Hope for a fast(er) data transfer authorization process
According to the French Data Protection Act, data controllers cannot transfer personal data to a country that is not a member of the European community if that country does not provide a sufficient level of privacy protection.
However, the CNIL can authorize such a transfer where the processing guarantees a sufficient level of protection of individuals’ privacy as well as their liberties and fundamental rights, particularly on account of contractual clauses or internal rules relating to the processing.
Under the current act, requests for transfer authorizations must be examined individually by the CNIL in plenary sessions (17 commissioners), and must be authorized by an express deliberation. The ever-increasing number of applications clogs the CNIL agenda (7,115 requests per year, 395 authorizations granted in 2007). One can wait months to obtain an authorization, even for basic and non-sensitive data transfers.
Hence, a French bill called “simplification and clarification of the law; simplification of procedures,” proposes allowing the CNIL to grant its president the power to authorize data transfers. The basic conditions for allowing such transfers would remain unchanged.
This process, if approved, should relieve the congestion, as a decision of one will be faster to obtain than a decision of 17 who have many other functions to attend in addition to being CNIL commissioners.
The bill has already been adopted by the French National Assembly. It is now before the Sénat (second house of the French Parliament) and should be discussed soon.