Privacy & Information Security Law Blog

On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.

This Protocol was required by the September 1, 2010 decision (the “Decision”) of the European Commission on the adequacy of the competent authorities of Australia and the U.S. pursuant to EU Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts. The Decision noted that the U.S. authorities (including the PCAOB) comply with the EU requirements for reciprocal access to audit documents. The Decision thus authorized the competent authorities of the EU Member States to conclude bilateral working arrangements with their U.S. counterparts to allow the exchange of audit working papers or other documents held by statutory auditors or audit firms.

The Protocol provides a legal basis for the transfer of information between H3C and PCAOB, and provides that joint inspections may be carried out in France and the U.S. of auditing firms subject to the regulatory jurisdictions of these authorities. The Protocol was accompanied by a specific agreement on the transfer of personal data between H3C and PCAOB in order to ensure compliance with the French Data Protection Act. These transfers of personal data were previously authorized by the CNIL in a decision on November 29, 2012.