Cecile Martin

Cécile Martin is an associate in the Labor and Employment Law Department in the Paris office of the Firm. She has experience in all employment law aspects of corporate restructurings (including transfer of undertakings and due diligence), redundancy procedures including dismissing protected employees, settlement negotiations, negotiations with employee representative bodies (personnel delegates, works councils, health and safety committees, unions) and French Labor Authorities (Labor Inspector, Ministry of Employment).

Cécile has also developed extensive experience in data privacy law and is generally responsible for cases involving privacy issues at the crossroads of employment law and the law of new technologies, particularly issues concerning the cyber-surveillance of employees and the dismissal of employees for abusing technologies put at their disposal during their work time.

Prior to joining Proskauer, she served as in-house counsel for the legal department of the French Data Protection Agency (C.N.I.L.). She has participated as a speaker for the Technology in Practice and in the Workplace Committee of the American Bar Association on several occasions. Cécile is a graduate of University Paris XI.

Articles By This Author

Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System

In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.

What's new in Europe?

While the European Commission is seeking to update its 15-year-old Directive on the protection of personal data, several measures have been adopted in the meantime to strengthen privacy rights in Europe.

First, the European Union's Article 29 Working Party has decided to define more clearly what counts as genuine consent to the processing of personal data. According to its opinion issued on July 14, 2011, consent requires mechanisms that leave no doubt as to the data subject's intention to authorize the processing. In the Working Party's view, only affirmative statements or actions, not mere silence or inaction, can constitute valid consent. The burden is on data controllers to prove that they have obtained genuine consent; the data subject is not required to rebut any presumption of consent in the controller's favor.

French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

In 2005, the CNIL had issued that deliberation to reach a compromise between the requirements of the United States' Sarbanes-Oxley Act ("SOX") and French law. Under Article 1 of the deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of SOX. Under Article 3 of the 2005 deliberation, alleged wrongdoings falling outside these core areas could be covered by the whistleblowing system only if the vital interests of the company or the physical or psychological integrity of its employees were threatened.

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

To help companies comply with European data protection laws, in particular as implemented in France, the French Data Protection Agency (known as "CNIL") recently issued a set of guidelines organized by topic. The guidelines set out the elementary precautions data controllers should take in several subject areas, including the types of conduct that are prohibited, together with the CNIL's recommendations in each area.

Opt Out Rejected by the EU Data Protection Authorities for Online Behavioral Advertising

In an opinion issued on June 22, 2010, the EU Data Protection Authorities (Article 29 Working Party) clarified the legal framework applicable to online behavioral advertising – an activity that is becoming a hot topic for discussion as its popularity grows. Online behavioral advertising is, at its most basic level, the practice of gathering data, generally via cookies, about computer users for the purposes of serving tailored advertising. Some argue that such information gathering constitutes an invasion of people’s privacy. Most of the time, data subjects are not even aware that their personal data are being collected and used to create detailed user profiles and provide them with tailored advertising.

In order to remedy this lack of notice, it is becoming a common practice for advertising network providers to offer “opt-out” mechanisms so that users may, if they so wish, decline to receive targeted advertising.

Until now, the validity of such opt-out mechanisms under the EU Directive was questionable. The Working Party's opinion has now settled the question, and not in favor of opt-out.

French Supreme Court Limits the Scope of the Whistleblowing Processes

The implementation of codes of conduct and whistleblowing systems is expanding at the international level. Global companies rolling out such codes in foreign countries must pay attention to local law requirements, and in particular to the rules and regulations laid down by local data protection authorities to govern data processing.

A decision rendered on December 8, 2009, by the French Supreme Court provides a good illustration of the issues that local laws may raise when whistleblowing procedures are implemented abroad.

For the first time, the French Supreme Court addressed the validity of a Code of Conduct implemented by a listed company (Dassault Systèmes, a French software company) in order to comply with the Sarbanes-Oxley Act.

The French Supreme Court quashed the decision of the Court of Appeal, which had declared the whistleblowing system implemented by the Dassault Systèmes Code of Conduct compliant with the deliberation of the French data protection authority (CNIL) and therefore lawful.

In a landmark decision rendered in 2005, the CNIL considered that the broad and anonymous whistleblowing procedures of several companies, including the McDonald’s Company, that had been adopted in order to implement the requirements of the Sarbanes-Oxley Act, were contrary to French law and in particular to the French data protection law of January 6, 1978. The CNIL held that it had no fundamental objection to that kind of system, but it expressed the opinion that whistleblowing processes should not be transformed into an organized system of professional denouncement which may jeopardize the employees’ individual rights.

In order to reach a compromise between SOX requirements and French law, the CNIL issued a Deliberation on December 8, 2005. The Deliberation states that companies are authorized to roll out their whistleblowing systems provided they formally disclose the existence of the system and comply with the Deliberation's requirements. In particular, Article 1 of the Deliberation provides that only whistleblowing systems implemented in response to French legislative or regulatory internal control requirements, or to the whistleblowing requirements of the Sarbanes-Oxley Act, in areas such as finance, accounting, banking and anti-bribery, may be covered by the Deliberation. Article 3 provides that facts not included in these core areas may be covered by the whistleblowing system if the vital interests of the company or the physical or mental integrity of its members are threatened.

If the scope of the whistleblowing process exceeds the CNIL's Deliberation, the company must go through a burdensome formal authorization procedure with the CNIL, detailing the information collected, its recipients, the purpose of the data processing… and obtain the CNIL's express authorization. So far, the CNIL has never granted such an authorization where the scope of the whistleblowing system exceeds its Deliberation.

In the case at hand, Dassault had implemented a whistleblowing system under the Deliberation, and a trade union challenged the validity of the system on the ground that the company should have sought a formal authorization from the CNIL because the system's scope extended beyond auditing and financial matters.

The Supreme Court ruled that the scope of the Code of Conduct was too broad: employees could report not only breaches of the Code relating to finance, accounting and anti-corruption, but also breaches in other matters to the extent they could threaten the vital interests of Dassault or the physical or moral integrity of an individual employee (intellectual property rights, confidentiality, conflicts of interest, discrimination, sexual or psychological harassment).

The Court adopted a very narrow reading of the CNIL Deliberation, concluding that a whistleblowing system could not be introduced under the Deliberation for any purpose other than those listed in Article 1 of the Deliberation.

In other words, a whistleblowing system covering other breaches of the Code of Conduct must be specifically authorized by the CNIL on a case-by-case basis, even where those breaches are material and may threaten the vital interests of the company or the physical or mental integrity of its members.

Last but not least the Supreme Court also found that Dassault’s Code of Business Conduct did not expressly mention that the individuals had a right of access to the information reported, and a right of rectification where the information is not correct.  

From a practical standpoint, since the CNIL is very likely to refuse to authorize a whistleblowing system that exceeds the scope of its Deliberation, companies should now restrict their whistleblowing systems to the core areas identified in the CNIL's decision of December 8, 2005, to avoid having their process declared invalid.

French Employers Can Open Files Located on a Company-Issued Computer Provided That They Are Not Clearly Identified As Personal

By a decision of October 21, 2009 (n°07-43877), the French Supreme Court ruled that files created by an employee on a computer issued by his employer for work purposes are presumed professional unless the employee has clearly identified them as personal. Accordingly, the Court concluded that the employer was entitled to open these files in the employee's absence and without informing the employee in advance.

In this case, the employee was suspected by his employer to have competed unfairly with the employer’s business. To investigate these suspicions, the employer requested a bailiff to seek evidence from the employee’s work computer. In order to prevent the employee from erasing the evidence, the employer did not alert the employee that his work computer would be examined.

French Data Protection Agency Issues Recommendations Regarding Employees' Personal Data that Companies in France May Collect To Minimize the Impact of Swine Flu on Business Continuity

In anticipation of the Swine Flu and the consequences that it may have upon the continuity of the business of companies, the French Data Protection Agency (known under the acronym "CNIL") recently issued recommendations regarding employers’ collection of employee data in connection with their swine flu business continuity programs.

The French government has strongly recommended that companies set up a plan for the continuity of their businesses in case of pandemic flu. Indeed, in case of pandemic, the French authorities anticipate significant degrees of absenteeism among employees and a possible paralysis of certain companies if they are not sufficiently prepared. 

European Privacy Law And Social Networking

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online, combined with the data describing the user's actions and interactions with other people, can create a rich profile of that person's interests and pose major risks such as identity theft or loss of employment or business opportunities. In this new era of social networking, not even the most secretive organizations are free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken from a social networking website, of the soon-to-be chief of the country's foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples include Facebook, Twitter, and MySpace. Under the EU's 1995 Data Protection Directive (95/46/EC) (the "Directive"), SNS providers are considered data controllers and are subject to several of the Directive's provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures to maintain the security of users' data. The Working Party recommends that SNS providers offer default privacy settings that restrict viewing of the user's profile to self-selected contacts.

Information to be Provided by SNS – SNS providers must inform users of their identity and of the purposes for which they use personal data. The Working Party recommends that providers give users adequate information and warning about the privacy risks, to themselves and to third parties, of uploading information to the SNS. If third-party information or pictures are uploaded, this should be done with that individual's consent.

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

Retention of Data – Personal data of users should not be kept after their accounts are deleted.  When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have the right to access, correct, and delete their data. Further, because processing must not exceed the purposes for which the data are collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

Thus, companies that do not operate an SNS may still be governed by the Directive merely by virtue of using the service. Where a company collects personal information (e.g. through applications or otherwise), it should heed the foregoing recommendations, such as obtaining consent from the persons concerned before publishing their personal information and images, using only the personal data that are necessary, deleting personal information after an account has been removed, and providing a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

A New Solution for Global Outsourcing? The EU Commission Considers New SCCs For Cross-Border Data Transfers

The European Commission is considering modifying the standard contractual clauses (hereafter “SCCs”) established on December 27, 2001 and used by data controllers to transfer personal data to data processors located outside the EU. The new SCCs may introduce more flexibility in processing services and better reflect new business practices.

Although the European Commission has not yet released the new SCCs, the Article 29 Working Party adopted an opinion on this topic on March 5, 2009.

As our readers know, the EU Directive of 1995 prohibits the transfer of personal data outside the EU/EEA, in countries which do not offer an adequate level of protection of the data. In the judgment of the EU Commission, the United States does not have an adequate level of protection of personal data for purposes of the EU Directive.

As a consequence, controllers that want to transfer personal data to processors located outside the EU/EEA must use one or more of the following compliance mechanisms: 

  • Safe Harbor (which only applies if the processor is located in the US);
  • Binding Corporate Rules;
  • SCCs. 

Many have pointed out that SCCs may no longer be manageable for the complex onward transfers made not only from controllers to processors (as envisaged by the current SCCs) but also from processors to sub-processors or subsequent sub-sub-processors. This is the reason why the European Commission is considering a new set of SCCs.

The new SCCs are designed to: 

  • regulate sub-processing;
  • allow multi-layered sub-contracting;
  • allow the local Data Protection Authorities to inspect the full chain of sub-processing and make binding decisions;
  • be governed by the law of the Member State in which the data exporter is established (some have objected that this runs against normal commercial practice, since it would subject a sub-processor to a foreign law);
  • repeal the current SCCs.

In its opinion about the new SCCs, the Working Party outlines three main issues:


1. First of all, it draws attention to the fact that the transfer of data from a processor established in the EU/EEA to a sub-processor outside the EU/EEA is not envisaged by the current SCCs, even though such transfers are common in practice. It underlines that the applicable rules differ depending on where the processor is located.

The Working Party urges the European Commission to develop a new set of SCCs that would allow international sub-processing by processors located in the EU/EEA. However, given the time that developing such a set may take, the Working Party recommends in the meantime that national Data Protection Authorities treat as an adequate guarantee the controller's authorization of a transfer by a processor located in the EU/EEA to a sub-processor located outside the EU/EEA, as long as the same guarantees and principles as those in the SCCs are applied by analogy.


2. Second, the Working Party agrees that multi-layered sub-contracting must be taken into account and that a multi-layered sub-processing clause must be included in the new SCCs. However, it draws the European Commission's attention to the fact that data transferred in such a case, especially sensitive data, must be processed in compliance with the EU Directive's requirements. Indeed, the Working Party emphasizes that, given the number of sub-contractors that may be involved, the liability of a processor that has not complied with the controller's instructions may be difficult to establish. For this reason, the Working Party recommends that the data exporter keep an updated list of the various processors and sub-processors.

The Working Party also considers that applying new SCCs to all different layers of sub-processing is a good solution provided that the data exporter implements organizational solutions to facilitate the exercise of the data subjects’ rights (for instance putting in place a single corporate contact point for data subjects’ claims).


3. Third, the Working Party recommends that the new SCCs include transitional provisions so that transfers previously authorized under the "old" SCCs remain valid as long as the transfer described has not changed. Only if the transfer is modified would the parties have to comply with the new SCCs.