Data Privacy & Transfer in Investigations

Last verified on Thursday 30th September 2021

Data Privacy & Transfer in Investigations: France

Dan Benguigui and Laurie-Anne Ancenys

Allen & Overy LLP

SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

France

The following laws and regulations provide rules governing the collection and processing of personal data:

  • The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction; and
  • Act No. 78-17 dated 6 January 1978 on information technology, data files and civil liberties (the French Data Protection Act) (as modified).

A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation. 

Regarding cross-border investigations, the GDPR provides for a cooperation mechanism between the European supervisory authorities in cross-border cases, known as the “one-stop shop”, whereby the supervisory authority for the main establishment of the controller in the EU is the sole authority for monitoring and ensuring compliance by that controller throughout the EU.

More particularly, if during an investigation or the examination of a complaint the personal data processing is identified as cross-border, European cooperation is instigated. In this regard, processing is considered cross-border if one of the following situations exists:

  • data processing is carried out by an organisation with several undertakings in two or more European states; or
  • data processing is carried out by a company established in a single state, but substantially affects individuals in more than one member state.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

France

Under French law, data sharing in the context of an investigation may be restricted, principally, by four other statutes, the violation of which may be subject to criminal or regulatory sanctions and may give rise to civil litigation risks:

  • Laws relating to banking secrecy (eg, article L511-33 of the French Monetary and Financial Code);
  • Law No. 68-678 dated 26 July 1968, as amended, governing the request, research or disclosure of information of an economic, commercial, industrial, financial or technical nature, with a view to establishing evidence in foreign judicial or administrative proceedings or in relation thereto (the Blocking Statute);
  • Law No. 2018-670 dated 30 July 2018, dealing with the protection of business secrets; and
  • Law No. 71-1130 dated 31 December 1971, article 66-5 of which establishes a professional secrecy covering legal advice, meeting notes and any correspondence between a French lawyer and his client, including emails.

In addition, from an employment law standpoint, using an employee’s data (emails, files) marked as “personal” or “private” is prohibited in principle.

For files, an exception exists where (i) access is performed with the employee present or duly convened, or (ii) in the case of a “particular risk or event”. However, the latter exception only covers exceptional circumstances, and French courts construe it very narrowly, requiring an absolute emergency for the employer to access the information.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

3. What constitutes personal data for the purposes of data protection laws?

France

The GDPR defines “personal data” as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

Data that is irreversibly anonymised will not be “personal data” for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if re-identification of the individuals to whom the data relates remains possible by reasonably available means. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

The GDPR only applies to natural living persons. It does not cover legal persons.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

France

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed.

However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

The GDPR applies to “processing”, which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

The territorial scope of the GDPR is set out at article 3, which provides that it applies to:

  • data controllers and data processors that process personal data in the context of the activities of an EU establishment, regardless of whether the data processing takes place in the EU;
  • non-EU data controllers and data processors with no EU establishment that either (i) offer goods or services to individuals in the EU, regardless of whether they receive payment; or (ii) monitor their behaviour that takes place in the EU; and
  • data controllers not established in the EU but where the national law of an EU member state applies because of international law.

In addition to the GDPR, the French Data Protection Act shall apply to the automatic processing of personal data as well as to the non-automatic processing of personal data that are or may be contained in a personal data filing system, with the exception of processing carried out for the exercise of exclusively private activities, where the data controller meets the following territorial conditions:

  • the personal data processing is carried out as part of the activities of an establishment of a data controller or a data processor on the French territory, whether or not the data processing takes place in France; and
  • in circumstances where the GDPR refers to national law to adapt or complete the rights and obligations of the GDPR, the French Data Protection Act applies when the data subject lives in France, including when the data controller is not established in France.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

France

The GDPR imposes a number of obligations that must be complied with whether or not processing takes place in the context of an investigation.

Notably, the controller must consider the following key principles when processing personal data:

  • inform the data subjects about how their personal data is being used (transparency);
  • make sure that the use of personal data is proportionate to the purposes of the investigation (data minimisation);
  • establish the appropriate legal basis for the processing of personal data (lawful basis);
  • if relevant, determine whether the processing covers a “special category” of personal data (ie, sensitive personal data that may require taking additional measures);
  • if personal data is transferred to a third party, ensure such transfers are governed by an agreement that includes all the requirements set forth in article 28 of the GDPR; and
  • if personal data is transferred to a third country outside the European Economic Area (EEA), ensure the third country offers an adequate level of protection or otherwise take appropriate safeguards (eg, standard contractual clauses).

In the event data controllers are asked to answer requests by authorities because they are required to do so by law, they must ensure they still fully comply with the GDPR requirements. In this case, the ‘legal obligation’ basis for processing personal data may be relevant when providing data to authorities. However, such disclosure should only occur to the extent necessary to comply with the legal obligation, and can only be established where a clear and binding legal obligation exists, under EU law or French law.

Further, in the specific case of investigations led by authorities, article 23 GDPR allows member states to derogate from the transparency obligation and data subject rights where this is for the purposes of an investigation of criminal offences or of breaches of ethics in regulated professions. EU law or member state law allowing authorities to access personal data must contain specific provisions to this effect. In particular, it must set out, among other elements, the purposes of the processing, the scope of the restrictions to the GDPR introduced by the measure, the safeguards introduced to prevent abuse or unlawful access or transfer, and the controllers who may rely on the restrictions.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

France

A company may carry out an internal investigation, and therefore process personal data, if it can first establish that the investigation rests on a lawful basis as required under the GDPR (article 6). More particularly, processing can lawfully occur if it is based on one of the following legal bases: (i) consent; (ii) contract; (iii) legal obligation; (iv) vital interests; (v) public task; and (vi) legitimate interests.

The appropriate legal basis may vary depending on the objective of the investigation, the categories of data subjects affected and the nature of the data at stake. For instance, the company could likely base such processing on the existence of a legal obligation or the pursuit of legitimate interests. Consent is unlikely to be a valid ground, as requiring consent in the employment context would create an imbalance between the employee and the employer.

Further, if the internal investigation also concerns special categories of personal data (eg, health data, race, political opinions), additional restrictions apply, as a company may only process sensitive data if it can rely, along with the appropriate legal basis, on one of the exemptions provided for by the GDPR (article 9(2)). For example, a company may process sensitive data to the extent necessary for the establishment, exercise or defence of legal claims.

In addition to establishing a proper legal basis, a company carrying out an internal investigation must comply with the other GDPR requirements, ie, the general principles of data processing (eg, lawfulness, fairness and transparency, purpose limitation, data minimisation), and it should attentively assess whether the processing carried out is limited to what is necessary, adequate and relevant. The company must also, as a data controller, comply with the related obligations (ie, provide proper information to data subjects, conduct a data protection impact assessment where necessary, establish appropriate records of processing activities, ensure compliance with the data protection by design and by default principles and set up appropriate technical and organisational measures).

In undertaking the internal investigation, the company must make sure to comply, at all steps, with the accountability principle and be able to prove that the internal investigation was performed in compliance with the GDPR requirements. The company must comprehensively document the legal considerations and technical and organisational safeguards implemented for conducting the investigation.

In the event a third party assists a company in conducting an internal investigation, ie, if personal data is transferred to a third party outside the company in furtherance of the investigation, the third party must also comply with the requirements of the GDPR.

If the third party is an external provider acting as a processor on behalf and under the instructions of the company (ie, the controller), the personal data may be shared provided the parties have entered into a data processing agreement or other legal act under European Union or member state law reflecting the requirements of the GDPR (article 28). Such agreement must set out, among other information, the subject matter, duration, nature and purpose of the processing, as well as the type of personal data and categories of data subjects concerned, the rights of the controller and certain specific contractual obligations.

If the third party is acting as a controller, the company must carefully assess whether and on what basis the personal data can be shared, as well as the appropriate safeguards that have to be implemented. Additionally, if the transfer of personal data involves an international transfer to a third country outside the EEA, the parties must take adequate measures to ensure an adequate level of protection exists in the third country or otherwise implement safeguards (eg, standard contractual clauses).

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

France

The consent of the data subject is one legal basis for the processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.

There is no prescribed form for consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

Consent can be obtained through a website or other electronic means.

In the case of sensitive data, where consent is relied upon to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

France

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data solely in reliance on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that it is not possible to contract out of), which would be difficult to manage in the context of the investigation.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

France

In the vast majority of processing operations carried out in the workplace, the employee’s consent cannot serve as a legal basis for the processing carried out as it is not freely given because of the inherent imbalance between the parties resulting from the subordination relationship between the employee and the employer.

Therefore, in most cases, the employer will likely not be able to rely on the employee’s consent to use their data, including in investigations carried out by employers.

However, this may be different where the processing grants a legal or economic advantage to the employee, where both the employee and the employer have similar interests in the processing operations or where it is in the interest of the wider community (eg, attempting to prevent criminal activities or fraud, upholding legal duties, etc). In these situations, consent may not be required, as the processing would be based on legitimate interest rather than consent. The employer should carry out and document a balancing assessment of the interests at stake if processing is performed on this ground.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

France

The way in which the data subject gives consent can vary, as long as the consent request is presented in a clear and concise way, uses language that is easy to understand, and is clearly distinguishable from other information.

In any case, the consent request must satisfy four cumulative criteria for consent to be validly given. The consent must be:

  • free, ie, consent cannot be coerced or influenced. The data subject must be offered a real choice, without suffering negative consequences in the event of refusal;
  • specific (ie, consent must correspond to a single processing operation, for a specific purpose);
  • informed (ie, consent must be accompanied by certain information communicated to the data subject before he or she consents), including:
    • the identity of the controller;
    • the purposes for which the data are being processed;
    • the categories of data collected;
    • the existence of a right to withdraw consent, which must be as easy to exercise as giving consent; and, depending on the case,
    • the fact that the data will be used for automated individual decisions or that it will be transferred to a third country outside the EEA; and
  • unambiguous (ie, consent must be given by a statement or other clear affirmative act).

Whether consent given in advance such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and is therefore invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid for this reason.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject. Similarly, pre-checked or pre-activated boxes, or inaction from the data subject are not valid methods for obtaining consent.

The controller should also consider the requirement for consent to the processing for sensitive data to be explicit.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

France

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request. The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide the data subject with a copy of the personal data when requested to do so.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, it must also inform the data subject of the reason why, of their right to lodge a complaint with the relevant supervisory authority and of their right to seek a judicial remedy.

Right to rectification and erasure

Data subjects have the right to request the rectification of any inaccurate personal data relating to them and to have the controller complete any incomplete data, including by way of a supplementary statement. There is an obligation on the controller under the GDPR to ensure the personal data it keeps is accurate.

Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes situations in which the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

Data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.

Data subjects also have a right to obtain a restriction of processing from the controller where they believe the relevant personal data are inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the concerned data subject can require the controller to limit the processing to what is required in the context of legal proceedings.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

France

Organisations sometimes rely on third parties to assist with investigations, and those third parties need access to personal data to perform their mission.

In this event, and where they are established in the EU or process EU data subjects’ personal data, third parties are usually data processors when they act on behalf and under the authority of the organisations acting as data controllers. In that respect, they must enter into a data processing agreement or other legal act under EU law or member state law, setting out each party’s obligations in order to comply with the requirements of the GDPR.

The contract entered into between the data processor and the data controller must provide that the processor will:

  • list in writing the controller’s instructions bearing on the processing of its data, to demonstrate that the processing occurs only “on documented instructions from the controller”;
  • ask the controller for written authorisation if the processor engages a sub-processor;
  • provide the controller with all necessary information for demonstrating compliance with the processor’s obligations and for enabling the performance of audits;
  • maintain a record of the processing carried out on behalf of the controller;
  • provide the controller with the necessary guarantees that the processing carried out meets the requirements of the GDPR;
  • guarantee the security of the data processed (eg, notify the controller of any breach of its data, implement appropriate organisational and technical measures, etc);
  • inform the controller if the processor is of the opinion that an instruction from the controller infringes the rules governing data protection;
  • assist the controller, to the extent possible, in responding to requests from data subjects exercising their rights; and
  • assist the controller in guaranteeing compliance with the obligations regarding security of processing, notification of a data breach and data protection impact assessments.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

France

A transfer of personal data to a third-party law firm for the purposes of obtaining legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.

Data protection laws do not provide restrictions on individuals for sharing data with law firms in order to obtain legal advice. Hence, clients are allowed to share personal data that is relevant to a particular matter or representation with their lawyer, especially since the information received by the lawyers in furtherance of obtaining legal advice is covered by the professional secrecy rules governing the client-lawyer relationship.

To this extent, as soon as law firms obtain such data from their clients, it is their responsibility, as data controllers, to ensure compliance with the requirements of the GDPR.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

France

Law firms collect, store and use personal data about their clients or about individuals who work within the firms. More particularly, law firms typically collect different kinds of personal data for various reasons, which can be (i) employee data; (ii) data about prospects and about current clients; (iii) data from third parties that may be relevant to representation and (iv) data received from clients themselves in the context of representation.

The Article 29 Working Party has taken the position that a lawyer acts as a data controller if the lawyer plays a leading role in performing his or her engagement, which requires that lawyer to determine the purposes and means of processing. Similarly, the National Commission for Informatics and Freedoms (CNIL) considers that in the context of the management of litigation cases, lawyers act as data controllers (ie, they act independently in the exercise of their missions and implement the processing of personal data accordingly). Law firms also act as data controllers when entering into agreements with processors who process data on their behalf (eg, accountants, software publishers, hosting providers).

Law firms must comply with the following:

  • collect data fairly and lawfully and for a specific, explicit and legitimate purpose; the data must also be adequate, relevant and limited to what is necessary;
  • keep data for no longer than necessary for the purposes for which they were collected;
  • inform data subjects of why and how their personal data are being collected, either through specific mentions in fee arrangements, on their website, on data collection forms used within the firm or in contracts, if they are acting as controllers;
  • inform the individuals whose data are being collected of their rights (right of access, right to erasure, right to portability, etc) and respond to their requests within one month; this period may be extended to two months, taking into account the complexity and number of requests;
  • ensure compliance with security obligations by implementing appropriate technical and organisational measures, especially if they collect special categories of data or data relating to criminal offences or convictions;
  • take appropriate safeguards, such as entering into standard contractual clauses, to ensure a sufficient level of data protection, and informing data subjects in the event of cross-border personal data transfers outside the EU;
  • appoint a data protection officer depending on the size and sector of activity of the law firm, especially in the event the core business activity would require regular and systematic monitoring of data on a large scale or consist in the processing of sensitive data or data relating to convictions or offences on a large scale (which would unlikely be the case for most law firms);
  • keep a register of the data processing carried out when they act as data controllers. This obligation does not apply to law firms with fewer than 250 employees, unless the processing they carry out is likely to involve a risk with regard to the rights and freedoms of the persons concerned;
  • carry out an impact analysis before any implementation of a processing operation when it would likely result in high risk to the rights and freedoms of natural persons (which would unlikely be the case for most law firms); and
  • comply with the accountability principle by demonstrating compliance with each of the abovementioned principles.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

15. What is the position and status of legal process outsourcing firms under data protection laws?

France

Legal process outsourcing firms are generally characterised as data processors of the law firms who are in the position of data controllers because they only follow the specific instructions and are under the control of those law firms in performing their missions.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

France

There are no additional requirements, beyond those specified above, that regulate the disclosure of data to third parties in France.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

France

The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction.

Outside the EEA

Personal data subject to the GDPR may not be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data, appropriate safeguards are put in place, or one of the derogations described below applies.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data, and so a transfer can be made to such countries without further safeguards. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the United Kingdom (under the adequacy decisions adopted on 28 June 2021) and Uruguay.

Alternatively, the controller (or processor) acting as exporter may put in place appropriate safeguards under article 46 of the GDPR, in particular by:

  • entering into standard contractual clauses adopted by the European Commission; or
  • for transfers within the same group, adopting binding corporate rules approved by the competent supervisory authority.

The European Commission had also issued an adequacy decision covering recipients registered under the EU-US Privacy Shield framework in respect of their handling of personal data. However, in the Schrems II judgment of 16 July 2020 (Case C-311/18), the CJEU held that adequacy decision to be invalid, and so data transfers can no longer be made to the US on the basis of the EU-US Privacy Shield.

In the same judgment, the CJEU upheld the validity of the standard contractual clauses but held that they offer only a contractual level of protection, which binds the parties and not the authorities of the third country, and that they may only be relied on where that protection is not undermined in the particular circumstances of the transfer. This means that exporters looking to rely on standard contractual clauses must assess, on a case-by-case basis, whether the law and practice of the destination country would prevent the importer from complying with the clauses and, if so, whether supplementary measures can remedy the identified deficiency and ensure an essentially equivalent level of protection.

Accordingly, on 4 June 2021 the European Commission adopted modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA. These new clauses replace the sets adopted in 2001, 2004 and 2010 under Data Protection Directive 95/46/EC; the old sets can no longer be used for new contracts since 27 September 2021 and must be replaced in existing contracts by 27 December 2022. The new clauses are built as modules that the parties select and complete depending on the circumstances of the transfer (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller).

Further, in light of the Schrems II judgment, companies transferring personal data outside the EU must now, when implementing an international data transfer mechanism:

  • assess the law and practice of the third country to which the personal data will be transferred (a transfer impact assessment), in particular as regards access to data by public authorities; and
  • if necessary, implement supplementary measures (contractual, organisational or technical, such as encryption where the importer does not hold the keys) to ensure an adequate level of protection for the personal data in the third country.

The European Data Protection Board (EDPB) has published Recommendations 01/2020 on measures that supplement transfer tools (including standard contractual clauses) to ensure compliance with the EU level of protection of personal data; the final version was adopted on 18 June 2021.

Data can otherwise be transferred if one of the following derogations, among others, applies:

  • the data subject has explicitly consented to the transfer after having been informed of the possible risks of such a transfer (as noted above, consent must also be freely given, specific, informed and unambiguous);
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;  
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;  
  • the transfer is necessary for important reasons of public interest;  
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or  
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above is available, a transfer to a third country may still take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards for the protection of the personal data. This residual ground may only be relied upon where no adequacy decision, appropriate safeguards or other derogation is available. The controller must inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 of the GDPR, must inform the data subject of the transfer and of the compelling legitimate interests pursued. Given these conditions, this derogation is unlikely to be of practical use in the context of an investigation.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

France

Yes. Article 49 of the GDPR sets out a list of derogations under which international transfers of personal data can take place in the absence of an adequacy decision or appropriate safeguards. It notably covers transfers that are necessary for important reasons of public interest (article 49(1)(d)) and transfers that are necessary for the establishment, exercise or defence of legal claims (article 49(1)(e)); both can provide grounds for international transfers of personal data in connection with investigations.

The EDPB Guidelines 2/2018 on derogations of article 49 under Regulation 2016/679 underline that the former applies only where it can also be inferred from EU law, or from the law of the member state to which the controller is subject, that the data transfers in question are authorised for public interest purposes, "in the spirit of reciprocity for international cooperation". As such, an international agreement or convention binding the EU or a member state that provides for international cooperation to promote a certain objective can indicate the existence of a public interest justifying a transfer of personal data to a third country. The nature of the organisation transferring or receiving the data (public, private or international organisation) is irrelevant to whether the derogation is available.

With regard to the latter, the same guidelines provide that international transfers can be made only where they are occasional and necessary for the purposes of a specific procedure, for example a criminal or administrative investigation in a third country, formal pre-trial discovery in civil litigation, or obtaining the reduction or waiver of a fine legally foreseen (eg, in anti-trust investigations). This derogation can also apply to activities carried out by public authorities in the exercise of their public powers. In any event, the international data transfer in question must be closely linked to a specific procedure or investigation, and controllers and processors must take into account any "blocking statute" (in France, Law No. 68-678 of 26 July 1968, as amended) that forbids or restricts them from transferring data to a third country.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

France

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 of the GDPR. 

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

France

The provisions applying to cross-border data transfer generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

Any disclosure of personal data to an overseas regulator or law enforcement authority engages the first data protection principle, namely that processing must be lawful, fair and transparent (article 5(1)(a) of the GDPR, including the requirement to establish a legal basis under article 6), as well as the restrictions on cross-border transfers of personal data.

A transfer of personal data to an overseas regulator or law enforcement authority may breach this principle on the basis that it is not a purpose about which the data subjects have been sufficiently informed. The GDPR exempts a controller from providing a privacy notice where this proves impossible or would involve disproportionate effort, but that exemption is available only for data not obtained directly from the data subject (article 14(5)(b)) and is interpreted narrowly.

The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

The transfer may lack a legal basis, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:

  • the consent of each affected data subject to the disclosure and transfer (article 6(1)(a)). However, as noted above, this can be problematic, as consent can be withdrawn at any time and, in the case of sensitive data, must be explicit;
  • that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances (in practice, invoked through the legitimate interests basis under article 6(1)(f), and as the condition in article 9(2)(f) where sensitive data is involved);
  • that the processing is necessary for the legitimate interests of the controller, provided those interests are not overridden by the interests or fundamental rights of the data subjects (article 6(1)(f)); or
  • that the processing is necessary for the performance of a task carried out in the public interest (article 6(1)(e)). Note that under article 6(3) such a task, like a legal obligation under article 6(1)(c), must be laid down by EU or member state law, so an obligation arising only under the law of a third country does not in itself qualify.

The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

Article 48 of the GDPR provides that, without prejudice to other grounds for international transfers, a decision from a third-country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: “In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

France

The recipient of such a request may consider taking the following steps, among others:

  • consider if there is a legal obligation to respond to the request and, if so, to what extent;  
  • seek further information in writing from the requesting regulator to evaluate the purpose of the request;  
  • if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;  
  • in accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;  
  • consider whether it is practicable to obtain data subject consent and/or give a further privacy notice;
  • put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor); and
  • consider whether the data can be obtained through an MLAT or other international agreement instead: in some cases it may be possible to ask the requesting court or regulator to route its request through such a channel.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

France

Administrative fine

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR (article 83(2)) lists the factors to be considered when imposing fines, such as the nature, gravity and duration of the infringement. The amount of the fine will also depend in particular on the degree of cooperation with the supervisory authority to remedy the infringement, and on any measures taken to mitigate the adverse effects of the infringement.

Other material sanctions

Where an inspection reveals infringements of the applicable data protection rules, the CNIL may also issue (i) a warning; (ii) a formal order to comply with the applicable rules; (iii) a temporary or definitive restriction of processing; (iv) a suspension of data transfers; and (v) an order to fulfil the requests of a data subject exercising his or her rights.

In addition, every above-mentioned sanction can be made public and would therefore trigger reputational damage.

Criminal sanctions: infringing the French data protection legislation may also give rise to criminal sanctions under the French Penal Code (ie, up to five years' imprisonment and a fine of up to €300,000 for an individual, and a fine of up to €1.5 million for a legal entity). In practice, criminal sanctions remain largely theoretical: to our knowledge, there have been very few criminal proceedings based on the French data protection legislation.

Group action: a group action may be brought before a civil court or the competent administrative court, under certain conditions, to (i) put an end to a breach, (ii) establish the liability of the company that caused the damage in order to obtain compensation for the material and moral damage suffered, or (iii) both.

Civil claim

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys

RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

France

  • EU General Data Protection Regulation (2016/679): https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
  • EDPB Guidelines 2/2018 on derogations of article 49 under Regulation 2016/679: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf

Answer contributed by Dan Benguigui and Laurie-Anne Ancenys
