Privacy & Cybersecurity Law Blog

On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques).

The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities.  The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities.  The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).

The Guidance provides concrete examples of international data transfers and offers practical solutions to data controllers who transfer personal data to data processors located in non-EU countries.  In particular, the Guidance addresses the following topics:

• Defining the roles of data controllers and data processors
• Applying the legal restrictions on transfers of personal data outside the EU to outsourcing activities
• Determining the responsibilities of data controllers and data processors
• Specifying the registration formalities for data transfers
• Supporting the efforts of countries that have established data protection regimes to help secure an adequacy decision from the EU Commission (e.g., Morocco, Tunisia)