Amid fresh fears about data protection, on November 14th, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertes (CNIL) published a checklist of recommended actions travellers should take to secure phones, computers and tablets when travelling outside the European Union.

On April 30, 2020, the French data protection authority, the CNIL, published a guidance surrounding considerations behind what it calls “commercial prospecting,” meaning scraping publicly available website data to obtain individuals’ contact info for purposes of selling such data to third parties for direct marketing purposes.  The guidance is significant in two respects.  First, it speaks to the CNIL’s view of this activity in the context of the GDPR and privacy concerns.  Second, beyond the context of direct marketing related privacy issues, the guidance lays out some guiding principles for companies that conduct screen scraping activities or hire outside vendors to collect and package such data.

This alert focuses on the ongoing and developing privacy issues that have arisen for employers and healthcare providers communicating about the 2019 novel coronavirus (COVID-19).  Specifically, we will discuss the steps that employers and healthcare companies need to consider when communicating to its employees, the media and general public, and government officials when an individual has been diagnosed with the coronavirus or may have been exposed to the coronavirus.

In late March, the French Data Protection Authority, Commission Nationale de l’Informatique et des Libertés (“CNIL”) released a model regulation (the “Model Regulation”) governing the use of biometric access controls in the workplace.  Unlike many items of personal information, biometric data (such as a person’s face or fingerprints) is unique and, if stolen or otherwise compromised, cannot be changed to avoid misuse.  Under Article 9 of the GDPR, biometric data collected “for the purpose of uniquely identifying a natural person” is considered “sensitive” and warrants additional protections.  The GDPR authorizes Member States to implement such additional protections.  As such, the French Data Protection Act 78-17 of 6 January 1978, as amended, now provides that employers – whether public or private – wishing to use biometric access controls must comply with binding model regulations adopted by the CNIL, the first of which is the Model Regulation.

The French Supreme Court sanctions a company for having produced complete employee pay slips in a litigation.

It is not news that the rules of evidence and data privacy laws may be conflicting. A recent decision of the French Supreme Court[1] illustrates this tension and highlights the need for litigators to take into account data privacy principles before producing evidence containing personal information.