French Privacy Office to Offer Multinationals Simpler, Faster Data Transfer Approval Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Rick Mitchell

March 26 — The French data protection authority (CNIL) plans to contact some 65 multinational companies to offer them a simpler, faster procedure for routine transfers of personal data outside the European Union using binding corporate rules (BCRs), a CNIL spokeswoman told Bloomberg BNA March 26.

Under France's 1978 Law on Information Technology and Liberties (78-17 of 1978 , updated in 2014), companies can transfer personal data outside the EU and European Economic Area (EEA) if the destination country is recognized by the EU as having adequate data protection or if the recipient is a U.S. company participating in the U.S.-EU Safe Harbor Program.

Such cross-border transfers are also permitted if governed by European Commission-approved model contractual clauses or CNIL-approved BCRs, which are binding internal privacy commitments that apply to data transfers within a multinational entity.

The Paris-based authority provided a link to a list of multinationals—including several major U.S. groups—that have already adopted BCRs in France and other EU member countries and that it plans to contact “in the coming weeks.”

For each participating multinational, the authority will define the content of single authorizations that will allow the simplification of formalities for transferring personal data outside the EU using BCRs, the spokeswoman said.

The French move to ease the use of BCRs comes about a year after the Article 29 Working Party of data protection officials from the 28 EU member states set out a plan for such a move.

‘Compliance Commitment Required.'

Once contacted by the CNIL, the multinational will have to fill in a “compliance commitment” form on CNIL's website declaring that its international data flows framed by the BCR comply with the single authorization granted to the group.

After that, the company's data controller will have to maintain an up-to-date list of each transfer, to be communicated to CNIL upon request, containing the:

• general purpose of each transfer;

• categories of data subjects affected by the data transfer;

• categories of personal data transferred;

• information on each data recipient, including company name, company group to which it belongs and type of BCR adopted; and

• country of establishment, categories of recipients and nature of the processing operated by the recipient.


The time it takes for the first single authorization to be granted will depend on how long the multinationals take to respond to the CNIL, the spokeswoman said, adding that companies could contact the CNIL by telephone if necessary.

About Two Months for Approval

Once the request is made, it will take about two months total for the authorization to take effect, including the time it takes for the CNIL plenary board to approve it and for it to be published in the Journal Officiel, she said.

She said that “previously, the organization had to wait about two months for approval for each transfer” via BCR. “Today, that's how long it will take to get approval for all transfers, including for human resources, suppliers and customers.”

“This is a real easing of formalities that is being offered to companies,” she added.

The spokeswoman said that during the approval phase, the BCRs can be in English, but once approved they must be available in French.

In a March 24 statement about the BCRs measure, the CNIL said noncompliance with French rules regarding transfers of personal data outside the EU risks fines up 300,000 euros ($327,578) and five years imprisonment.

Safe Harbor in Question

BCRs, and other alternative means of moving data from the EU, are important to U.S. companies because the European Commission, the EU's administrative arm, doesn't consider U.S. laws adequate to independently protect the privacy of personal data.

The use of BCRs to transfer data from the EU has taken on renewed interest in an environment where viability of the most-used transfer alternative, the U.S.-EU Safe Harbor Program, is being questioned by EU lawmakers over alleged abuses of its self-certification scheme.

The U.S.-EU Safe Harbor Program allows companies to transfer personal data outside the EEA if they self-certify their compliance with privacy principles similar to those found in the 1995 Data Protection Directive (95/46/EC).

The program is also under scrutiny at the European Court of Justice, the EU's top court.

To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Katie W. Johnson at

The list of multinationals that CNIL plans to contact is available at

The CNIL's French Web page about BCRs is at