Law stated as at: 28 June 2007
The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), imposed a fine of €30,000 on Tyco Healthcare France, the French subsidiary of a US-based multinational that manufactures medical equipment. The company was sanctioned for unlawful cross-border transfers of human resources data.
In 2004, TYCO notified the CNIL that it was operating a human resources database containing personal data collected for the vaguely stated purpose of "managing careers of international employees".
Several times in 2005, the CNIL asked TYCO for further information essential to its examination of the processing, in particular a precise description of the purposes pursued, the specific situations in which personal data were transferred from France to the USA, the exact location of the servers, and the identity of the recipients of the data.
The CNIL found the information provided by TYCO neither satisfactory nor sufficient.
TYCO then assured the CNIL that the database was no longer in use.
An on-site inspection of TYCO's premises by the CNIL in 2006 showed the opposite: the database, covering 450 employees, was still maintained and regularly updated, and it was used more extensively than the company had originally indicated.
The CNIL noted in its decision dated December 14, 2006 that TYCO "obviously did not measure the seriousness of the failures which were reproached to it and which constitute a penal offence of impediment".
Indeed, it is one thing for a company to be reluctant to submit to supervision, and quite another to provide erroneous information and thereby behave in an unacceptable manner.
The offence of impediment is provided for by article 51 of the French Data Protection Act of 6 January 1978, which states that "a penalty of one year of imprisonment and a fine of €15,000 is applicable to impeding the action of the CNIL: [...] 3° By giving information that does not correspond to the content of the records existing at the time of the request or that does not present the content in a form that is directly accessible". The criminal fine provided for by the law is therefore lower than the administrative fine pronounced by the CNIL in the TYCO case.
The TYCO sanction is nonetheless lawful, since article 47 of the same law allows the CNIL to impose on a data controller who does not comply with the law a financial penalty of up to €150,000 for a first breach, and up to €300,000 for a second breach within five years of the date of the preceding financial penalty.
The CNIL thus remained well below its statutory maximum, and the TYCO sanction, which appears severe at first sight, is in fact rather lenient.
More generally, the TYCO case raises the issue of the export of personal data from the EU to the USA.
Pursuant to Directive 95/46/EC, a transfer of personal data from the EU to a third country may only take place if the third country in question ensures an adequate level of data protection. The United States has not been recognised as such a country.
US corporations must therefore be very cautious when exporting their employees' personal data from the EU to the US, all the more so because EU data protection law applies even to transfers between two companies of the same corporate group.
US corporations can preserve their cross-border data flows in one of three ways: by certifying adherence to the Safe Harbor principles, which the European Commission recognised in 2000 as providing an adequate level of protection; by signing contracts with the relevant data exporters that incorporate the Standard Contractual Clauses published by the European Commission in 2001 and amended in 2004; or by obtaining the express consent of each data subject to the transfer of his or her personal data to a country that does not meet the conditions of the Directive.
In any event, precautions must be taken to comply with the Directive. The CNIL's decision in the TYCO case is a reminder of that.