities within the Article 29 Working Party (29 WP) to (i) discuss the consequences of the CJEU ruling and (ii) draw up a joint action plan as a result of the invalidation.

In the meantime, it agreed with 29 WP that data controllers impacted by the decision must find an alternative means of securing the transfer of personal data by the end of January 2016, such as Binding Corporate Rules or EU Model Clauses. However, the CNIL pointed out that EU Model Clauses remain the most appropriate mechanism for those transferring personal data to the United States.

TIP: Companies engaged in the importation of personal information from France or exportation of personal information from France out of the EU should take note of this recent advice from the CNIL.