Legal framework for international data transfers — CNIL authority, Loi Informatique et Libertés, and GDPR Chapter V
France regulates international transfers of personal data both as an EU Member State directly subject to the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and under national law, the Loi Informatique et Libertés (Loi n° 78-17 of 6 January 1978, the French Data Protection Act, as amended). Transfers of personal data outside the European Economic Area (EEA) are governed first by Chapter V of the GDPR, which provides the available mechanisms: European Commission adequacy decisions (Art. 45), appropriate safeguards (Art. 46), including Commission-adopted Standard Contractual Clauses under Art. 46(2)(c), Binding Corporate Rules (Art. 47), and derogations for specific situations (Art. 49). These rules apply in France exactly as in every other Member State; the GDPR is not transposed into French law but applies directly.
French law overlays additional administrative and investigatory powers on top of the GDPR framework. Articles 112 to 124 of the Loi Informatique et Libertés set out national provisions on cross-border flows, including CNIL (Commission nationale de l'informatique et des libertés) notification obligations for certain categories of processing and risk, and sectoral restrictions in areas such as health data. The CNIL is the competent supervisory authority for French exporters: it issues guidance, investigates, approves the transfer tools that require authorisation, and enforces.
While most international transfers from France are analysed under the GDPR mechanisms, two points of national specificity matter for practitioners: (1) where prior authorisation from the CNIL is required, for example for ad hoc contractual clauses that the Commission has not adopted (Art. 46(3)(a) GDPR), Articles 112 and 123 of the French act impose a formal application and review process; and (2) national law adds record-keeping and notification duties in sensitive sectors, health data being the main example in CNIL guidance.
In sum, any transfer of personal data from France to a destination outside the EEA must satisfy both GDPR Chapter V and the overlay of French national law. The CNIL regularly publishes guidance for organisations. Prior authorisation is not needed for transfers based on an adequacy decision, on Commission-adopted SCCs or on an Art. 49 derogation, but it remains a live requirement for ad hoc clauses under Art. 46(3)(a), and Binding Corporate Rules must be approved by the competent supervisory authority under Art. 47 before they can be relied on.
Source: GDPR Chapter V, Regulation (EU) 2016/679
Source: Loi Informatique et Libertés (Articles 112–124)
Source: CNIL Guidance on International Transfers
Standard Contractual Clauses (SCCs), Supplementary Measures, and TIAs — CNIL Guidance for International Transfers from France
Standard Contractual Clauses (SCCs) are the main mechanism for transferring personal data from France to countries that have no EU adequacy decision. Article 46(2)(c) GDPR authorises transfers on the basis of SCCs adopted by the European Commission. The current clauses were adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 and come in four modules (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller); the earlier clauses under Decisions 2001/497/EC and 2010/87/EU were repealed, and contracts still relying on them had to be migrated by 27 December 2022. No pre-approval from the CNIL is needed when the adopted clauses are used unmodified. Every transfer must nonetheless comply with the SCC obligations in full, and the annexes must be accurately completed and kept current: Annex I (the parties, a description of the transfer, and the competent supervisory authority, which for a French exporter is the CNIL), Annex II (the technical and organisational measures protecting the data) and, for the processor modules, Annex III (the list of sub-processors). Adding clauses or substantively changing the adopted text turns the instrument into ad hoc clauses that require CNIL authorisation under Art. 46(3)(a).
Since the CJEU's Schrems II judgment (C-311/18, 16 July 2020), and as set out in EDPB Recommendations 01/2020, organisations relying on SCCs must perform a Transfer Impact Assessment (TIA) to determine whether the destination country's law or practice, in particular public-authority access to data, undermines the safeguards the SCCs provide. The CNIL applies the EDPB methodology and published its own TIA guide (final version, 9 July 2024), which follows six steps: (1) map all transfers, including onward transfers by the importer; (2) identify the transfer tool relied on for each; (3) assess the relevant local law and practice, especially surveillance and investigatory powers, against the EU standard; (4) where the tool alone is insufficient, identify and implement supplementary measures, which may be technical (for example strong encryption applied before transfer, with the keys held solely by the exporter or another entity in the EEA so that the importer never has access to the data in clear), organisational, or contractual; (5) complete any procedural steps the chosen tool requires (for example CNIL authorisation if the supplementary measures amend the SCCs themselves), plus any French sectoral formalities, since health data transfers often require notification or prior authorisation under national law; (6) monitor the destination country and the transfer on an ongoing basis and reassess whenever the legal or factual situation changes.
In practice a documented TIA is how the exporter demonstrates that data subjects receive a level of protection essentially equivalent to that guaranteed in the EU, as required by Schrems II and detailed by the EDPB and the CNIL. The EDPB Recommendations are not themselves binding law, but the CNIL applies them systematically in its guidance and enforcement, and the SCCs make the assessment contractual: Clause 14 requires the parties to warrant that they have no reason to believe local law prevents the importer from complying, and to document that assessment, while Clause 15 governs the importer's obligations when public authorities request access. If the TIA shows that supplementary measures cannot bring the risk to an acceptable level, the exporter must suspend or terminate the transfer; both the CNIL and the EDPB insist on this outcome. The CNIL also cautions that generic or incomplete SCC annexes, or a failure to document and review the TIA, make the transfer unlawful even though the clauses have been signed.
Sector-specific CNIL requirements can be found on the CNIL’s website, with detailed health data rules available at https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-secteur-de-la-sante. Practitioners should consult these resources when handling transfers in regulated areas.
Source: Data transfers: the European Commission's standard contractual clauses (SCCs) (CNIL, "Transfert de données : les clauses contractuelles types (CCT) de la Commission européenne")
Source: Transfer Impact Assessment (TIA): the CNIL publishes the final version of its guide