jfgilbert

Facebook and Privacy

Lance Michalson

The CCMA has made two interesting decisions about whether it is unfair for an employer to dismiss an employee for posting intentionally offensive statements about their employer on a social networking website, like Facebook. The decisions are reported under Sedick & another / Krisray (Pty) Ltd [2011] JOL 27445 (CCMA) and Fredericks / Jo Barkett Fashions (2011) 20 CCMA 8.24.3.

The employees in each case were fairly dismissed, because the Arbitrators held that their privacy had not been infringed when their employers accessed their Facebook posts. The employees had published the statements in the public domain by not restricting their Facebook privacy settings. The CCMA took the view that their employers were entitled to intercept the posts in terms of South African monitoring law.

These decisions raise the question, “How can organisations manage the use of social networking websites by their employees properly?”


What the January 25, 2012 Draft of the Proposed EU Data Protection Reform Means for Companies Doing Business with or in the EU

January 27, 2012 – Francoise Gilbert

The comprehensive proposed data protection package that the European Commission unveiled on January 25, 2012 provides a sneak preview of the European Commission's plans for the reform of the data protection rules in the European Union. If the draft legislative texts are adopted in a form substantially similar to that which was presented in the package, by 2015, the European Union will be operating under a single data protection law that applies directly to all entities and individuals in the Member States. In addition, much of the administrative burden that is currently costing companies billions of Euros will have been removed. The savings would allow companies to allocate their data protection budget to more meaningful, efficient data protection practices that are better adapted to the uses of personal data, the new technologies and the 21st century way of life.


EU Data Protection Overhaul – New Draft Regulation

Francoise Gilbert

Note: This post is superseded by the post above, due to the publication of a new draft of the proposed legislative texts.

The European Commission has just published drafts of the two documents that will form the new legal framework for the protection of personal data throughout the European Economic Area. The draft documents are intended to provide a last opportunity for comments. The final version is expected to be published during the first quarter of 2012, and will come into force two years after publication. Thus, the new rules are currently not expected to be effective before the middle of 2014.

The proposed new legal framework consists of two legislative proposals: a proposal for a General Data Protection Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which will supersede Directive 95/46/EC; and a proposal for a Police and Criminal Justice Data Protection Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. This article discusses only the Regulation.


France – Protection of Personal Data and Cloud Computing

Alain Bensoussan
 
In order to consider all potential solutions, both from a legal and technical standpoint, and to guarantee a high level of personal data protection, the French data protection authority, the CNIL, recently launched a Call for Contributions from all stakeholders (clients, providers, consultants) on cloud computing.
 
The CNIL’s Call for Contributions dealt with many issues related to cloud computing, including:
 
      Definition of cloud computing;
      Role of stakeholders;
      Applicable law;
      Regulation of data transfers;
      Security of data.


Meet the New CNIL Chairwoman

Alain Bensoussan
 
The CNIL’s new Chairwoman, Isabelle Falque-Pierrotin, presents her priorities, in both French and English, in a video posted online that can be viewed here.
 
Ms. Falque-Pierrotin was elected on September 21st, 2011, after CNIL’s previous Chairman, Mr. Alex Türk, who was also a member of the French Senate, proactively resigned to comply with a recent legal provision that will soon prohibit the CNIL’s Chairman from holding any other elected office or public position.
 
In the video, the new boss of the French data protection regulator stresses that in an evolving and global environment, CNIL must innovate and become more open to resolutely step into the digital world. She firmly believes that cooperation with the private sector is important and thinks “the EU revision [of the data protection framework] will be a wonderful occasion to demonstrate that we are able to have a competitive protection but also a modernized protection” of personal data.


Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

Francoise Gilbert
 
Very exciting news was provided at the IAPP EU Conference in Paris, which I have the pleasure of attending.
 
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation, in her keynote address, she focused on what is being planned for the overhaul of the BCR regime.

After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
 
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."

  
 


French Court Suspends US Company’s Whistleblowing System

Alain Bensoussan
 
Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S. companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
 
France’s whistleblowing rules
 
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
 
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document known as the Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid going through the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity to certify that its system complies with the Single Authorization.


CNIL’s Data Security Guide Now Available in English!

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its Guide on Personal Data Security.
 
The Guide is designed to help data controllers meet their obligations under French law regarding the security of the personal data they collect, use and maintain.
 
The French Data Protection Act N°78-17 of January 6, 1978, requires data controllers to take “all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties” (Art. 34 of the Act). Failure to guarantee the security of the data is punished by five years’ imprisonment and a €300,000 fine (Article 226-17-1 of the Penal Code).
 
This Guide should be of interest not only to controllers established in France but more generally, to any entity that directly or indirectly uses IT systems in France.


Child Social Networking Site Settles with FTC

Francoise Gilbert

While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 – the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.
