The issue has been up in the air for a few years, but no one dared mention it too loudly for fear that it might come true.


Now that the CNIL has released its Decision n°2011-023 of January 20, 2011, it is live.


The decision provides that the French Data Protection Act must be interpreted as applying to data controllers located outside of the EU who elect to use a supplier based in France to process data coming from their country of origin. They are considered to be using data processing means on French territory (article 5 of the DP Act).


This interpretation leads to surprising consequences for a company that has no link whatsoever with France or the EU, e.g. a group from South East Asia that uses a French IT service provider who can access and process its client or employee database. This group, just because of its outsourcing choice, will suddenly fall within the realm of legislation totally foreign to it and will be bound by obligations it would not have had to follow had it resorted to a supplier based anywhere else in the world. For instance, absurd as it may seem, it will have to:


  • provide a data protection notice to its employees and clients;

  • give them access to their data if they make a request and grant them rights they would not have had under their own country's regulations;

  • notify the processing to the CNIL;

  • request from the CNIL an authorization to transfer back to Asia the clients’ and employees’ data.


In order to lighten the burden upon companies in this situation, the CNIL came up with an interesting solution: exempting them from notification formalities and considering that they could benefit from one of the data transfer exceptions provided in the Data Protection Act, as the processing presents little risk to the privacy of individuals.


The CNIL issued a general exemption for processing carried out for payroll purposes, HR management purposes and customer and prospect management purposes, provided that they meet some criteria laid down in the January 20 decision. In addition, the decision recalls that the privacy notice does not have to be given when it requires disproportionate efforts, pursuant to article 32 III of the DP Act.


The decision also recalls one of the provisions of the French DP Act applying to non-EU data controllers, who are required to appoint a representative in France.


It should be noted that on this issue, the French Data Protection Act does not differ from the EC Directive. The other EU Member States should therefore be led to the same conclusions as France. It will be interesting to see what solutions are found to give full meaning to the text of the directive and the implementation of national laws, while at the same time preserving the economic interests of European countries.
