France: The Gauvain Report And Other Recent Legal Developments Reaffirm The Importance Of The French Blocking Statute


Evidence gathering differs greatly between common law and civil law jurisdictions. For example, while a U.S. judge may in many instances allow extensive pretrial discovery, a French judge would generally consider nearly any discovery to be improperly invasive. In this context, French Law No. 68-678 of July 26, 1968, relating to the transfer of documents and information of an economic, commercial, industrial, financial or technical nature to foreign natural or legal persons, amended by Law No. 80-538 of July 16, 1980 (the French Blocking Statute), is among the most well-known laws aimed at limiting — and in some instances restricting — cross-border discovery.

The French Blocking Statute has long been criticized for presenting French companies with a dilemma: either choose to comply with the request for disclosure and possibly expose the company or its employees to prosecution in France, or comply with the provisions of the French Blocking Statute and risk jeopardizing the company’s or individual’s legal positions or interests in proceedings abroad. Despite these tensions, the statute appears to have only been strengthened and revitalized by certain developments in France, the EU and the U.S. — all of which present new extraterritoriality issues and increase the complexities of complying with or resisting foreign discovery:

  1. French Law No. 2016-1691 (Sapin II Law), which, among other things, entrusts the Agence française anticorruption (AFA) with ensuring compliance with the French Blocking Statute by companies under investigation by foreign authorities that have entered into agreements requiring the appointment of a corporate monitor
  2. The new EU General Data Protection Regulation (GDPR),1 and in particular Article 48 thereof, which notably regulates the transfer of data outside of the EU, including to foreign courts and regulatory or administrative authorities
  3. The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act),2 which establishes new procedures allowing the U.S. government to seek data from providers of electronic communication services across borders

These statutory developments reaffirm the centrality of the French Blocking Statute. French MP Raphaël Gauvain emphasized this impact in a recent report to the French prime minister on the challenges posed by extraterritorial legislation and the mechanisms available to protect French companies (the Gauvain Report). The Gauvain Report, which has not been formally made public, (i) emphasizes the role of the Service de l’information stratégique et de la sécurité économiques (SISSE, a service under the supervision of the Ministry of Finance) as watchdog in the context of foreign requests for documents and information, (ii) recommends the strict enforcement of the French Blocking Statute through the increased penalties provided by the statute and (iii) calls for the establishment of a legal privilege covering communications of in-house legal counsel to French companies.

The French Blocking Statute

The French Blocking Statute primarily imposes criminal sanctions on parties that export certain categories of documents, or respond to discovery requests, without going through the proper legal and administrative channels. The law consists of four articles.

Article 1 provides that “subject to treaties or international agreements it is prohibited for any individual of French nationality or who usually resides on French territory and for any officer, representative, agent or employee of an entity having a head office or establishment in France to communicate to foreign public authorities, in writing, orally or by any other means, anywhere, documents or information relating to economic, commercial, industrial, financial or technical matters, the communication of which is capable of harming the sovereignty, security or essential economic interests of France or contravening public policy, specified by the administrative authorities as necessary emphasis added.” This provision becomes relevant, for example, in the context of international investigations of French nationals or companies conducted by foreign authorities — including, for instance, the U.S. Department of Justice, the U.S. Securities & Exchange Commission, the U.S. Federal Trade Commission and the British Serious Fraud Office — on issues such as anti-corruption, anti-money laundering, antitrust, etc.

Relatedly, Article 1bis provides that “subject to any treaties or international agreements and the laws and regulations in force, it is prohibited for any person to request, to investigate or to communicate in writing, orally or by any other means, documents or information relating to economic, commercial, industrial, financial or technical matters leading to the establishment of proof in light of foreign administrative or judicial proceedings or as a part of such proceedings emphasis added.” The scope of this provision of Article 1bis is very broad, and the information requested or disclosed need not necessarily involve the sovereignty, security or essential economic interests of France.

However, under the French Blocking Statute, foreign disclosures remain possible due to mechanisms afforded by international agreements or treaties, such as Mutual Legal Assistance Treaties (MLAT) or the Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters of March 18, 1970 (the Hague Evidence Convention), both in the civil and criminal context.3 Notably, in the civil and commercial context, the French Blocking Statute essentially points to the Hague Evidence Convention, which provides a specific framework for the cross-border communication of documents, specifically through letters rogatory sent by a court in the requesting state.4 For regulators or litigants seeking information that might otherwise be protected by the French Blocking Statute, these treaties provide a mechanism for reaching information or documents.

Article 2 requires that any request for information or document production falling within the scope of Articles 1 and 1bis be addressed without delay by the Minister of Foreign Affairs.

And finally, Article 3 provides that any violations of the French Blocking Statute are criminally punishable with fines up to €18.000 for individuals and €90.000 for legal entities and/or up to six months’ imprisonment. On penalties, the Gauvain Report has been reported to recommend an increase of the fines up to €2 million for individuals and €10 million for legal entities and/or up to two years’ imprisonment. These fines are more in line with the penalties now available under the GDPR, which can be as high as 4 percent of global revenue. For French companies seeking to export data or information outside of France, an increase in penalties may not necessarily be welcome.

Recent Legal Developments Reaffirming the Centrality of the French Blocking Statute

Sapin II Law

The Sapin II Law is aimed at bringing French legislation in line with European and international standards in the fight against corruption.

Article 3.5 of the Sapin II Law has entrusted the AFA,5 at the request of the French prime minister, with filtering the documents to be transmitted to foreign authorities on the basis of the criteria set forth in Article 1 of the French Blocking Statute, “in the context of the execution of a decision of foreign authorities imposing on a company with registered office in France an obligation to undergo a process aimed at improving its internal procedures of prevention and detection of corruption." The importance of this provision is twofold.

First, it responds to critiques that the French Blocking Statute is seldom, if ever, enforced. Indeed, in a large number of decisions concerning the taking of discovery from French companies, American6 and English7 courts have ordered the discovery, finding that there is no significant criminal risk in France of prosecution under the French Blocking Statute, despite the penalties for which it ostensibly provides.

The fact that a publicly designated body like the AFA is entrusted with ensuring the observance of Article 1 of the French Blocking Statute when a final decision of the foreign authority has been adopted (be that a criminal settlement or a judgment) shows a renewed commitment to the French Blocking Statute, as well as the clear intention of the French legislature and authorities to promote its enforcement. One outcome may be the increased use of letters rogatory in U.S. litigations to reach French information and documents when courts determine that the French Blocking Statute presents serious risk of penalty if violated.

Second, the authority vested in the AFA also appears to send a message to French companies that they have government support in resisting foreign discovery on the basis of the French Blocking Statute if foreign authorities make broad and uncircumscribed requests for documents or information. By acting as a point of contact between French companies and foreign authorities, the AFA may provide a “shielding effect” over French companies vis-à-vis foreign authorities, and help these companies ensure that foreign authorities are not engaged in improperly overbroad discovery or regulatory investigation.

As mentioned, the Sapin II Law limits the AFA's mission of filtering documents to be transmitted abroad to the situation in which the final decision of the foreign authority has already been adopted. Nothing is provided for the case in which documents must be transmitted during the investigation conducted by such an authority. By not specifying how the necessary filtering must be done during an investigation, the Sapin II Law does not exclude the application of the French Blocking Statute, but leaves it to the relevant companies to organize their compliance internally.

In this respect, the Gauvain Report appears to suggest that a French authority regulate the control process over the observance of the French Blocking Statute during an investigation as well. Indeed, the Gauvain Report appears to envision making it mandatory for companies to contact the SISSE when foreign requests are made. While this suggestion may be welcomed by some companies, it may set up a conflict between the SISSE and other French authorities in the course of multijurisdictional investigations. It also may invoke a level of regulatory oversight that is unwanted where companies would prefer to cooperate with the foreign disclosure.

Article 48 of the GDPR

Like blocking statutes, data privacy legislation may affect the transfer of data and information in the context of litigations and international investigations.

In a 2009 decision,8 the French National Commission of Data Protection (CNIL) noted that France had made a reservation to the Hague Evidence Convention allowing it to refuse to execute letters rogatory issued solely for the purpose of obtaining pretrial discovery if the documents sought were not specifically identified and did not have a direct and specific connection with the subject matter of the dispute. In its decision, the CNIL highlighted a close relationship, almost a parallelism, between data protection and the French Blocking Statute, which it defined as the “shield law adopted for the defense of French economic interests, for the protection of strategic business data, against abusive actions of foreign authorities to collect information of economic nature.”

It is in this context that the European legislature introduced a specific provision in the GDPR concerning the transfer of personal data to foreign courts and administrative authorities.

According to Article 48 of the GDPR, “any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter emphasis added.”

Just like Articles 1 and 1bis of the French Blocking Statute, Article 48 of the GDPR requires the use of international agreements or treaties like MLATs and the Hague Evidence Convention to request and obtain personal data in the context of a litigation or investigation. In other words, just like the French Blocking Statute, Article 48 of the GDPR was introduced to address concerns of member states and data protection authorities in the context of discovery and pretrial discovery requests concerning large amounts of not specifically identified data.

Indeed, one objective of Article 48 of the GDPR was to address a perceived aggressive extraterritoriality by foreign authorities in bringing certain proceedings against European entities. In this respect, recital 115 of the GDPR explains that “some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.”

To that end, the French Blocking Statute and Article 48 of the GDPR share the following attributes or goals:

  1. Limiting certain proceedings brought against European entities by foreign authorities
  2. Providing tools to achieve this goal, that is, the recourse to international agreements or treaties like MLATs or the Hague Evidence Convention
  3. Providing a basic approach to the collection and sharing of data and information, or what the GDPR calls “minimization” — the fact that collection and transfer of data must be strictly necessary and proportionate to the purpose pursued corresponds to the French reservation during the ratification of the Hague Evidence Convention to limit the disclosure of evidence under pretrial discovery to documents strictly related to the specific subject of the dispute.

The “success” of the GDPR abroad will depend on the credibility of the European legislation and on the powers vested in national courts and the ECJ to impose penalties on violators. To advance that objective, EU-level guidance to national data protection authorities on Article 48 enforcement would be helpful.

The GDPR does present significant impediments to companies that desire to transfer data outside of France for use in legal or regulatory proceedings, because it imposes significant restrictions on the transfer of data, requiring, among other things, the use of standard contractual clauses and, in the case of certain data types, consents from the data owner. Guidance in these situations for the legal transfer of data extraterritorially would be welcome.

The U.S. CLOUD Act

The 2018 Consolidated Appropriations Act included a revision of the 1986 Stored Communications Act (SCA) allowing the U.S. government to access communications stored abroad by service providers subject to U.S. jurisdiction. This mechanism for reaching information and documents overseas is not available to civil litigants, but only to law enforcement. In particular, among other things, the CLOUD Act9 now establishes that the SCA provisions concerning the production of electronic communications extend to those held abroad.

Previously, the SCA was silent as to whether the U.S. government could require the production of electronic communications stored outside the U.S. Within this framework, in the well-known case Microsoft Corp. v. United States,10 the Supreme Court was asked to determine whether the U.S. government could use an SCA warrant to access records held by an affiliate of Microsoft on servers located in Ireland. In 2014, the U.S. District Court for the S.D.N.Y. declined to quash the government’s warrant, but on appeal, the Second Circuit reversed that decision. The government thereafter petitioned for a writ of certiorari, allowing for Supreme Court review of the decisions below, which was granted in October 2017. In the interim, the U.S. legislature passed the CLOUD Act into law, and the U.S. Supreme Court ruled that the matter had become moot.

As relates to the French Blocking Statute and Article 48 of the GDPR, the major changes to the SCA framework are the following.

  1. Extraterritoriality: Section 103 of the CLOUD Act amends the SCA by adding a new section expressly stating that the SCA applies extraterritorially. In particular, the CLOUD Act also includes Section 2713, which requires service providers to disclose communications even if they are “located outside of the United States.”
  2. Possibility to Challenge a SCA Warrant: Section 103 of the CLOUD Act also provides a mechanism for service providers to challenge SCA warrants. A court may quash a SCA warrant if it finds that (a) the disclosure would cause the provider to violate foreign laws; (b) “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed; and” (c) “the customer is not a United States person and does not reside in the United States.” Moreover, under the CLOUD Act, a court is required to undertake a comity analysis,11 taking into account, for example, “the interests of the United States, including the investigative interests of the governmental entity seeking to require the disclosure” and “the interests of the qualifying foreign government in preventing any prohibited disclosure.”
  3. International Agreement: Section 105 introduces a new provision defining criteria for the U.S. and other governments to sign executive agreements regulating cross-border requests for information, and authorizing service providers to respond to requests by foreign governments pursuant to such agreements.

In this context, there are at least two reasons why the French Blocking Statute may be implicated by enforcement of the CLOUD Act.

First, while the CLOUD Act is sometimes interpreted as a blocking statute in that the U.S. legislator has the right to establish conditions for international cooperation on cross-border access to digital data,12 the provision of data under the CLOUD Act can be challenged before U.S. courts and is subject to international agreements. Because these international agreements should result in negotiation by the two countries, in the case of France, drafting will likely take into account the French Blocking Statute, Article 48 of the GDPR and other French data protection laws.

Second, by introducing a procedure for pre-enforcement challenges to SCA warrants and requiring a comity analysis, the CLOUD Act effectively follows the approach stemming from the well-known Supreme Court decision in Société Nationale Industrielle Aérospatiale v. U.S. District Court, 482 U.S. 522 (1987), which requires a U.S. federal court to carry out a balancing analysis to decide whether to compel production of information from litigants or nonparties outside the U.S. Based on this precedent, in the case of companies based in France, U.S. courts have previously compelled production of information based on the fact that the French Blocking Statute was generally not enforced. In the interest of French companies and individuals seeking to resist production of their communications under the CLOUD Act, it may be helpful for the Ministry of Justice to issue guidance underlining the need for French prosecutors to strictly enforce the French Blocking Statute. Companies with an interest in the production of communications stored in France to U.S. regulators, however, may not share those interests.


Cross-border discovery — in civil, criminal and regulatory contexts — remains difficult. Issues abound, only complicated by the passage of the GDPR and the uncertainties that remain around its terms and enforcement. The Gauvain Report may help alleviate some confusion in this area.


1 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2 Clarifying Lawful Overseas Use of Data Act, H.R. 4943, Feb. 6, 2018.

3 See Treaty on Mutual Legal Assistance in Criminal Matters Between United States of America and France signed on Dec. 10, 1998.

4 France has made a reservation to the Hague Evidence Convention that allows it to refuse to execute letters rogatory (also referred to as letters of request) issued for the purpose of obtaining pretrial discovery of documents as known in common law countries, if the scope of the letters of request is overly broad and insufficiently defined.

5 The AFA assists the French government in its efforts to detect and prevent all forms of corruption, including influence-peddling, favoritism and misappropriation of public funds. In addition, the AFA assesses the efficacy of mandatory corporate compliance programs and oversees any corporate monitorships. The agency does not, however, have the authority to conduct independent investigations. That responsibility is reserved to the Parquet National Financier, which carries out the most serious criminal investigations related to economic and financial offenses.

See, e.g., U.S. Supreme Court decision Société nationale industrielle Aérospatiale, 482 U.S. 522 (1987).

See, e.g., High Court of England and Wales, HC08C03243 National Grid Électricity, April 11, 2013.

8 Decision No. 2009-474 of July 23, 2009, concerning recommendations for the transfer of personal data in the context of American court proceedings known as Discovery, at

9 Clarifying Lawful Overseas Use of Data Act, H.R. 4943, Feb. 6, 2018.

10 No. 17-2, 584 U.S. ___ (2018).

11 The principle of comity entails that political entities such as states, nations and courts from different jurisdictions recognize each other’s legislative, executive and judicial acts.

12 See P. Jacob, Quand les nuages ne s'arrêtent pas aux frontières, Remarques sur l'application du droit dans l'espace numérique à la lumière du CLOUD Act, Cahiers de droit de l'entreprise n° 4, July 2018, dossier 28.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions