Data Privacy Laws

Subscribe to Data Privacy Laws via RSS

US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees.  However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive.  This blog post is designed to provide some basic information about Article 8 and its exceptions.  It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.

 

 

Earlier this year, CNIL, the French Data Protection Agency, issued a ruling that changed the confidentiality treatment accorded to employee evaluations under French law. CNIL ruled that employees must be able to review any evaluations written about them by their employers. The CNIL issued the ruling after receiving several complaints from employees of an (anonymous) multinational company, which refused to divulge the employees’ evaluations to employees upon request.

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.