DataGuidance spoke with Cécile Martin, Special International Counsel at Proskauer Rose LLP, at the International Association of Privacy Professionals’ Conference in Brussels in November 2016. Cécile discussed the passing of the Digital Republic Bill and its implications for organizations, as well as the latest developments regarding employee monitoring in France and the upcoming changes with the GDPR.

Co-authored by Geoffrey Roche

On March 10, 2016, the French data protection agency (« CNIL ») pronounced a €100.000 ($111,715) fine against Google Inc. for failure to comply with its formal injunction of May, 2015 ordering the company to extend delisting to all the search engine’s extensions.

In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL).

There are two possible ways to notify the CNIL of a whistleblowing system:

  1. request a formal authorization from the CNIL (this is quite burdensome and difficult to obtain), or
  2. opt for the standard whistleblowing authorization (AU-004).

In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees and because the CCTV enabled the constant monitoring of one employee making the recording disproportionate to the goal pursued.  The CNIL also sanctioned the company because it failed to implement an adequate level of security of the data housed on its systems.

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets.  In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names. 

It may seem obvious to a lay person that employees should refrain from insulting their companies on social media due to the threat of termination for cause; however, there are contradictory legal principles that apply to the use of social media by employees which can be used both for and against employees (i.e. freedom of speech, right to privacy, data protection laws, an employer’s right to take disciplinary action, public insult offense, etc.) As a consequence, there is uncertainty as to whether an employer can use its employees’ postings made on social media websites to sanction them.

While the European Commission is seeking to update its 15-year-old Directive regarding the protection of personal data, several regulations have been passed to strengthen privacy rights in Europe. With all this activity, it’s clear that the United States is not the only country trying to adapt its privacy and information security standards to rapidly evolving technologies and marketplaces. Companies with an international presence need to stay alert to stay compliant. We can help!