New Mexican Data Protection Law is Signed by the President

Earlier, we reported on the passage of a sweeping new data protection law in Mexico. The law went into effect earlier this month. It drastically expands the powers of Mexico's data protection authority, which has now been renamed the "Federal Institute of Access to Information and Data Protection."

Mexico Passes Sweeping New Law on Data Protection

On April 27, 2010, a sweeping new law on data protection was passed by the Mexican Senate, clearing the way for the President to sign the landmark legislation, which provides for penalties of up to roughly $1.5 million for violations. The new Federal Law for the Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares) prescribes, among other things, the manner in which private entities must treat the collection, use, and disclosure of personal data relating to individuals.

EU Article 29 Working Party Clarifies Definitions of "Data Controller" and "Data Processor"

On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive (the “Directive”). The Working Party’s opinion is welcome guidance, not only because the designations determine who is responsible for compliance with data protection rules and how data subjects can exercise their rights, but also because the European Commission recently updated its Standard Contractual Clauses (which we blogged about here). Additionally, such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.

European Commission Seeks to Balance Data Protection and Business Globalization with Updated Standard Contractual Clauses

After years of negotiations, on February 5, 2010, the European Commission (EC) updated its Standard Contractual Clauses (SCCs), which set forth contract terms governing the protection of personal data transferred from data exporters within the European Union (EU) to data processors outside the EU. On June 8, 2009, we wrote that the EC was considering implementing new SCCs. On May 15, 2010, the new SCCs, adopted under Decision 2010/87/EU, will go into effect, replacing the old SCCs adopted under Decision 2002/16/EC.

French Supreme Court Limits the Scope of the Whistleblowing Processes

The implementation of codes of conduct and whistleblowing systems is expanding at the international level. Global companies must pay attention to local law requirements when rolling out these codes in foreign countries, notably in order to comply with the rules and regulations issued by local data protection authorities to govern data processing.

A recent decision rendered on December 8, 2009, by the French Supreme Court provides a good illustration of issues that may be raised by local laws in the implementation of whistleblowing procedures abroad.

For the first time, the French Supreme Court addressed the validity of a Code of Conduct that had been implemented by a listed company (Dassault Systèmes, a French software company) in order to comply with the Sarbanes-Oxley Act.

By its decision, the French Supreme Court overturned the decision of the Court of Appeal, which had declared the whistleblowing system implemented by Dassault Systèmes' Code of Conduct compliant with the requirements of the French data protection authority (CNIL) and therefore lawful.

In a landmark decision rendered in 2005, the CNIL considered that the broad and anonymous whistleblowing procedures of several companies, including McDonald's, that had been adopted in order to implement the requirements of the Sarbanes-Oxley Act, were contrary to French law and in particular to the French data protection law of January 6, 1978. The CNIL stated that it had no fundamental objection to that kind of system, but expressed the opinion that whistleblowing processes should not be transformed into an organized system of professional denunciation which may jeopardize employees' individual rights.

In order to reach a compromise between SOX requirements and French law, the CNIL issued a Deliberation on December 8, 2005. The Deliberation states that companies are authorized to roll out their whistleblowing systems provided they formally declare the existence of the system and comply with the requirements of the Deliberation. In particular, article 1 of the Deliberation provides that only whistleblowing systems implemented in response to French legislative or regulatory internal control requirements, or to the whistleblowing requirements of the Sarbanes-Oxley Act, in areas such as finance, accounting, banking and anti-bribery, may be covered by the Deliberation. Article 3 of the Deliberation provides that facts falling outside these core areas may be covered by the whistleblowing system if the vital interests of the company or the physical or mental integrity of its members are threatened.

If the scope of the whistleblowing process exceeds the CNIL's Deliberation, the company must go through a burdensome process with the CNIL, consisting of detailing the information collected, its recipients, the purpose of the data processing, and so on, and obtaining the CNIL's formal authorization. So far, the CNIL has never granted such an authorization where the scope of a whistleblowing system exceeds its Deliberation.

In the case at hand, Dassault had implemented a whistleblowing system under the Deliberation, and a trade union challenged the validity of the system on the ground that the company should have sought formal authorization from the CNIL because the system's scope exceeded auditing and financial matters.

The Supreme Court ruled that the scope of the Code of Conduct was too broad, in that employees could report not only any breach of the Code relating to finance, accounting and anti-corruption, but also any breach in other matters to the extent that it could threaten the vital interests of Dassault or the physical or mental integrity of an individual employee (intellectual property rights, confidentiality, conflicts of interest, discrimination, sexual or psychological harassment).

The Court adopted a very narrow reading of the CNIL Deliberation, concluding that a whistleblowing system could not be introduced under the Deliberation for any purpose other than those mentioned in article 1 of the Deliberation.

In other words, a whistleblowing system that would cover other breaches of the Code of Conduct must be specifically authorized by the CNIL on a case-by-case basis, even where those breaches are material and may threaten the vital interests of the company or the physical or mental integrity of its members.

Last but not least, the Supreme Court also found that Dassault's Code of Business Conduct did not expressly mention that the individuals concerned had a right of access to the information reported about them, and a right of rectification where that information is incorrect.

Since, from a practical point of view, there is a strong likelihood that the CNIL will refuse to authorize a whistleblowing system exceeding the scope of its Deliberation, companies should now restrict their whistleblowing systems to the core areas mentioned in the CNIL's Deliberation of December 8, 2005 to avoid having their process declared invalid.

A New Solution for Global Outsourcing? The EU Commission Considers New SCCs For Cross-Border Data Transfers

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Article 29 Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data to countries outside the EU/EEA which do not offer an adequate level of protection for the data. In the judgment of the EU Commission, the United States does not provide an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms: 

  • Safe Harbor (which only applies if the processor is located in the US);
  • Binding Corporate Rules;
  • SCCs. 

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to: 

  • regulate sub-processing;
  • allow multi-layered sub-contracting;
  • allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
  • be governed by the law of the Member State in which the data exporter is established (according to some, this would run against normal commercial practice, since it would have the effect of applying a foreign law to a sub-processor);
  • repeal the current SCCs.

In its opinion on the new SCCs, the Working Party outlines three main issues:

1. First of all, it draws attention to the fact that the transfer of data from a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the current SCCs, although it is, in practice, a common form of processing nowadays. It underlines that there is a discrepancy in the rules applicable depending on where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that developing such a set may take, the Working Party recommends that, in the meantime, national Data Protection Authorities treat as an adequate guarantee a transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA that the controller has authorized, provided the transfer applies by analogy the same guarantees and principles as the SCCs.

2. Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the European Commission's attention to the fact that data transferred in such a case, especially sensitive data, must be processed in compliance with the requirements of the EU Directive. The Working Party emphasizes that, given the number of sub-contractors that may be involved, the liability of a processor that has not complied with the controller's instructions may be difficult to establish. This is why the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

The Working Party also considers that applying the new SCCs to all layers of sub-processing is a good solution, provided that the data exporter implements organizational measures to facilitate the exercise of data subjects' rights (for instance, a single corporate contact point for data subjects' claims).

3. Third, the Working Party recommends that transitional provisions be included in the new SCCs so that previous transfers authorized under the "old" SCCs remain in force as long as the transfer described has not changed. Only if a change is made to the transfer would the parties have to comply with the new SCCs.

U.K. Internet Publication Rule Upheld; Internet Viewings Constitute Republication

On March 10, 2009, the European Court of Human Rights held that the British Internet publication rule does not violate the right to free expression guaranteed by Article 10 of the European Convention. The case has profound implications for those bringing privacy- or disclosure-related tort claims based on materials available on the Internet – where U.K. law applies.

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.

Privacy Issues When "Computing in the Cloud"

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues. Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide. Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company's computer infrastructure and placing it in the hands of a vendor who can meet the company's computing needs more cheaply and efficiently than the company can itself.

UK Court Parts with US Court regarding Compelled Disclosure of Encryption Keys

On October 9, 2008, in R v. S and A [2008] EWCA Crim 2177, the Criminal Division of the England and Wales Court of Appeal held that requiring criminal defendants to disclose an encryption key allegedly protecting criminal materials does not violate the privilege against self-incrimination under U.K. law or Article 6 of the European Convention on Human Rights. The U.K. court's ruling is at odds with Magistrate Judge Jerome J. Niedermeier's ruling on a similar issue in the District of Vermont, In re Boucher, No. 06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29, 2007).

International Privacy Issues and More Addressed in New International Practice Guide

Proskauer Rose LLP has just released "Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business and Regulatory Disputes." The online guide is a practical reference work for businesses and practitioners; it explores best practices and creative yet practical approaches to manage, resolve, and avoid controversies affecting multiple jurisdictions. 

The 28-chapter guide is available free in e-Book format at www.proskauerguide.com. It includes a thorough chapter on international privacy law.

Dubai Becomes First Arab Nation to Enact Data Protection Law

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens. In a statement announcing the new law, Dubai called the enactment "pioneering in the region," and an examination of the law reveals that the description is deserved. The new law will have immediate implications for companies operating in Dubai (especially those that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.