Filers Beware! Court of Appeal Rejects CNIL-approved Whistleblowing System

In a decision dated September 23, 2011, the Court of Appeal of Caen suspended the implementation of a whistleblowing system that had been previously authorized by the French Data Protection Agency (CNIL) because, in the court’s view, the system infringed on the individual and collective rights and liberties of the company’s employees.

In the case at hand, the French subsidiary of a U.S. group had, in 2008, implemented a whistleblowing system to comply with SOX requirements in the United States. After various modifications, the CNIL authorized the French subsidiary to implement the system because the program complied with the CNIL’s simplified filing procedure for whistleblowing systems.

Our readers will remember that, under rules in force since 2010 (see our post of December 15, 2010), companies may take advantage of the CNIL’s simplified filing procedure for whistleblowing systems as long as the system does not encourage whistleblowers to remain anonymous and is limited in scope to conduct violations in the following areas:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies concerned by SOX Act section 301 (4) of July 31, 2002;
  • Japanese SOX of June 6, 2006.

Here, despite the CNIL’s approval of the French subsidiary’s whistleblowing system, the employees’ representatives brought a lawsuit against the subsidiary in the Caen Tribunal of First Instance because they believed the system to be flawed in a number of ways, including the following:

  • the scope of complaints which could be made through the whistleblowing system was too broad: employees could file complaints on any kind of wrongdoings or problems;
  • any Internet user could report wrongdoings about a French employee of that company even if those wrongdoings were outside the scope of the CNIL’s simplified filing procedure;
  • contrary to the simplified filing procedure issued by the CNIL, the whistleblowing system encouraged the whistleblower to remain anonymous; and
  • employees were not sufficiently informed about their access and rectification rights with respect to the data about them.

The Court of Appeal of Caen ruled that the claims made by the employees’ representatives were well-founded for the following reasons:

  • the whistleblowing system was outside the scope defined by the French Data Protection Agency, in large part because it permitted complaints of all kinds;
  • the whistleblowing system had been modified unilaterally by the company without the works council and the health and safety committees being informed and consulted prior to any changes being made.

In light of this new decision, companies implementing whistleblowing systems in France need to make sure that (i) the scope of their whistleblowing systems does not exceed the scope defined by the CNIL in its simplified filing procedure and (ii) they inform and consult employees’ representative bodies before making any changes to such systems. Failure to do so may lead to challenges by employees or their representative bodies that halt the implementation of the offending whistleblowing system in France. This, in turn, may raise issues in the United States, in particular with respect to SOX compliance, since Section 301 of SOX requires the audit committees of listed companies to establish procedures for the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters, a requirement that sits uneasily with the CNIL’s insistence that whistleblowing systems not encourage anonymity.

What's new in Europe?

While the European Commission is seeking to update its 15-year-old Directive on the protection of personal data, several measures have been adopted to strengthen privacy rights in Europe.

First, the European Union’s Article 29 Working Party has decided to define more clearly what counts as genuine consent to the processing of personal data. According to its opinion issued on July 14, 2011, consent requires mechanisms that leave no doubt as to the data subject’s intention to authorize the processing. In the Working Party’s view, only affirmative statements or actions, not mere silence or inaction, can constitute valid consent. It is incumbent upon data controllers to prove that they have obtained genuine consent; the data subject is not required to rebut any presumption of consent in the controller’s favor.

In the meantime, in France, the French Data Protection Agency (CNIL) has for the first time authorized two companies to implement a whistleblowing process dedicated to receiving and handling complaints about discrimination. The CNIL has always been reluctant to approve whistleblowing programs other than those relating to banking, financial, accounting and anti-corruption matters. Moreover, in response to a December 2009 decision of the French Supreme Court, the CNIL had recently narrowed its “blanket authorization” for whistleblowing programs by dropping the provision that had extended it to alerts affecting the “vital interests of the business or the physical or moral integrity of employees.” The CNIL’s recent approval of whistleblowing programs relating to discrimination nevertheless suggests that it may be possible to obtain approval for programs that fall outside the scope of the blanket authorization. In these two cases, it is noteworthy that, in certifying the whistleblowing systems dedicated to uncovering potential discrimination, the CNIL relied upon the following elements of the programs:

  • anonymous alerts were prohibited;
  • the whistleblowing system was not mandatory for employees;
  • security measures were implemented; and
  • employees’ representatives had been informed.

These observations may offer some insight into the kinds of safeguards required for others to obtain approval of a whistleblower program from the CNIL.

In another recent decision, the CNIL exempted French suppliers acting on behalf of companies located outside the EU from certain filing obligations. Previously, it was understood that both non-EU-based companies processing personal data in France and their French suppliers needed to file paperwork with the agency about the processing. The CNIL recognized, however, that requiring French suppliers acting on behalf of non-EU-based companies to make their own filings as well was burdensome and duplicative. As a consequence, the CNIL has exempted French suppliers from their filing obligations for processing related to human resources, clients and prospects that they perform on behalf of companies based outside the EU.

Finally, under a new law dated March 15, 2011, the CNIL’s powers of control and sanction have been modified. Under this law, the CNIL must now systematically inform data controllers that they may object to on-site inspections by the agency. If the data controller objects to a proposed on-site inspection, it can only be carried out with court authorization. In case of emergency or risk of destruction of documents, however, the CNIL may, after obtaining court authorization, conduct the on-site inspection without informing the data controller, who in that case cannot object. Furthermore, the new law authorizes the CNIL to publicize the sanctions that it imposes on data controllers for data processing violations even where the data controllers have not acted in bad faith.

With all this activity in France, it’s clear that the United States is not the only country trying to adapt its privacy and information security standards to rapidly evolving technologies and marketplaces. Companies with an international presence need to stay alert to stay compliant. We can help!

French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

At that time, the CNIL had issued a deliberation intended as a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law. According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g., regulations governing banking institutions), or the whistleblowing requirements of the SOX Act. According to Article 3 of the 2005 deliberation, alleged wrongdoings not falling within these core areas could be covered by the whistleblowing system only if the vital interests of the company or the physical or psychological integrity of its employees were threatened.

The French Supreme Court addressed the scope of the CNIL's deliberation in a decision dated December 8, 2009. In that decision, the French Supreme Court was asked to consider the validity of a corporate Code of Conduct that had been implemented by a listed company (Dassault Systèmes) in order to comply with the SOX Act. The French Supreme Court found that the scope of Dassault's code of conduct was too broad, in that it invited employees to report violations relating to more than just finance, accounting and anti-corruption matters, but also intellectual property rights, confidentiality, conflict of interest, discrimination, and sexual or psychological harassment. In the eyes of the Court, the Dassault code of conduct's whistleblowing system was invalid because it permitted whistleblowers to report violations other than those enumerated under Article 1 of the CNIL deliberation.

While companies were already required to obtain approval from CNIL for whistleblowing systems that exceeded the scope of the 2005 deliberation, the French Supreme Court’s decision helped to clarify exactly when such approval is needed. According to the Supreme Court’s decision, any whistleblowing system that allows complaints concerning conduct violations beyond those listed must be specifically authorized by the CNIL on a case-by-case basis, or risk being invalidated.

In order to align its deliberation with the Supreme Court’s decision, the CNIL modified the 2005 deliberation to limit its scope to:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies concerned by SOX Act section 301(4) of July 31, 2002;
  • Japanese SOX of June 6, 2006.

It also specified that:

  • alerts outside the scope of the deliberation must be destroyed or archived immediately;
  • when the alert does not give rise to a disciplinary or legal procedure, data related to the alert are destroyed or archived within two months from the end of the inquiry.

So far, 1,605 companies have complied with the CNIL’s deliberation. For companies whose systems are compliant with the new scope of the deliberation, no additional formalities are necessary. But for those others whose systems are not compliant, they have six months to bring their whistleblowing system into compliance or obtain an authorization from the CNIL.

To facilitate the reporting of wrongdoings that fall outside the scope of the new deliberation, the CNIL suggests informing employees that they should report such matters to their managers, union representatives or human resources departments.

From a practical point of view, there is a strong likelihood that the CNIL will be very cautious before approving any whistleblowing system that exceeds the scope of its new deliberation, or even refuse to approve such a system. Consequently, multinational companies may want to think about restricting their whistleblowing systems to the core areas specified in the CNIL's new deliberation so as to avoid having their systems invalidated.

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

To assist companies in complying with European data protection laws, in particular as implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines, organized by topic, setting out the elementary precautions data controllers should take in several areas, including which practices are prohibited and what the CNIL recommends in each area.

According to article 34 of the French Data Protection Act of January 6, 1978 (as later amended, the “Act”), data controllers must take all useful precautions, depending on the nature of the data and the risks involved in processing it, to preserve the security of the data and, in particular, to prevent its alteration and damage, or access by non-authorized third parties.

Failure to do so is punishable by five years' imprisonment and a fine of €300,000.

This duty to ensure the security of data continues throughout all stages of data processing, i.e. from the data’s creation, to its use, back-up, filing and through to its eventual destruction.

In its recently issued guidelines, the CNIL particularly recommends that companies:

1.  Manage/Restrict access to data:

  • Give each user an individual user ID and authenticate the user by means of a password, smart card, fingerprint or similar credential, and, where a password is used, make sure it is changed every 3 months. The CNIL also recommends that companies remind their employees never to give their passwords to anyone, never to reuse the same password for different systems, and not to configure their software to save passwords;
  • Implement a permission management system that determines which categories of employees may access each database. The CNIL considers that each user should only have access to the data he or she needs to carry out his or her duties. For the permission management system to be effective, it is advised, for instance, to remove users’ access permissions as soon as they are no longer authorized to have such access or processing rights, and when they leave the company.

2.  Log/Register the actions made by users on the system during a defined period of time:

  • According to Article 6 of the Act, processing may only be performed on personal data that meets the following conditions: the data shall be obtained and processed fairly and lawfully; it shall be obtained for specified, explicit and legitimate purposes; and it shall not subsequently be processed in a manner that is incompatible with those purposes.
  • The CNIL recommends that such access logs be retained for a maximum of 6 months.
  • Each log entry should record the user number, the login date and time, and the logout date and time.

3.  Guarantee the integrity of the data:

  • Article 6 of the Act provides that data shall be accurate, complete and, where necessary, kept up-to-date;
  • The CNIL recommends implementing measures to prevent viruses and unauthorized intrusions into company computers, and to secure remote access over the Internet. To this end, the following protective measures may be introduced: limiting the number of login attempts, implementing firewalls and automatic session locking, and using up-to-date antivirus software.

4.  Implement processes enabling the deletion, archiving or anonymization of the data:

  • Article 6 of the Act also provides that data shall be stored in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which the data was obtained and processed.
  • Two types of anonymization exist. The first is irreversible: there is no way to link the data back to an individual again. The second is reversible (often called pseudonymization): the original personal data can be recovered from the anonymized data, for instance through a separately held key or lookup table. For reversible anonymization, the CNIL specifies that the re-identification process must be very secure.
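The following is an added example, not the CNIL’s own code or anything from the original post, showing the two kinds of anonymization described in point 4 and the 6-month access-log retention from point 2. The irreversible variant derives pseudonyms with a random key that is used once and never stored, so nothing exists that could map a pseudonym back to a person; the reversible variant keeps a random token-to-identity table in a separate vault object and confines re-identification to an authorized role, recording every attempt. The role names, the audit line format, the sample identifiers and log entries, and the approximation of “6 months” as 182 days are all assumptions made for the example.

```python
"""Added example (not the CNIL's code): irreversible vs reversible anonymization,
plus a purge of access-log entries older than the recommended 6 months."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: the CNIL's "6 months" is approximated as 182 days.
LOG_RETENTION = timedelta(days=182)


def anonymize_batch(identifiers: List[str]) -> List[str]:
    """Irreversible anonymization.

    Each pseudonym is HMAC-SHA256 of the identifier under a random key that
    exists only inside this call. Records in one batch stay linkable to each
    other (same input, same pseudonym), but nobody can reverse a pseudonym:
    there is no lookup table and the key is never stored or returned.
    """
    key = secrets.token_bytes(32)
    return [hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()
            for ident in identifiers]


class PseudonymVault:
    """Reversible anonymization (pseudonymization).

    Working datasets carry only a random token; the token -> identity table
    lives in this separate object. Re-identification is the step the CNIL
    wants secured, so it is limited to named roles (assumed names below)
    and every attempt, allowed or denied, is written to an audit trail.
    """

    REIDENT_ROLES = frozenset({"dpo", "hr_admin"})  # hypothetical role names

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}
        self.audit: List[str] = []

    def pseudonymize(self, ident: str) -> str:
        token = secrets.token_hex(16)  # 128 random bits: no structure to invert
        self._table[token] = ident
        return token

    def reidentify(self, token: str, requester: str, role: str) -> str:
        if role not in self.REIDENT_ROLES:
            self.audit.append(f"DENIED requester={requester} role={role} token={token}")
            raise PermissionError(f"role {role!r} may not re-identify")
        self.audit.append(f"OK requester={requester} role={role} token={token}")
        return self._table[token]


@dataclass
class AccessLogEntry:
    """The three fields the CNIL lists: user number, login time, logout time."""
    user_number: str
    login_at: datetime
    logout_at: Optional[datetime]  # None while the session is still open


def purge_expired(entries: List[AccessLogEntry], now: datetime,
                  retention: timedelta = LOG_RETENTION) -> List[AccessLogEntry]:
    """Keep only entries whose login falls inside the retention window."""
    return [e for e in entries if now - e.login_at <= retention]


def demo() -> dict:
    """Runs the example on constructed sample data and returns the outcomes."""
    staff = ["alice@example.fr", "bob@example.fr", "alice@example.fr"]  # constructed
    batch1 = anonymize_batch(staff)
    batch2 = anonymize_batch(staff)

    vault = PseudonymVault()
    token = vault.pseudonymize("alice@example.fr")
    try:
        vault.reidentify(token, "analyst1", "analyst")
        analyst_denied = False
    except PermissionError:
        analyst_denied = True
    dpo_name = vault.reidentify(token, "dpo1", "dpo")

    now = datetime(2011, 7, 1, tzinfo=timezone.utc)
    logs = [  # constructed log entries: one recent, one older than 6 months
        AccessLogEntry("u001", now - timedelta(days=10),
                       now - timedelta(days=10) + timedelta(hours=8)),
        AccessLogEntry("u002", now - timedelta(days=200), None),
    ]
    kept = purge_expired(logs, now)
    return {
        "linkable_within_batch": batch1[0] == batch1[2],
        "unlinkable_across_batches": batch1[0] != batch2[0],
        "analyst_denied": analyst_denied,
        "dpo_name": dpo_name,
        "kept_users": [e.user_number for e in kept],
        "audit_entries": len(vault.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The two anonymization functions differ in exactly the way the guidelines describe: `anonymize_batch` has no inverse at all, while `PseudonymVault.reidentify` is the inverse that must be protected, which is why it is role-gated and audited rather than exposed as a plain lookup. Keeping the vault in a separate store from the working dataset (a different database or service in practice) is what keeps a breach of the dataset from also being a breach of identities.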

In order to guide companies to self-assess the level of security of their data processing, the CNIL has issued a questionnaire that focuses on the following points:

  • Analysis of the risks;
  • Authentication of the users;
  • Permissions management;
  • Work stations security;
  • Mobile IT security;
  • Back-ups;
  • Maintenance security;
  • Log files access security;
  • Protection of the premises;
  • Protection of the internal IT network;
  • Servers and applications security;
  • Managing subcontracting;
  • Archiving; and
  • Security of data exchanges with other companies.

To continue to strengthen companies’ security with regard to data processing, the CNIL has announced that a more elaborated document is being prepared.

Opt Out Rejected by the EU Data Protection Authorities for Online Behavioral Advertising

In an opinion issued on June 22, 2010, the EU Data Protection Authorities (Article 29 Working Party) clarified the legal framework applicable to online behavioral advertising – an activity that is becoming a hot topic for discussion as its popularity grows. Online behavioral advertising is, at its most basic level, the practice of gathering data, generally via cookies, about computer users for the purposes of serving tailored advertising. Some argue that such information gathering constitutes an invasion of people’s privacy. Most of the time, data subjects are not even aware that their personal data are being collected and used to create detailed user profiles and provide them with tailored advertising.

In order to remedy this lack of notice, it is becoming a common practice for advertising network providers to offer “opt-out” mechanisms so that users may, if they so wish, decline to receive targeted advertising.

Until now, the legality of such mechanisms under the EU Directive was questionable. That is no longer the case.

In its June 22 opinion, the Article 29 Working Party (the group responsible for overseeing the EU data protection regime) stated that, even if opt-out mechanisms were welcomed and should be encouraged, such mechanisms could not be regarded as complying with the EU Directive’s requirements regarding the necessity to deliver prior sufficient and effective notice to users and obtain the data subjects’ express consent before processing their personal data.

The Article 29 Working Party clearly took the position that it is incumbent upon advertising network providers to “create prior opt-in mechanisms requiring an affirmative action by the users indicating their willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.”

According to Article 5(3) of the ePrivacy Directive, advertising network providers must obtain the informed consent of users to lawfully store information or to gain access to information stored in a user’s computer. According to the Article 29 Working Party, this means that prior to placing cookies or similar devices, advertising network providers must obtain the informed consent of the users.

Informed consent requires that users be informed about the identity of the advertising network provider, the purpose of the processing and the fact that the cookie will allow the advertiser to collect information about visits to other websites. Such information can be provided directly on the screen and it is recommended that it not be hidden in general terms and conditions or privacy statements. (see also our discussion of the Sears case here.)

However, the EU Data Protection Authorities are conscious that in practice it could be burdensome to obtain consent every time a cookie is read for the purposes of delivering targeted advertising. As such, they recommend:

  • limiting the time and the scope of the consent
  • offering the possibility to revoke it easily
  • creating visible tools to be displayed where the monitoring takes place.

Furthermore, when placing cookies or similar devices, advertising network providers must also abide by the principles of the EU Directive of 1995 relating to the processing and free movement of personal data if the data being collected are considered personal.

Consequently, advertising network providers may be considered data controllers and thus need to:
  • inform users beforehand of the purposes of the processing
  • guarantee to data subjects their rights of access, rectification, erasure, limitation of retention, confidentiality, and security
  • inform the appropriate Data Protection Agency of the processing to the extent necessary

The Opinion invites industry to suggest technical and other means to comply with the aforesaid legal obligations.

As far as France is concerned, it should be noted that in 2009 the French Data Protection Agency (CNIL) reminded everyone that:

  • online behavioral advertising systems were subject to the data protection regulations given that they enable collection of personal data;
  • the analysis of behaviors on the Internet was possible only if the Internet user had been duly informed of such a practice and could easily and quickly oppose it;
  • professionals of that sector were highly encouraged to issue codes of conduct.

First Subsidiary of a U.S. Based Multinational Company Fined for Data Protection Violations in France

Last month the French subsidiary of the U.S. based company Tyco Healthcare became the first local branch of a U.S. company to be fined for data protection violations in France. France’s data protection agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), levied a fine of 30,000 euros (about $40,350) against the company after it both ignored the CNIL’s requests for clarification about one of its human resources databases and then made misrepresentations about the database to the agency.

In order to comply with French data protection laws, any company operating a database in France must register its database with CNIL.  In the registration, it must (among other things) specify the nature of the database and whether the information contained in the database will be sent overseas to another country that lacks an adequate level of data protection (such as the United States, according to the EU).

When Tyco Healthcare sought to register the database in question in 2004, it represented to the CNIL that its purpose was to assist human resources in processing employee salary data. The CNIL, however, requested further information about transborder data flows and the nature, functions and security features of the database. The company failed to respond to the agency’s repeated requests for clarification, and finally represented to the CNIL that the database had been suspended. The agency then launched an investigation and found that not only was the database still active, but its use was far more extensive and widespread than the company had represented.

The Tyco Healthcare case should serve as a strong wake-up call to U.S. multinationals with operations in Europe (and particularly France), underscoring the importance of complying with European data protection laws, which may be unfamiliar to U.S. based companies. Moreover, any multinational with a global HRIS (Human Resources Information System) that transfers data from Europe to countries other than those (such as Switzerland, Argentina and Canada) that the EU has recognized as providing an adequate level of data protection should ensure that it sends the data overseas under an EU-sanctioned transfer mechanism.

Currently, the EU recognizes three such transborder data flow vehicles: a company can self-certify with the U.S. Department of Commerce that it adheres to the relevant data protection principles (the “safe harbor” system); it can enter into “model contracts” with its European subsidiaries, agreeing to abide by mandatory data protection provisions; or it can adopt a set of “binding corporate rules,” company-drafted data protection rules that apply throughout the group and that must be approved by the data protection authorities of the EU member states concerned. Failure to implement at least one of these three methods could result in significant liability and negative exposure.