jfgilbert

Hot Issues in Data Privacy and Security

Francoise Gilbert

Data privacy and security issues, laws and regulations are published, modified and superseded at a rapid pace around the world. The past ten years, in particular, have seen a significant uptake in the number of laws and regulations that address data privacy or security on all continents. On March 1, 2013, a program held at Santa Clara University’s Markkula Center for Applied Ethics, titled “Hot Issues in Global Privacy and Security”, featured attorneys practicing on all continents who provided an update on the privacy, security and data protection laws in their countries.

The second half of the program featured a panel moderated by Francoise Gilbert, where the chief privacy counsel or chief privacy official of McAfee, Symantec and VMWare talked about how to drive a global privacy and security program in multinational organizations.

Videos of the program are available by clicking here.

The program was the second part of a two-day series of events. The first program was held in San Francisco on February 28, 2013, and was sponsored by Box, Inc. and the Cloud Security Alliance. This program focused on Government Access to Cloud Data and started with an overview of the laws that regulate US government access to data, presented by Francoise Gilbert. A panel featuring European and North American attorneys followed; they discussed the equivalent laws in effect in their respective countries. The program concluded with a presentation by the general counsel of Box, Inc., who spoke about the way in which his company responds to government requests to access to data stored by his company.

Videos of this program are available by clicking here.

Read More

Use of Spyware at the Workplace Ruled Inadmissible

Ursula Widmer

In a recent judgment the Swiss Federal Supreme Court ruled that it is inadmissible for an employer to use spy- ware to monitor employees. Evidence obtained in this way may not be used.

The case concerned the commander of a regional civil defense organization in the canton of Ticino. He was suspected of making extensive use of the Internet for private purposes during working hours. The employer therefore secretly monitored the use of the man’s workplace computer for three months using spyware. On the basis of the usage data thus obtained, it was possible to ascertain that the employee was spending a significant proportion of his working time on private matters. This led to his summary dismissal.

This action by the employer was deemed by the Federal Court to be inadmissible and the summary dismissal to be unjustified. The court considered that the employer breached employee protection laws by using spyware. These prohibit the use of surveillance and control systems designed to monitor the behavior of employees at the workplace.

Surveillance systems may be used for other purposes, but must be configured so that they interfere as little as possible with employees. For example, if room surveillance is necessary for security reasons, the field of view must be set so that, where possible, employees, e.g., working at a checkout or counter, are not recorded.

The employer’s action also contravened the requirement for proportionality. Even though it is acknowledged that the employer has a legitimate interest in monitoring work output and preventing the misuse of working time for private activities, the court considers that this can be achieved by less radical means than spyware. One possible method is to block access to certain websites. It is also permissible to log Internet use and to analyze these records with reference to individuals if there are specific reasons to suspect misuse. The Federal Data Protection and Information Commissioner has issued guidelines for this purpose, to which reference was made by the court.

Read More

Online Media are Responsible for Third-Party Content

Ursula Widmer

The Swiss Federal Supreme Court has ruled that a media provider that allows third parties to set up blogs on its website, is jointly responsible for their contents. The case specifically referred to the Geneva newspaper “Tribune de Genève”, which offers readers the facility to keep personal blogs on its website. One of these blogs be- longed to a Geneva politician who, in his articles, had violated the right of personality of a former director of the Cantonal Bank of Geneva. The person concerned consequently initiated legal action against the author of the blog and also against the newspaper, and demanded the deletion of the relevant article from the blog. The cantonal Court upheld the complaint and ordered the author and the newspaper to remove the blog article and to pay legal costs.

The newspaper appealed against this decision to the Federal Court, but without success. The court was not interested in the newspaper’s point that, in certain other countries, operators of websites that allow third parties to set up blogs cannot be held legally responsible for the content of the blog articles. The court referred to the fact that, under Swiss law, anyone who is involved in a violation of personality, and not just the author, may be subject to legal action. The operation of the website by the newspaper was judged by the court as being a relevant factor in the violation of personality.

The ruling of the cantonal court was therefore correct, in the opinion of the Federal Court. The newspaper was ordered to remove the offending blog article and to pay the costs of the proceedings. The court indicated in particular that, unlike in damages and compensation cases, there is no assumption of fault on the part of the respondent in applications for removal and injunction. It there- fore remained unclear whether the newspaper could successfully have been sued for compensation or damages, since the plaintiff had not brought any such claims against the newspaper.

Read More

Comparative Analysis of the Laws Regulating Government Access to Cloud Data

Francoise Gilbert

A program held in conjunction with the RSA San Francisco 2013 Conference and sponsored by the Cloud Security Alliance and Box – a major provider of cloud services – recently featured some of the contributors to the Global Privacy & Security Law treatise, Jean-Francois Henrotte (Philippe & Partners, Belgium), Frederic Forster (Alain Bensoussan Avocats, Paris), Raffaele Zallone (Studio Zallone, Italy) and Francoise Gilbert (IT Law Group, USA). The program presented a discussion of the US and foreign laws that regulate government access to cloud data. (more…)

Read More

Accountability and Protection of Personal Data

Alain Bensoussan

In data privacy matters, “accountability” means an obligation to report and explain, combined with principles of transparency and traceability, with a view to identify and document the measures implemented to comply with data privacy law requirements. It also implies an obligation for the data controller to assume liability and warrant a result, namely the efficacy of the data protection and the verifiability of the measures taken to this end.

Accountability thus implies for the data controller not only the obligation to comply with the applicable rules, but also the obligation to demonstrate to the authorities and/or the data subjects how such compliance is ensured. Laws and other texts will gradually integrate accountability requirements for personal data protection. (more…)

Read More

New FTC COPPA Rule Will Better Protect 21st Century Children

Francoise Gilbert

The Federal Trade Commission final updated COPPA Rule, published this morning (December 19, 2012),  brings child protection online to the 21st century. While most of the high level requirements, which stem directly from the Child Online Privacy Protection Act (COPPA) remain unchanged, the updated Rule contains references to modern technologies such as geolocation, plug-ins and mobile apps, and modern methods of financing websites, such as behavioral targeting.

(more…)

Read More

USA PATRIOT Act Effect on Cloud Computing Services

Francoise Gilbert

Recent reports and press articles, with attention grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law enforcement and national security agencies unrestricted access to any data, anywhere, any time. In fact, the actual impact of the Patriot Act in this cloud context is negligible.

(more…)

Read More

CNIL’s Advanced Security and Privacy Risk Management Guides

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its two new guides “Advanced security and Privacy risk management”.

These guides consist of :

  • A methodology for managing the risks that can affect the individuals ;
  • A catalogue of measures and best practices to treat the risks identified with the methodology.

These documents are primarily intended for use by controllers, data protection officers (DPO) and chief information security officers (CISO). They assist them in creating a rational understanding of the risks arising from the processing of personal data and to choose necessary and sufficient organizational and technical measures to protect privacy.

The two guides are available on the CNIL’s website : http://www.cnil.fr/english/

Read More