French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

Posted on December 15, 2010 by Cecile Martin

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

At that time, the CNIL had issued a deliberation to reach a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law.  According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of the SOX Act.  According to Article 3 of the 2005 deliberation, alleged wrongdoings not encompassed within these core areas may be covered by the whistleblowing system only if vital interests of the company or the physical or psychological integrity of its employees were threatened.

The French Supreme Court addressed the scope of the CNIL's deliberation in a decision dated December 8, 2009. In that decision, the French Supreme Court was asked to consider the validity of a corporate Code of Conduct that had been implemented by a listed company (Dassault Systèmes) in order to comply with the SOX Act. The French Supreme Court found that the scope of Dassault's code of conduct was too broad, in that it invited employees to report violations relating to more than just finance, accounting and anti-corruption matters, but also intellectual property rights, confidentiality, conflict of interest, discrimination, and sexual or psychological harassment. In the eyes of the Court, the Dassault code of conduct's whistleblowing system was invalid because it permitted whistleblowers to report violations other than those enumerated under Article 1 of the CNIL deliberation.

While companies were already required to obtain approval from CNIL for whistleblowing systems that exceeded the scope of the 2005 deliberation, the French Supreme Court’s decision helped to clarify exactly when such approval is needed. According to the Supreme Court’s decision, any whistleblowing system that allows complaints concerning conduct violations beyond those listed must be specifically authorized by the CNIL on a case-by-case basis, or risk being invalidated.

In order to align its deliberation with the Supreme Court’s decision, the CNIL modified the 2005 deliberation to limit its scope to:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies concerned by SOX Act section 301(4) of July 31, 2002;
  • Japanese SOX of June 6, 2006.

It also specified that:

  • alerts outside the scope of the deliberation must be destroyed or archived immediately;
  • when the alert does not give rise to a disciplinary or legal procedure, data related to the alert are destroyed or archived within two months from the end of the inquiry.

So far, 1,605 companies have complied with the CNIL’s deliberation. For companies whose systems are compliant with the new scope of the deliberation, no additional formalities are necessary. But for those others whose systems are not compliant, they have six months to bring their whistleblowing system into compliance or obtain an authorization from the CNIL.

To facilitate reporting of wrongdoings which are not encompassed within the scope of the new deliberation, the CNIL suggests informing employees that they should report them to their managers, unionists or human resources departments.

From a practical point of view, there is a strong likelihood that the CNIL will be very cautious before approving any whistleblowing system that exceeds the scope of its new deliberation, or even refuse to approve such a system. Consequently, multinational companies may want to think about restricting their whistleblowing systems to the core areas specified in the CNIL's new deliberation so as to avoid having their systems invalidated.
Tags: , , , ,

French Data Protection Agency Issues Guidelines to Help Companies Strengthen the Security of their Data Processing

Posted on October 25, 2010 by Cecile Martin

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas. 

According to article 34 of the French Data Protection Act of January 6, 1978 (as later amended, the “Act”), data controllers must take all useful precautions, depending on the nature of the data and the risks involved in processing it, to preserve the security of the data and, in particular, to prevent its alteration and damage, or access by non-authorized third parties.

Failure to do so is punishable by five years' imprisonment and a fine of €300,000.

This duty to ensure the security of data continues throughout all stages of data processing, i.e. from the data’s creation, to its use, back-up, filing and through to its eventual destruction.

In its recently issued guidelines, the CNIL particularly recommends that companies:

1.  Manage/Restrict access to data:

  • Give a user-ID to each data processor in order to authenticate such user by means of a password, smartcard, digital fingerprint…and make sure that in cases where a password is used, it is modified every 3 months. The CNIL also recommends that companies remind their employees never to give their passwords to anyone, never to use the same password for different accesses, and not to configure their software so that passwords are recorded;
  • Implement a permission management system to determine which category of employees may have access to each database. The CNIL considers that that each user should only have access to the data s/he needs for carrying out his/her duties. In order to have an effective permission management system, it is, for instance, advised to delete users’ access permissions as soon they are no longer authorized to have such access or processing rights as well as when they are terminated.

2.  Log/Register the actions made by users on the system during a defined period of time:

  • According to Article 6 of the Act, processing may only be performed on personal data that meets the following conditions: the data shall be obtained and processed fairly and lawfully; it shall be obtained for specified, explicit and legitimate purposes; and it shall not subsequently be processed in a manner that is incompatible with those purposes.
  • The CNIL recommends that any logs of user data should be stored for a maximum of 6 months.
  • The data components to be stored are: the user number, the log-in date and time, and the log-out date and time.

3.  Guarantee the integrity of the data:

  • Article 6 of the Act provides that data shall be accurate, complete and, where necessary, kept up-to-date;
  • The CNIL recommends implementing measures to avoid viruses and fraudulent intrusions of company computers, and to secure remote access via Internet. To this end, the following protective measures may be introduced: limiting the number of access log-in attempts, implementing firewalls and automatic lock sessions, and using up-to-date antivirus programs.

4.  Implement processes enabling the deletion, archiving or anonymization of the data:

  • Article 6 of the Act also provides that data shall be stored in a form that allows the identification of data subjects for a period no longer than is necessary for the purposes for which such data was obtained and processed
  • Two types of anonymization exist, the first is irreversible, i.e., there is no ability to make the data identifiable to an individual again. The second is reversible and allows for the anonymized data to be reconverted into a format where the personal data is maintained. Regarding reversible anonymization, the CNIL specifies that the re-identification process must be very secure.

In order to guide companies to self-assess the level of security of their data processing, the CNIL has issued a questionnaire that focuses on the following points:

  • Analysis of the risks;
  • Authentication of the users;
  • Permissions management;
  • Work stations security;
  • Mobile IT security;
  • Back-ups;
  • Maintenance security;
  • Log files access security;
  • Protection of the premises;
  • Protection of the internal IT network;
  • Servers and applications security;
  • Managing subcontracting;
  • Archiving; and
  • Security of data exchanges with other companies.

To continue to strengthen companies’ security with regard to data processing, the CNIL has announced that a more elaborated document is being prepared.
Tags: , , , , , , , , ,

European Privacy Law And Social Networking

Posted on July 7, 2009 by Cecile Martin

 

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity thefts, loss of employment or business opportunities.  In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken off of a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

 

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

 

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

 

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users.  The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

 

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks both to users and third parties of uploading information.  If third party information or pictures are uploaded, it should be done with that individual’s consent. They should also provide information and adequate warning to users about privacy risks when uploading data on the SNS.

 

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

 

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

 

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

 

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

 

Retention of Data – Personal data of users should not be kept after their accounts are deleted.  When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

 

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

 

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

 

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

 

Thus, companies that do not operate an SNS may still governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

 

Proskauer summer associate Adam Freed contributed to this post.

Tags: , , , , , , ,

UK Data Protection Authority Publishes Draft Guidelines for Implementing Privacy Policies

Posted on February 19, 2009 by Cecile Martin

The UK Information Commissioner Office ("ICO", the UK data privacy agency) has recently issued an informative code of practice to assist companies collecting personal data so that they can better draft clear privacy notices to data subjects about how the company intends to use personal data, and especially when such data is considered to be of a confidential or sensitive nature. The published guidelines are subject to a consultation period and will be finalized after the consultation period ends, on April 3, 2009.

In issuing the guidelines, the ICO made clear that privacy polices were essential to reassure companies’ potential and existing customers that that the privacy of their data is taken seriously.

The principal purpose of the guidelines is to remind companies that they must inform all data subjects about:

  • the transfer of data to other companies and overseas;
  • the duration of storage;
  • the measures taken to ensure the security of the personal data;
  • the possibility to object to direct marketing;
  • who to contact if there is a complaint.

In promulgating the guidelines, the ICO reminded the companies of their obligations under the EU Data Protection Directive of 1995, which provides that all personal data must be processed "fairly and lawfully."

At a time when data breaches and online marketing have become increasingly common, it is essential that UK companies issue transparent policies about the collection, use, sharing, and security of personal data.

Jeremy Mittman in Proskauer's Los Angeles office contributed to this post.

Tags: , ,

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

Posted on April 22, 2008 by S. Montaye Sigmon
The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

  • Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;
  • Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The Working Party found that users of search engines have the right to inspect and correct, where inaccurate or unnecessary, all their personal data collected by search engine providers.
Tags: , , , , , , , , , , , , , ,

Federal Trade Commission Announces Settlement with TJX Over Inadequate Security Practices

Posted on April 15, 2008 by Brendon Tavelli

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.

In the FTC’s action against TJX, the Commission alleged that TJX failed to prevent unauthorized access to personal information on its computer networks. These failures allowed a hacker to exploit vulnerabilities and obtain tens of millions of credit and debit payment cards used at the retailer’s stores along with personal information about approximately 455,000 consumers that returned merchandise without receipts. The FTC alleged that TJX:

  • Created an unnecessary risk to personal information by storing it on and transmitting it between various computer networks in clear text;
  • Did not use readily available security measures to limit wireless access to its networks, thereby allowing an intruder to connect wirelessly to its networks without authorization;
  • Did not require the use of strong passwords or different passwords to access different programs, computers, and networks;
  • Failed to use readily available security measures, such as firewalls, to limit access among its computers and the Internet; and
  • Failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as patching or updating anti-virus software. 

The FTC’s settlement with TJX requires the retailer to implement and maintain a comprehensive information security program that is designed to protect the security, confidentiality and integrity of personal information collected from or about consumers. The program must include certain administrative, technical and physical safeguards that are appropriate to the company’s size, the nature of its activities, and the sensitivity of the personal information it collects. In particular, TJX must:

  • Designate an employee or employees to coordinate the information security program;
  • Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place;
  • Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness;
  • Develop reasonable steps to select and oversee service providers that handle the personal information they receive from the companies; and
  • Evaluate and adjust their information security programs to reflect the results of monitoring, any material changes to their operations, or other circumstances that may impact the effectiveness of their security programs.

In addition, TJX must retain an independent, third party security auditor to assess the sufficiency of its information security program at least once every two years for the next 20 years. This security auditor will be required to certify that the company’s security program satisfies the requirements of the consent agreement and is operating with sufficient effectiveness to provide reasonable assurance that consumers’ personal information is being protected. The FTC is not seeking any financial penalty to resolve the charges.

The proposed agreement is subject to public comment until April 28, 2008, after which the FTC will decide whether to make it final.
Tags: , , , , , , ,

In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States

Posted on May 29, 2007 by Proskauer Rose LLP

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Minnesota’s New Law

The Minnesota law, H.F. 1758, amends Minnesota’s data breach notification law and contains security and liability components. The security requirements take effect August 1, 2007 and apply to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards “issued by a financial institution.” Such companies are prohibited from retaining the following card data after authorization of a transaction:

  • “the full contents of a track of magnetic stripe data” (which encompasses the “card verification value” or CVV – a unique authentication code embedded on the magnetic stripe);
  •  the three to four digit security code on the back of the card by the signature block (also known as CVV2); and
  • any PIN verification code number. If a debit card with PIN is used, a company is prohibited from retaining the data more than 48 hours after authorization of the transaction. 

The liability provision of H.F. 1758 applies to data breaches occurring after August 1, 2008. It requires companies to reimburse card-issuing financial institution for the “costs of reasonable actions” to both protect its cardholders’ information and to continue to provide services to its cardholders after a breach. The reimbursement would cover costs related to providing cardholders with notification of the breach, cancellation and reissuance of cards, closing or reopening of accounts and stop payments, and cardholder refunds for unauthorized transactions charged to their accounts. A financial institution may also bring an action to recover for the costs of damages it pays to cardholders resulting from a breach.         

The Five Pending Bills

The April 27, 2007 blog entry posted here discussed in detail California’s A.B. 779 as introduced. Since that posting, A.B. 779 has been amended in various California Assembly Committees and now resides with the Appropriations Committee. The amended bill extended the scope of the bill beyond just retailers to all persons or businesses conducting business in California that own or license computerized data containing personal information. The 90-day record destruction requirement in the original bill has been deleted, but the amended bill now has a host of other restrictions on storing payment card data. Among its requirements, the bill requires:

  • account numbers retained by businesses be “indecipherable” to unauthorized persons;
  • that payment related data sent across a network be encrypted;
  • that companies have role-based restrictions for employee access to such data; and
  • the bill also adds a provision that is broader than Minnesota’s financial institution reimbursement provision, requiring vendors that maintain, but do not own or license breached personal information, to reimburse data owners and licensees for “reasonable and actual costs” of providing data breach notification.                   

  

In the Texas legislature, the House passed H.B. 3222, which would require companies that accept, process or maintain credit card, debit card and other financial institution-issued cards to follow the Payment Card Industry’s Data Security Standard (“PCI DSS”). The PCI DSS are extensive industry security standards designed to prevent identity theft that the major credit card issuers impose on merchants that store, process or transmit cardholder data. While H.B. 3222 excludes financial institutions from the security standards, it empowers them, subject to certain conditions, with a right of action for actual damages against other companies they believe have violated the provision. 

The other pending bills, Connecticut S.B. 1089, Illinois S.B. 1675 and Massachusetts H. 213 all contain provisions similar to Minnesota’s liability provision making companies liable to banks or financial institutions that incur costs arising from a breach. It should be noted that the liability provisions of Massachusetts’ H. 213 were not included in omnibus versions of data breach notification, credit freeze and data security and disposal bills that have recently passed the Massachusetts House and Senate, and which await action by conference committee to resolve differences between the two versions.   
Tags: , , , , , , , , , , , , ,

First Subsidiary of a U.S. Based Multinational Company Fined for Data Protection Violations in France

Posted on May 29, 2007 by Jeremy Mittman

Last month the French subsidiary of the U.S. based company, Tyco Healthcare, became the first local branch of a U.S. company to be fined for data protection violations. France’s data protection agency, La Commission Nationale de L'informatique et des Libertes (CNIL) levied a fine of 30,000 euro (or about $40,350) against the company after it both ignored CNIL’s requests for clarification about one of its human resource databases and then made misrepresentations concerning the database to the regulatory agency.

In order to comply with French data protection laws, any company operating a database in France must register its database with CNIL.  In the registration, it must (among other things) specify the nature of the database and whether the information contained in the database will be sent overseas to another country that lacks an adequate level of data protection (such as the United States, according to the EU).

When Tyco Healthcare sought to register the database in question in 2004, it represented to CNIL that its purpose was to assist human resources in processing employee data relating to salary information. CNIL, however, requested further information about transborder data flow, the nature of the data base, its functions, and security features. The company failed to respond to the agency’s repeated requests for clarification, and then finally represented to CNIL that the database had been suspended.  The data protection agency then launched an investigation, and uncovered that not only was the relevant database still active but moreover, its use was much more important and widespread than the company had earlier represented. 

The Tyco Healthcare case should provide a strong wake-up call to US multinationals with operations in Europe (and particularly France) underscoring the importance of compliance with European data protection laws, which may be unfamiliar to U.S. based companies.  Moreover, any multinational with a global HRIS (Human Resources Information System) that transfers data from Europe to countries other than Switzerland, Argentina, and Canada – those countries that have been anointed by the EU as possessing laws that provide an adequate level of data protection -- should ensure that it sends data overseas pursuant to an EU-sanctioned method. 

Currently, the EU recognizes three such transborder data flow vehicles:  a company can self-certify with the U.S. Department of Commerce that it adheres to data protection principles (known as the "safe harbor" system), or it can enter into "model contracts" with its European subsidiaries, agreeing to abide by mandatory data protection provisions.  Additionally, it can develop a set of "binding corporate rules"-- company-drafted data protection regulations that apply throughout the company and which must be ratified by each EU member states' data protection authorities.   Failure to implement at least one of the above three methods could result in significant liability and negative exposure.

 
Tags: , , , , ,

Dubai Becomes First Arab Nation to Enact Data Protection Law

Posted on April 19, 2007 by Jeremy Mittman

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens.  In a statement announcing the new law, Dubai called the enactment "pioneering in the region" and an examination of the law reveals that the description is rightly deserved.   The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.    

 

 

Following a period of public consultation, Dubai (the Dubai International Financial Center, or DIFC) strengthened its previous data protection law of 2004, giving it some extra teeth and enhanced enforcement powers by a newly created independent Office of Commissioner of Data Protection.   The law protects all "personal information", which is broadly defined as "any information relating to an identifiable natural person."  The law also protects "sensitive data" such as information about a person's political affiliation or racial identity.  

Arguably the most significant aspect of the new law is its international transfer provisions, codified at Articles 11 and 12, which govern the transfer of personal data out of the DIFC to third countries.  Like the European data directive, the Dubai law allows for the transfer of personal information to countries that offer an "adequate level of protection."  Transfer of information to countries that fall short of providing the adequacy requirement (such as, presumably, the United States) is permitted-- provided, however, the newly appointed data protection Commission gives its consent to the transfer.  

The new law's regulations specify that a data controller (e.g. an employer) must apply to the Commissioner of Data Protection for a permit to transfer the data to a country with less than adequate protection.  Unfortunately, however, the regulations do not specify which countries qualify as those that do offer an adequate level of protection-- although one would not be surprised if Dubai simply adopted the EU's list of "certified" countries, such as Argentina, Switzerland, Canada, and the Isle of Man.  

Fortunately, the application process is greatly simplified by a well-drafted and user-friendly application that may be filled out by the data controller and sent to the Commissioner (there is no fee for the application to seek a permit to transfer data; nor is there a fee to apply for a permit to process sensitive data, also required under the Act).    

While it remains to be seen how strictly the new data protection law is enforced, employers operating in Dubai would be well-advised to comply with its provisions.   Based on the text of the law and its similarities to the EU model, one would not be surprised to find the EU soon anointing Dubai as the first Arab nation to have a data protection law that offers substantially similar protections, allowing for the free transfer of data.
Tags: , , , , ,