jfgilbert

CNIL’s Concerned on Contactless Credit Cards

 

Alain Bensoussan
 
The French data protection authority, the CNIL, issued a press release on May 10, 2012 (read here in French) to express its concerns about the security of contactless credit cards.
 
It also announced that it was carrying out technical investigations to identify any security gaps and analyze their impact on privacy.
 
Contactless credit cards use NFC (Near Field Communication) technology. NFC is a short-range, high-frequency wireless technology that allows information to be exchanged between a smart card and a terminal.

CNIL’s Reminder on Personal Data Contained in Public Records

 

Alain Bensoussan
 
The CNIL issued a press release in May 2012 to provide a quick reminder about the personal data that can be contained in public records published online.
 
The French data protection authority, the CNIL, issued a press release in May 2012 (read here in French) on the personal data that can be contained in public records published online.
 
In France, the different services of the Public Records Office (such as the records of towns or of the Ministry of Defense) can post online archived documents, such as birth, marriage and death certificates that contain personal data, i.e. documents relating to individuals potentially still alive and/or individuals who are deceased but whose data may have consequences on the privacy of their heirs.

French Court Says Employee Folder Entitled “My Documents” is not Personal

 

Alain Bensoussan
 
The French Supreme Court recently ruled that a folder entitled “My Documents” on an employee’s workstation was not presumed to contain personal files.
 
On May 10, 2012, the social chamber of the French Supreme Court (“Cour de cassation”) ruled that an employee’s computer folder named “My documents” could not be regarded as a private folder.
 
In that case, in 2006, an employee had stored on his workstation, in a folder titled “My Documents”, pornographic pictures and videos showing other employees, recorded without their consent. The employer opened the folder and dismissed the employee for serious misconduct in 2006. The employee then sued the employer for unfair dismissal on the grounds that his “My Documents” folder was personal and that the employer did not have the right to open it and, therefore, to use the documents contained therein to justify his dismissal.

Facebook and Privacy

Lance Michalson

The CCMA has made two interesting decisions about whether it is unfair for an employer to dismiss an employee for posting intentionally offensive statements about their employer on a social networking website, like Facebook. The decisions are reported under Sedick & another / Krisray (Pty) Ltd [2011] JOL 27445 (CCMA) and Fredericks / Jo Barkett Fashions (2011) 20 CCMA 8.24.3.

The employees in each case were fairly dismissed, because the Arbitrators held that their privacy had not been infringed when their employers accessed their Facebook posts. The employees had published the statements in the public domain by not restricting their Facebook privacy settings. The CCMA took the view that their employers were entitled to intercept the posts in terms of South African monitoring law.

These decisions raise the question, “How can organisations manage the use of social networking websites by their employees properly?”


What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

January 27, 2012 – Francoise Gilbert

The comprehensive proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the European Commission’s plans for the reform of the data protection rules in the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States. In addition, much of the administrative burden that is currently costing companies billions of Euros will have been removed. The savings would allow companies to allocate their data protection budget to more meaningful, efficient data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.


EU Data Protection Overhaul – New Draft Regulation

Francoise Gilbert

Note: This post is superseded by the post above, due to the publication of a new draft of the proposed legislative texts.

The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.

The proposed new legal framework consists of two legislative proposals: a proposal for a General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will supersede Directive 95/46/EC; and a proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This article discusses only the Regulation.


France – Protection of Personal Data and Cloud Computing

Alain Bensoussan
 
In order to consider all potential solutions, both from a legal and technical standpoint, and to guarantee a high level of personal data protection, the French data protection authority, the CNIL, recently launched a Call for Contributions from all stakeholders (clients, providers, consultants) on cloud computing.
 
The CNIL’s Call for Contributions dealt with many issues related to cloud computing, including:
 
      Definition of cloud computing;
      Role of stakeholders;
      Applicable law;
      Regulation of data transfers;
      Security of data.


Meet the New CNIL Chairwoman

Alain Bensoussan
 
The CNIL’s new Chairwoman, Isabelle Falque-Pierrotin, presents her priorities, in both French and English, in a video posted online that can be viewed here.
 
Ms. Falque-Pierrotin was elected on September 21st, 2011, after CNIL’s previous Chairman, Mr. Alex Türk, who was also a member of the French Senate, proactively resigned to comply with a recent legal provision that will soon prohibit the CNIL’s Chairman from holding any other elected office or public position.
 
In the video, the new boss of the French data protection regulator stresses that in an evolving and global environment, CNIL must innovate and become more open to resolutely step into the digital world. She firmly believes that cooperation with the private sector is important and thinks “the EU revision [of the data protection framework] will be a wonderful occasion to demonstrate that we are able to have a competitive protection but also a modernized protection” of personal data.


Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

Francoise Gilbert
 
Very exciting news was provided at the IAPP EU Conference in Paris, which I have the pleasure of attending.
 
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation, in her keynote address, she focused on what is being planned for the overhaul of the BCR regime.
After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
 
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."


French Court Suspends US Company’s Whistleblowing System

Alain Bensoussan
 
Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S. companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
 
France’s whistleblowing rules
 
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
 
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document, known as the Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid going through the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity to certify that its system complies with the Single Authorization.
