data protection

Subscribe to data protection via RSS

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets.  In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names. 

By a decision dated October 14, 2010, and published on December 8, 2010, the French Data Protection Agency (known under the acronym CNIL) revised the deliberation that it issued on December 8, 2005.
At that time, the CNIL had issued a deliberation to reach a compromise between the United States’ Sarbanes-Oxley (“SOX”) requirements and French law. According to Article 1 of that deliberation, companies were authorized to adopt whistleblowing systems implemented in response to French legislative mandates, regulatory internal control requirements (e.g. regulations governing banking institutions), or the whistleblowing requirements of the SOX Act. According to Article 3 of the 2005 deliberation, alleged wrongdoings not encompassed within these core areas may be covered by the whistleblowing system only if vital interests of the company or the physical or psychological integrity of its employees were threatened.

To assist companies to comply with European data protection laws, in particular those implemented in France, the French Data Protection Agency (known as “CNIL”) recently issued a set of guidelines organized by topic which provide elementary precautions to be taken by data controllers in several subject areas, including what types of conduct are prohibited as well as the CNIL’s recommendations in these areas.

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted

The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

According to a proposed settlement announced by the Federal Trade Commission (“FTC”) on March 27, 2008, discount retailer TJX will be required to implement a comprehensive information security program to remedy deficiencies in protecting sensitive consumer information. If approved, the settlement will resolve allegations that the company engaged in practices that failed to provide reasonable and appropriate security for consumer information. In addition to implementing a comprehensive security program, TJX will be required to obtain periodic security audits to provide reasonable assurances that personal information is being adequately protected.