Author Archive

CNIL announces upcoming “cookies sweep day”

Posted on July 17th, 2014 by



On June 11th, 2014 the French Data Protection Authority (CNIL) announced an upcoming “cookies sweep day”, which aims to verify compliance with the cookies legal requirements. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement action will also enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog).

In Europe, other data protection authorities have already begun enforcing cookie rules, as recently illustrated by the fines pronounced by the Spanish DPA earlier this year (see our previous blog).

When will the “cookies sweep day” take place?

The “cookies sweep day” is scheduled to take place between 15 and 19 September 2014.

Who is targeted by the “cookies sweep day”?

Any company (within or outside the EU) that uses cookies or other tracking technologies to collect personal data from users in Europe.

Where will the “cookies sweep day” take place?

The CNIL will take part in a “cookies sweep day” at a European level aimed at verifying compliance with the notice and consent requirements. Each data protection authority in Europe will carry out its own compliance program under national law and may potentially conduct enforcement actions on its territory.

What will the CNIL verify?

The CNIL will focus its investigation on:

  • The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting)
  • The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third party cookies) used on his website.

Furthermore, where prior consent is required, the CNIL will verify:

  • The method used to obtain consent from the user
  • The quality, accessibility and clarity of the information provided to users
  • The consequences of a refusal from the user to use cookies. As an example, the CNIL refers to users of an e-commerce website whose only option is to refuse all cookies via the cookie settings of their web browser. As a result, such users may not be able to use the website at all.
  • The possibility to withdraw user consent at any time
  • The duration of cookies.

What are the risks for companies?

The risks of not complying with cookie requirements vary from one EU country to another depending on the enforcement/sanction powers of each data protection authority under national law. In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.

What should companies do in advance of this enforcement action?

As explained in our previous blog, cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:

  • Audit your websites to find out what types of cookies (or other tracking devices) you use
  • Analyse the purposes of the cookies
  • Assess the level of intrusiveness of cookies and verify which cookies require prior consent
  • Publish a clear, understandable and accessible cookie policy on your website
  • Implement an adequate cookie consent mechanism

For more information on the “cookies sweep day”, the CNIL’s press release is available (in French) here.

Article 29 Working Party issues draft model clauses for processor-to-subprocessor data transfers

Posted on April 9th, 2014 by



On 21st March 2014, the Article 29 Working Party (“WP 29”) issued a working document (WP 214) proposing new contractual clauses for cross-border transfers between an EU-based processor and a non-EU-based sub-processor (“draft model clauses”). This document addresses the situation where personal data are initially transferred by a controller to a processor within the European Union (“EU”) and are subsequently transferred by the processor to a sub-processor located outside the EU.

Back in 2010, the EU Commission adopted a revised version of its model clauses for transfers between a controller in the EU and a processor outside the EU, partly to integrate new provisions on sub-processing. However, it deliberately chose not to apply these new model clauses to situations whereby a processor established in the EU and performing the processing of personal data on behalf of a controller established in the EU subcontracts his processing operations to a sub-processor established in a third country (see recital 23 of the EU Commission’s Decision 2010/87/EU).

Absent Binding Corporate Rules, many EU data processors were left with few options for transferring the data outside the EU. This issue is particularly relevant in the context of a growing digital economy where more and more companies are transferring their data to cloud computing service providers who are often based outside the EU. Negotiating ad hoc model clauses on a case-by-case basis with the DPAs seemed to be the only solution available. This is precisely what the Spanish DPA undertook in 2012 when it adopted a specific set of standard contractual clauses for processor-to-sub-processor transfers and put in place a new procedure allowing data processors based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based outside the EU.

This has inspired the WP 29 to use the Spanish model as a basis for preparing draft ad hoc model clauses for transfers from an EU data processor to a non-EU sub-processor that could be used by any processor established in the EU. However, these draft model clauses have yet to be formally adopted by the European Commission before they can be used by companies and it may take a while before the EU Commission adopts a new official set of model clauses for data processors. Meanwhile, companies cannot rely on the draft model clauses to obtain approval from their DPAs to transfer data outside the EU. While the WP 29’s document certainly paves the way in the right direction, it remains to be seen how these draft model clauses will be received by the business sector and whether they can work in practice.

Below is a list of the key provisions under the draft model clauses for data processors:

  • Structure: the overall structure and content of these draft clauses are similar to those that already exist under the controller-to-processor model clauses, but have been adapted to the context of transfers between a processor and sub-processor.
  • Framework Contract: the EU data processor must sign a Framework Contract with its controller, which contains a detailed list of obligations (16 in total) specified in the draft model clauses – including restrictions on onward sub-processing. The practical effect of this could be to see the service terms between controllers and their EU processors expand to include a substantially greater number of data protection commitments, all with a view to facilitating future extra-EU transfers by the processor to international sub-processors under these model clauses.
  • Sub-processing: the EU processor must obtain its controller’s prior written approval in order to subcontract data processing activities to non-EU processors. It is up to the controller to decide, under the Framework Contract, whether it grants a general consent up front for all sub-processing activities, or whether a specific case-by-case approval is required each time the EU processor intends to subcontract its activities. The same applies to the sub-processing by the importing non-EU sub-processors. Any non-EU sub-processor must be contractually bound by the same obligations (including the technical and organisational security measures) as those that are imposed on the EU processor under the Framework Agreement.
  • List of sub-processing agreements: the EU processor must keep an updated list of all sub-processing agreements concluded and notified to it by its non-EU sub-processor at least once per year and must make this list available to the controller.
  • Third party beneficiary clause: depending on the situation, the data subject has three options to enforce model clause breaches against data processing parties to it – including initially against the exporting EU data processor (where the controller has factually disappeared or has ceased to exist in law), the importing non-EU data processor (where both the controller and the EU data processor have factually disappeared or have ceased to exist in law), or any subsequent sub-processor (where the controller, the exporting EU data processor and the importing non-EU data processor have all factually disappeared or have ceased to exist in law).
  • Audits: the exporting EU data processor must agree, at the request of its controller, to submit its data processing facilities for audit of the processing activities covered by the Framework Contract, which shall be carried out by the controller himself, or alternatively, an independent inspection body selected by the controller. The DPA competent for the controller has the right to conduct an audit of the exporting EU data processor, the importing non-EU data processor, and any subsequent sub-processor under the same conditions as those that would apply to an audit of the controller. The recognition of third party independent audits is especially important for cloud industry businesses who – for security and operational reasons – will often be reluctant to have clients conduct on-site audits but will typically be more comfortable holding themselves to independent third party audits.
  • Disclosure of the Framework Contract: the controller must make available to the data subjects and the competent DPA upon request a copy of the Framework Contract and any sub-processing agreement with the exception of commercially sensitive information which may be removed. In practice, it is questionable how many non-EU suppliers will be willing to sign sub-processing agreements with EU data processors on the understanding that provisions within those agreements could end up being disclosed to regulators and other third parties.
  • Termination of the Framework Contract: where the exporting EU processor, the importing non-EU data processor or any subsequent sub-processor fails to fulfil their model clauses obligations, the controller may suspend the transfer of data and/or terminate the Framework Contract.

Click here to access the WP 29’s working document WP 214 on draft ad hoc contractual clauses “EU data processor to non-EU sub-processor”.

Click here to view the article published in the World Data Protection Report.

CNIL: a regulator to watch in 2014

Posted on March 18th, 2014 by



Over the years, the number of on-site inspections by the French DPA (CNIL) has been on a constant rise. Based on the CNIL’s latest statistics (see CNIL’s 2013 Annual Activity Report), 458 on-site inspections were carried out in 2012, which represents a 19 percent increase compared with 2011. The number of complaints has also risen to 6,000 in 2012, most of which were in relation to telecom/Internet services, at 31 percent. In 2012, the CNIL served 43 formal notices asking data controllers to comply. In total, the CNIL pronounced 13 sanctions, eight of which were made public. In the majority of cases, the sanction pronounced was a simple warning (56 percent), while fines were pronounced in only 25 percent of the cases.

The beginning of 2014 was marked by a landmark decision of the CNIL. On January 3, 2014, the CNIL pronounced a record fine against Google of €150,000 ($204,000) on the grounds that the terms of use available on its website since March 1, 2012, allegedly did not comply with the French Data Protection Act. Google was also required to publish this sanction on the homepage of Google.fr within eight days of it being pronounced. Google appealed this decision; however, on February 7th, 2014, the State Council (“Conseil d’Etat”) rejected Google’s claim to suspend the publication order.

Several lessons can be learnt from the CNIL’s decision. First, that the CNIL is politically motivated to hit hard on the Internet giants, especially those who claim that their activities do not fall within the remit of the French law. No, says the CNIL. Your activities target French consumers, and thus, you must comply with the French Data Protection Act even if you are based outside the EU. This debate has been going on for years and was recently discussed in Brussels within the EU Council of Ministers’ meeting in the context of the proposal for a Data Protection Regulation. As a result, Article 4 of the Directive 95/46/EC could soon be amended to allow for a broader application of European data protection laws to data controllers located outside the EU.

Second, despite it being the highest sanction ever pronounced by the CNIL, this is hardly a dissuasive financial sanction against a global business with large revenues. Currently, the CNIL cannot pronounce sanctions above €150,000 or €300,000 ($410,000) in case of a second breach within five years from the first sanction pronounced, whereas some of its counterparts in other EU countries can pronounce much heavier sanctions; e.g., last December, the Spanish DPA pronounced a €900,000 ($1,230,000) fine against Google. This could soon change, however, in light of an announcement made by the French government that it intends to introduce this year a bill on “the protection of digital rights and freedoms,” which could significantly increase the CNIL’s enforcement powers.

Furthermore, it seems that the CNIL’s lobbying efforts within the French Parliament are finally beginning to pay off. A new law on consumer rights came into force on 17 March 2014, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections in addition to the existing on-site inspections. This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automatic data protection systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing.

Finally, the Google case is a good example of the EU DPAs’ recent efforts to conduct coordinated cross-border enforcement actions against multinational organizations. In the beginning of 2013, a working group was set up in Paris, led by the CNIL, for a simultaneous and coordinated enforcement action against Google in several EU countries. As a result, Google was inspected and sanctioned in multiple jurisdictions, including Spain and The Netherlands. Google is appealing these sanctions.

As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. The CNIL is already very influential within the Article 29 Working Party, as recently illustrated by the Google case, and Isabelle Falque-Pierrotin, the chairwoman of the CNIL, was recently elected chair of the Article 29 Working Party. Thus, companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.

This article was first published in the IAPP’s Privacy Tracker on 27 February 2014 and was updated on 18th March 2014.

CNIL issues new guidelines on the processing of bank card details

Posted on February 27th, 2014 by



On February 25, 2014, the French Data Protection Authority (“CNIL”) issued a press release regarding new guidelines adopted last November on the processing of bank card details relating to the sale of goods and the provision of services at a distance (the “Guidelines”). Due to the increase of on-line transactions and the higher number of complaints received by the CNIL from customers in recent years, the CNIL decided to update and repeal its previous guidelines, which dated from 2003. The new guidelines apply to all types of bank cards including private payment cards and credit cards.

Purposes of processing

The CNIL defines the main purpose of using a bank card number as processing a transaction with a view to delivering goods or providing a service in return for payment. In addition, bank card details may be processed for the following purposes:

  • to reserve a good or service;
  • to create a payment account to facilitate future payments on a merchant’s website;
  • to enable payment service providers to offer dedicated payment solutions at a distance (e.g., virtual cards or wallets, rechargeable accounts, etc.); and
  • to combat fraud.

Types of data collected

As a general rule, the types of data that are strictly necessary to process online payments should be limited to:

  • the bank card number;
  • the expiry date; and
  • the 3-digit cryptogram number on the back of the card.

The cardholder’s identity must not be collected, unless it is necessary for a specific and legitimate purpose, such as to combat fraud.

Period of retention

Bank card details may only be stored for the duration that is necessary to process the transaction, and must be deleted once the payment has taken place (or, where applicable, at the end of the period corresponding to the right of withdrawal). Following this period, the bank card details may be archived and kept for 13 months (or 15 months in the case of a deferred debit card) for evidence purposes (e.g., in case of a dispute over a transaction).

Beyond this period, the bank card details may be kept only if the cardholder’s prior consent is obtained or to prevent fraudulent use of the card. In particular, the merchant must obtain the customer’s prior consent in order to create a payment account that remembers the customer’s bank card details for future payments.

However, the CNIL considers that the 3-digit cryptogram on the card is meant to verify that the cardholder is in possession of his/her card, and thus, it is prohibited to store this number after the end of the transaction, including for future payments.

Security measures

Due to the risk of fraud, controllers must implement appropriate security measures, including preventing unauthorized access to, or use of, the data. These security measures must comply with applicable industry standards and requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), which must be adopted by all organizations with payment card data.

The CNIL recommends that the customer’s bank card details are not stored on his/her terminal equipment (e.g., computer, smartphone) due to the lack of appropriate security measures. Furthermore, bank card numbers cannot be used as a means of customer identification.

For security reasons (including those that are imposed on the cardholder), the controller (or processor) cannot request a copy of the bank card to process a payment.

Finally, the CNIL recommends notifying the cardholder if his/her bank card details are breached in order to limit the risk of fraudulent use of the bank card details (e.g., to ask the bank to block the card if there is a risk of fraud).

Future legislation

In light of the anticipated adoption of the Data Protection Regulation, organizations will face more stringent obligations, including privacy-by-design, privacy impact assessments and more transparent privacy policies.

New law on real-time geolocation creates concerns over right to privacy in France

Posted on February 26th, 2014 by



On February 24, 2014, the French Parliament adopted a new law regulating the real-time geolocation of individuals for law enforcement purposes (the “Law”). This Law was adopted in response to two decisions of the Court of Cassation of October 22nd, 2013, which ruled that the use of real-time geolocation devices in the context of judicial proceedings constitutes an invasion of privacy that must be authorized by a judge on the grounds of an existing law. A similar ruling was handed down by the European Court of Human Rights on September 2nd, 2010 (ECHR, Uzun v. Germany).

Essentially, this Law authorizes law enforcement authorities to use technical means to locate an individual in real-time, on the entire French territory, without that individual’s knowledge, or to locate a vehicle or any other object, without the owner or possessor’s consent. These methods may be applied in the course of a preliminary inquiry or a criminal investigation into:

  • felonies and misdemeanours against individuals that are punishable by at least 3 years’ imprisonment, or aiding/concealing a criminal, or a convict’s escape;
  • crimes and felonies (other than those mentioned above) that are punishable by at least 5 years’ imprisonment;
  • the cause of death or disappearance;
  • finding an individual on the run against whom a search warrant has been issued; and
  • investigating and establishing a customs felony punishable by at least 5 years’ imprisonment.

The use of real-time geolocation may only be conducted by a police officer for a maximum period of 15 days (in the case of a preliminary inquiry) or 4 months (in the case of an investigation) and must be authorized respectively by the public prosecutor conducting the inquiry or the judge authorizing the investigation.

However, there are serious concerns within the legal profession that this Law constitutes an invasion of privacy. According to the European Court of Human Rights, a public prosecutor is not an independent judicial authority, and therefore, the use of real-time geolocation in the context of a preliminary inquiry would constitute a violation of the individual’s civil liberties and freedoms. The use of real-time geolocation is considered to be a serious breach of privacy, which as a result, should only be used in exceptional circumstances for serious crimes and felonies, and should remain at all times within the control and authority of a judge. As a consequence, the French Minister of Justice, Christiane Taubira, has asked the Presidents of the French National Assembly and Senate to bring this Law before the Constitutional Council before it comes into force to decide whether it respects the Constitution.

The French Data Protection Authority (“CNIL”) stated in a press release that real-time geolocation of individuals is comparable to the interception of electronic communications, and therefore, identical safeguards to those that apply to the interception of electronic communications (in particular, the conditions for intercepting electronic communications in the course of criminal proceedings) should equally apply to geolocation data. The CNIL also considers that the installation of a geolocation device in an individual’s home, without that individual’s knowledge, should be supervised and authorized by a judge at all times, regardless of whether that operation takes place during the day or at night.

In a previous press release, the CNIL raised similar concerns over the adoption of the Law of December 18th, 2013, on military programming, which authorizes government authorities to request real-time access to any information or documents (including location data) stored by telecoms and data hosting providers on electronic communications networks for purposes of national security.

CNIL amends legal framework for whistleblowing schemes in France

Posted on February 25th, 2014 by



In France, the legal framework for whistleblowing schemes is based on a decision of the French Data Protection Authority (the “CNIL”) of 2005 adopting a “single authorization” AU-004  for the processing of personal data in the context of whistleblowing schemes. In principle, companies must obtain the CNIL’s approval prior to implementing a whistleblowing scheme. The CNIL’s single authorization AU-004 allows companies to do so simply via a self-certification procedure, whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in the CNIL’s single authorization AU-004.

Initially, companies could only self-certify to the CNIL’s single authorization AU-004 if they were required to adopt a whistleblowing scheme either to comply with legal or regulatory requirements in specific and limited areas (i.e., finance, accounting, banking, fight against corruption), or if they could demonstrate a legitimate purpose, which at the time, was limited to complying with Section 301(4) of the U.S. Sarbanes-Oxley Act. In 2010, the CNIL broadened the scope of its single authorization by expanding the “legitimate purpose” condition to cover two new areas: compliance with the Japanese Financial Instruments Act and the prevention of anti-competitive practices (i.e., anti-trust matters). On January 30th, 2014, the CNIL amended its single authorization AU-004 a second time, essentially to add the following areas to the scope of whistleblowing schemes: the fight against discrimination and workplace harassment, compliance with health, hygiene and safety measures at the workplace, and the protection of the environment.

These successive amendments show that the CNIL’s view on whistleblowing schemes has evolved over time and it has adopted a more realistic and pragmatic approach given that, in today’s world, many multinational organizations require their affiliates to implement a streamlined and globalized whistleblowing scheme across multiple jurisdictions. Under the revised framework, whistleblowing schemes are still limited to pre-defined areas and cannot be used for general and unlimited purposes. Nevertheless, the broadened scope of whistleblowing schemes allows companies and their employees to act more in line with an organization’s internal code of business conduct and the various areas that it covers. The CNIL’s decision should therefore enable companies to use their whistleblowing schemes more consistently across jurisdictions and to streamline the reporting process in areas that are commonly recognized as fraudulent or unethical.

The CNIL also clarified its position regarding anonymous reporting. Historically, the CNIL has considered that anonymous reporting creates a high risk of slanderous reporting and can have a disruptive effect for companies. In its decision of January 30, 2014, the CNIL states that organizations must not encourage individuals to make anonymous reports and, on the contrary, anonymous reporting should remain exceptional. The CNIL also specifies the conditions that apply to anonymous reporting, namely:

  • the seriousness of the facts that were reported must be established and the facts must be sufficiently precise; and
  • the anonymous report must be handled with specific precautions. For example, the initial receiver of the report should assess whether it is appropriate to disclose the facts within the whistleblowing framework prior to doing so.

The CNIL’s intention here is to limit the risk of slanderous reporting by encouraging companies to establish a clear and transparent system for employees, while ensuring that the appropriate security and confidentiality measures have been implemented, particularly to protect the identity of the whistleblower.

Effectively, the revision of the CNIL’s single authorization AU-004 can also be viewed as a tactical move by the CNIL to funnel companies through the self-certification approval process, rather than to seek ad hoc approval from the CNIL. It also encourages companies to be more transparent regarding the purposes for which their whistleblowing schemes are used and allows the CNIL to enforce compliance with the Data Protection Act more efficiently.

The CNIL’s decision does not specify any date of entry into force. Therefore, these amendments came into force on January 30th, 2014, the date of publication of the decision in the Official Journal. The decision also does not specify any grace period for complying with the new conditions; therefore, companies are required to comply with them immediately.

This article was initially published in the March 2014 edition of The Privacy Advisor.

European Commission Adopts Technical Implementing Measures for Data Breaches

Posted on September 3rd, 2013 by



On June 24th, 2013, the European Commission adopted a new Regulation No 611/2013 (the “Regulation”) on the measures applicable to the notification of personal data breaches under the Directive 2002/58/EC (the “ePrivacy Directive”). This Regulation came into force on August 25th, 2013.

Since the revision of the ePrivacy Directive in 2009, providers of electronic communications services to the public (mainly telecom providers and ISPs) must notify the competent national authority in Member States when a personal data breach occurs. The Regulation harmonizes the technical measures that apply to data breaches across EU Member States.

Timeline for notifying data breaches

Under article 4-3 of the ePrivacy Directive, service providers are required to notify the regulator “without undue delay”. The Regulation introduces a new obligation for service providers to notify the competent national authority no more than 24 hours after the detection of a data breach, where feasible.

The Regulation specifies that a data breach is considered to be detected when the service provider has sufficient awareness that a security incident leading to personal data being compromised has taken place. At this point it is necessary for the service provider to make a meaningful notification to the competent national authority. This provision illustrates the need for organizations to adopt an internal action plan allowing them to assess and to respond to data breaches effectively.

Where the company handling the data has no direct relationship with the end user (for example where the service provider uses another provider to perform part of the service, e.g. in relation to billing or management functions), the company is not required to issue notifications, but still has a duty to alert and notify its customer (i.e., the electronic communications service provider) when it becomes aware of a data breach. In this respect, providers of electronic communications services must ensure that this obligation exists in their service provider agreements.

Content of the notification to the regulator

The Regulation specifies under Annex 1 the information that must be mentioned in the notification to the national authority, including: the name of the service provider, the name and contact details of the data protection officer (or another contact person within the organization) and the details of the personal data breach (date and time of incident, circumstances surrounding the breach, nature and content of the data concerned).

Two-step notification process

Where the service provider is unable to gather all the required information within 24 hours because the data breach is still being investigated, the Regulation authorizes the company to make an initial notification within 24 hours of the breach being detected, followed by a second notification as soon as possible and no later than three days following the initial notification. This second notification should complete and, if needed, update the initial notification. If the service provider is unable to provide all the information within the subsequent three day period, it must submit a reasoned justification to the national authority for the late provision of the remaining information.

Electronic procedure for notifying data breaches

The Regulation is particularly innovative in that it obliges the competent national authorities to provide a secure electronic means for the notification of personal data breaches. The Regulation mentions that this procedure should be available in a common format (such as XML) and should contain the information set out in Annex 1 in all the relevant languages. The purpose is to enable all service providers in the EU to follow a similar notification procedure, irrespective of their location or where the breach occurs. This provision is likely to pave the way towards a general data breach notification procedure for all data controllers once the proposed EU Data Protection Regulation comes into force.

Notification to individuals and subscribers

The Regulation clarifies the circumstances under which a data breach is likely to adversely affect the personal data or privacy of subscribers or individuals, for example, where the data concerns financial data (e.g., credit card data or bank account details), sensitive data, or certain data specifically relating to the provision of telephony or Internet services (e.g., emails, location data, Internet log files, web browsing history, and itemised call lists).

In principle, the service provider must notify the subscribers and other individuals concerned “without undue delay”. However, in exceptional circumstances the provider may delay this notification, with the national authority’s permission, where the notification may put the investigation of the data breach (e.g., a criminal investigation) at risk.

If the service provider does not possess the contact details of all the individuals who are adversely affected by the data breach, it may mitigate this by making a notification through advertisements in major national or regional media (such as newspapers) until it is able to identify all the individuals affected and send them an individual notification.

Cross-border data breaches

If a data breach affects the personal data of individuals located in several EU member states, the Regulation imposes on the competent national authorities a duty to inform one another and to cooperate. One can only regret, however, that the European Commission did not go one step further by enabling a “lead” authority to act as the single point of contact for organizations that are facing a cross-border data breach. The European legislator perhaps missed a chance here to streamline the notification procedure and to remove some of the administrative burden on companies.

Direct applicability in Member States

The Regulation is legally binding and is directly applicable in all Member States, which means that in the case of a conflict between the Regulation and a national law, the Regulation must prevail.

Finally, it should be noted that the Regulation was drafted to be consistent with the proposed Data Protection Regulation so as to avoid conflicting legal provisions in the future. It is also expected that technical adjustments will be made to the ePrivacy Directive once the Data Protection Regulation comes into force.

Click here for an overview of upcoming legislation on data breaches in Europe.

Employee’s private emails used as evidence to dismiss employee

Posted on August 12th, 2013 by



On June 19, 2013, the French Court of Cassation ruled in favour of a company for having dismissed one of its employees (M. X) on the grounds that he was involved in unfair competition. M. X’s wrongdoing was established on the basis of email exchanges between him and a competitor that were found on his computer’s hard drive and used against him as evidence in court. M. X argued that this evidence was inadmissible because it was unlawfully obtained by the company in violation of his right to privacy and to the secrecy of correspondence. M. X claimed that the emails were private and that the company had made a copy of his computer’s hard drive without informing him and not in his presence.

The French Court of Cassation ruled in a landmark decision (the 2001 “Nikon case”) that “an employee has the right to the respect of his private life – including the right to the secrecy of correspondence – on the work premises and during working hours”. Since then, the Court of Cassation has refined its position and progressively balanced the right to privacy of employees against the right of employers to monitor the activities of their employees. Unless marked by the employee as “private”, the documents and files created by an employee on a company-computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence. However, an employer cannot access files marked “private” stored on the hard drive of a company-owned computer without the employee’s presence or informing the employee, unless there is a particular risk or event for the company. It is also presumed that employees use the company’s emailing system for professional purposes. Thus, an employer can access an employee’s email inbox without his/her presence, with the exception of those that are marked “private” in their subject line, or that are stored in a sub-folder of the inbox named “private” or “personal”.

In the given case, M. X challenged the validity of the emails used against him in court on the grounds that those emails originated from his private email inbox, which he had transferred and stored onto his work computer. M. X argued that the company had captured those emails without informing him and that a copy of the hard drive was made in his absence. But for the Court of Cassation, the simple fact that documents or emails, stored on the hard drive of a company-owned computer, originate initially from an employee’s private email inbox does not render those emails private. What really matters is whether there is a clear indication that this email is private, such as the word “private” appearing in the subject line, or the fact that it is stored in a folder marked “private”.

Since the 2001 Nikon case, the Court of Cassation has made a continuous effort to refine and, in some circumstances, narrow the scope of the right to privacy in the workplace with a view to reaching a fair and balanced approach to privacy in the employment context. Following this ruling, employees should be cautious when storing private emails or documents onto their work computers as they will automatically be considered professional, unless there is an unambiguous indication that they are private. Thus, the risk is high that employees may get dismissed when suspected of unlawful actions because their employer has extensive powers to access all the data stored on their work computer and to use any potentially incriminating information as evidence against them. Simultaneously, employers have an obligation under privacy and labor laws to inform employees about the collection and use of their personal data. This decision illustrates the importance of drafting clear and unequivocal privacy policies explaining to employees how to use the IT equipment and devices that the company puts at their disposal in accordance with the company’s internal rules, and how to protect their private data.

Click here to access the Court’s decision (in French).

Click here for more information on the use of technology against the right to privacy under French law.

Use of technology in the workplace: what are the risks?

Posted on July 29th, 2013 by



Technology is omnipresent in the workplace. In recent years, the use of technological tools and equipment by companies has grown exponentially. Various types of electronic equipment, which were previously reserved for military or scientific facilities (such as computers, smartphones, CCTV cameras, GPS systems, or biometric devices) are now commonly used by many private companies and are easy and cheap to install.

Technology undoubtedly provides companies with new opportunities for improving work performance and increasing security on their premises. At the same time, employees’ personal data are more regularly collected and potential threats to their privacy are more commonplace. In some circumstances, the use of advanced technology can pose higher security threats, which outweigh the benefits the technology provides (see our previous blog post on the risks of BYOD).

In Europe, the use of technology in the workplace will almost certainly trigger the application of privacy and labour laws aimed at safeguarding the employees’ right to privacy. In this context, data protection authorities are particularly attentive to the risks to employees that can derive from the use of technology in the workplace and their potential intrusiveness. Earlier this year, the French Data Protection Authority (“CNIL”) reported that 15% of all complaints received were work-related (see our previous blog post on the CNIL’s report). In many cases, employees felt threatened by the invasiveness of video cameras (and other technologies) being used in the workplace. For that reason, the CNIL published several practical guidelines instructing employers on how to use technology in the workplace in accordance with the French Data Protection Act and the French rules on privacy.

Employers are faced with the challenge of finding a way to use technology without falling foul of privacy laws. When considering whether to implement a particular technology in the workplace, companies should take appropriate measures to ensure that those technologies are implemented in accordance with applicable privacy and labour laws. As a first step, it is often good practice to carry out a privacy impact assessment that will allow the company to identify any potential threats to employees and the risk of the company breaching privacy and labour laws. Also, the general data protection principles (lawfulness and fairness of processing, purpose limitation, proportionality, transparency, security and confidentiality) should be fully integrated into the decision-making process and privacy-by-design should be an integral part of any new technology that is deployed within the company. In particular, companies should ensure that employees are properly informed, both individually and collectively, prior to the collection of their personal data. Additionally, in many EU jurisdictions, it is often necessary for companies to inform and/or consult the employee representative bodies (such as a Works Council) on such issues. Finally, companies must grant employees access to their personal data in accordance with applicable local laws.

So, are technology and privacy incompatible? Not necessarily. Under European law, there is no general prohibition on using technology in the workplace. However, as is often the case under privacy law, the critical point is to find a fair balance between the organisation’s goals and purposes when using a particular technology and the employees’ privacy rights.

Click here to access my article on the use of technology in the workplace under French privacy law.

Data security breach notification: it’s coming your way!

Posted on July 2nd, 2013 by



Data breach notification laws have existed in the US for several years. California was the first state to introduce a data breach notification law in 2002, followed soon after by forty-five other US states. In 2012, the US Senate introduced a Data Security and Breach Notification Act which, if enacted, would establish a national data security and breach notification standard for the protection of consumers’ electronic personal information across the US.

In Europe, data breach notification has only drawn attention at a political and legislative level following recent press coverage of data breach scandals. Nevertheless, the numerous debates, initiatives and legislative proposals that have appeared in recent months are evidence of Europe’s growing interest in this topic, and recognition of the need to regulate. As an example, the EU Commission’s Directorate General for Communications Network, Content and Technology (DG CONNECT) recently proposed to “explore the extension of security breach notification provisions, as part of the modernisation of the EU personal data protection regulatory framework” in its Digital Agenda for Europe (action 34).

From a legislative perspective, things have been moving forward rather steadily for several years. In 2009, the European legislator adopted a pan-European data breach notification requirement for the first time, under the amended ePrivacy directive 2002/58/EC (“ePrivacy directive”). True, the directive only applies to “providers of publicly available electronic communications services” (mainly telecom operators and ISPs), but in a limited number of EU Member States the ePrivacy directive was implemented with a much broader scope (e.g., Germany). In June 2013, the European Commission released a new regulation explaining the technical implementing measures for data breach notification by telecom operators and ISPs.

Following this first legislative step, the European Commission has recently made two further legislative proposals. The first, which has drawn the most attention, was the European Commission’s proposal of a new regulation to replace the current Data Protection Directive 95/46/EC. If adopted, this Regulation would introduce a general obligation for all data controllers, across business sectors, to notify the regulator in case of a breach without undue delay, and not later than 24 hours after having become aware of it. Companies would also have to report data breaches that could adversely affect individuals without undue delay. This Regulation would apply not only to organizations that are established on the territory of the EU, but also to those that are not established within the EU, but target EU citizens either by offering them goods and services, or by monitoring their behaviour.

Needless to say, in Brussels, stakeholders and lobbyists have been actively campaigning against the proposed data breach provisions for months on the grounds that they are unfriendly to business, cumbersome and impractical. Following the debates at the European Parliament and the Council of Ministers on the proposed Regulation, a less prescriptive, more business-friendly version of the data breach provisions may end up being adopted. Currently, discussions are ongoing in an attempt to limit the scope of the data breach requirements to breaches that are “likely to severely affect the rights and freedoms of individuals”. The deadline for reporting breaches could also be extended to 72 hours. At this point, it is impossible to predict with certainty what will be the final wording of those provisions. However, there does seem to be a consensus among the EU institutions and member states that, one way or another, a data breach notification requirement must be introduced in the Regulation.

Secondly, the European Commission has proposed a directive that aims to impose new measures to ensure a high common level of network and information security across the EU. The Directive concerns public administrations and market operators, namely “providers of information society services” (i.e., e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services, application stores) and “operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health.” The Directive would require them to report significant cyber incidents (e.g., an electricity outage, the unavailability of an online booking engine, or the compromise of air traffic control due to an outage or a cyber attack) to a national competent authority.

So what does this tell companies?

First, that data security in general and data breach notification in particular are drawing more and more attention, and thus cannot be ignored. As was the case a few years ago in the US, data breach notification is bound to become one of the hottest legal issues in Europe in the coming years. The legal framework for data breach notification may still be a work-in-progress, but nevertheless it is becoming a reality in Europe. Second, companies should not wait until data breach laws come into force in Europe to start implementing an action plan for handling data breaches. While data breach notification may not yet be a legal requirement for all companies in Europe, the reputational damage caused by a single data breach should motivate companies to implement robust data breach handling procedures. Finally, data breach notification can be viewed as a competitive advantage that enables companies to be more forthcoming and transparent vis-à-vis clients and customers who entrust them with their personal data.

For more information on data security breach notification rules in France, view my article in English: “Complying with Data Breach Requirements in France” (first published in BNA’s World Data Protection Report); and in French: “La notification des violations de données à caractère personnel: analyse et décryptage” (first published in Lamy Droit de l’Immatériel).