What's new in Europe?

While the European Commission is seeking to update its 15-year-old Directive on the protection of personal data, several measures have recently been adopted that strengthen privacy rights in Europe.

First, the European Union’s Article 29 Working Party has decided to define more clearly what counts as genuine consent to the processing of personal data. According to its opinion issued on July 14, 2011, consent requires mechanisms that leave no doubt as to the data subject’s intention to authorize the processing. In the Working Party’s view, only affirmative statements or actions, not mere silence or inaction, can constitute valid consent. The burden is on data controllers to prove that they obtained genuine consent; the data subject is not required to rebut any presumption of consent in the controller’s favor.

In the meantime, in France, the French Data Protection Agency (CNIL) has for the first time authorized two companies to implement a whistleblowing process dedicated to receiving and handling complaints about discrimination. The CNIL has always been reluctant to approve whistleblowing programs other than those relating to banking, financial, accounting and anti-corruption matters. Moreover, in response to a December 2009 decision of the French Supreme Court, the CNIL had recently narrowed the scope of its “blanket authorization” for whistleblowing programs by removing from it programs addressing the “vital interests of the business or the physical or psychological integrity of employees.” The CNIL’s recent approval of whistleblowing programs relating to discrimination suggests, however, that it may still be possible to obtain approval for programs that fall outside the scope of the blanket authorization. In the instant cases, it is noteworthy that in authorizing the whistleblowing systems dedicated to uncovering potential discrimination, the CNIL relied upon the following elements of the programs:

  • anonymous alerts were prohibited;
  • the whistleblowing system was not mandatory for employees;
  • security measures were implemented; and
  • employees’ representatives had been informed.

These observations may offer some insight into the kinds of safeguards required for others to obtain approval of a whistleblower program from the CNIL.

In another recent decision, the CNIL exempted from certain filing obligations the French suppliers (i.e., service providers acting as data processors) that act on behalf of companies located outside the EU. Prior to the CNIL’s decision, it was understood that both non-EU-based companies processing personal data in France and their French suppliers had to file paperwork with the agency about the processing. The CNIL recognized, however, that it was burdensome (and duplicative) for French suppliers acting on behalf of non-EU-based companies to comply with the same filing obligations. As a consequence, the CNIL has exempted French suppliers from their filing obligations for processing related to human resources, clients and prospects that is performed on behalf of companies based outside the EU.

Finally, under a new law dated March 15, 2011, the CNIL’s investigative and sanctioning powers have been modified. According to this new law, the CNIL must now systematically inform data controllers of their right to object to on-site inspections conducted by the agency. If the data controller objects to a proposed on-site inspection, the inspection can only be carried out with a court’s authorization. In case of emergency or risk that documents will be destroyed, however, the CNIL can, with prior court authorization, conduct the on-site inspection without informing the data controller, who in that case cannot object to it. Furthermore, the new law authorizes the CNIL to publicize the sanctions it imposes on data controllers for data processing violations, even where the data controllers have not acted in bad faith.

With all this activity in France, it is clear that the United States is not the only country trying to adapt its privacy and information security standards to rapidly evolving technologies and marketplaces. Companies with an international presence need to stay alert in order to stay compliant. We can help!

French Data Protection Agency Restricts the Scope of the Whistleblowing Procedures: Multinational Companies Need to Make Sure They Are Compliant

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.

In 2005, the CNIL had issued that deliberation to reach a compromise between the requirements of the United States’ Sarbanes-Oxley Act (“SOX”) and French law. According to Article 1 of the deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g., regulations governing banking institutions), or the whistleblowing requirements of the SOX Act. According to Article 3 of the 2005 deliberation, alleged wrongdoing not falling within these core areas could be covered by the whistleblowing system only if the vital interests of the company or the physical or psychological integrity of its employees were threatened.

The French Supreme Court addressed the scope of the CNIL's deliberation in a decision dated December 8, 2009. In that case, the Court was asked to rule on the validity of a corporate Code of Conduct that a listed company (Dassault Systèmes) had implemented in order to comply with the SOX Act. The Court found that the scope of Dassault's code of conduct was too broad, in that it invited employees to report violations relating not only to finance, accounting and anti-corruption matters, but also to intellectual property rights, confidentiality, conflicts of interest, discrimination, and sexual or psychological harassment. In the eyes of the Court, the whistleblowing system in Dassault's code of conduct was invalid because it permitted whistleblowers to report violations other than those enumerated under Article 1 of the CNIL deliberation.

Companies were already required to obtain approval from the CNIL for whistleblowing systems that exceeded the scope of the 2005 deliberation, but the French Supreme Court’s decision clarified exactly when such approval is needed. According to the decision, any whistleblowing system that accepts complaints about conduct beyond the listed matters must be specifically authorized by the CNIL on a case-by-case basis, or it risks being invalidated.

In order to align its deliberation with the Supreme Court’s decision, the CNIL modified the 2005 deliberation to limit its scope to:

  • accounting;
  • finance;
  • banking;
  • anti-corruption;
  • competition;
  • companies subject to section 301(4) of the SOX Act of July 31, 2002; and
  • companies subject to the Japanese SOX Act of June 6, 2006.

It also specified that:

  • alerts outside the scope of the deliberation must be destroyed or archived immediately; and
  • when an alert does not give rise to disciplinary or legal proceedings, the data relating to the alert must be destroyed or archived within two months of the end of the inquiry.

So far, 1,605 companies have complied with the CNIL’s deliberation. For companies whose systems already fall within the new scope of the deliberation, no additional formalities are necessary. Those whose systems are not compliant have six months to bring their whistleblowing system into compliance or to obtain a specific authorization from the CNIL.

To facilitate the reporting of wrongdoing that falls outside the scope of the new deliberation, the CNIL suggests informing employees that they should report such matters to their managers, union representatives or human resources department.

From a practical point of view, there is a strong likelihood that the CNIL will be very cautious before approving any whistleblowing system that exceeds the scope of its new deliberation, and may even refuse to approve such a system. Consequently, multinational companies may want to consider restricting their whistleblowing systems to the core areas specified in the CNIL's new deliberation so as to avoid having their systems invalidated.

French Employers Can Open Files Located on a Company-Issued Computer Provided That They Are Not Clearly Identified As Personal

By a decision of October 21, 2009 (n°07-43877), the French Supreme Court ruled that files created by an employee on a computer issued by his employer for work purposes are presumed to be professional unless the employee has clearly identified them as personal. Consequently, the Court concluded that the employer was entitled to open such files in the employee’s absence and without informing the employee in advance.

In this case, the employer suspected the employee of unfair competition against the employer’s business. To investigate these suspicions, the employer engaged a bailiff to collect evidence from the employee’s work computer. In order to prevent the employee from erasing the evidence, the employer did not alert the employee that his work computer would be examined.

During his examination of the computer, the bailiff noticed a folder titled with the employee’s initials containing two sub-folders, one titled “personal” and the other titled with the name of the employer’s competitor. The bailiff opened only the second sub-folder, the one titled with the competitor’s name, where he found evidence that the employee had engaged in unfair competition against the employer.

On the strength of the bailiff’s affidavit, the employer terminated the employee for gross misconduct, i.e., without any severance. The employee then sued the employer for violation of his privacy.

The Court of Appeal had found that the bailiff should not have opened the folder titled with the employee’s initials without first informing the employee or without the employee being present.

Until this case, the case law was unclear on whether folders or files located on an employee’s work computer but titled with the employee’s name or initials would be afforded protection under workplace privacy law. In this ruling, the French Supreme Court made clear that all files created by an employee on an employer’s computer are presumed to be professional, and may be opened by the employer, unless they are expressly identified as personal. In adopting this position, the French Supreme Court was consistent with the French Data Protection Agency (CNIL), which since 2002 has advised employees to be cautious when using their work computers for personal purposes.

This decision is most helpful in that it clearly informs French companies of the privacy rules that apply to the folders and files employees store on their work computers. If the employee has clearly identified files as personal, the employer has no choice but either to obtain the employee’s prior consent before opening them, or to apply to a court for an order allowing the employer to open them.