Blog

USA PATRIOT Act Effect on Cloud Computing Services

Francoise Gilbert

Recent reports and press articles, with attention-grabbing headlines, have expressed concern, and at times asserted, that the U.S. government has the unfettered ability to obtain access to data stored outside the United States by U.S. cloud service providers or their foreign subsidiaries. They point to the USA PATRIOT Act (“Patriot Act”) as the magic wand that allows U.S. law enforcement and national security agencies unrestricted access to any data, anywhere, any time. In fact, the actual impact of the Patriot Act in this cloud context is negligible.

CNIL’s Advanced Security and Privacy Risk Management Guides

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its two new guides “Advanced security and Privacy risk management”.

These guides consist of:

  • A methodology for managing the risks that can affect individuals;
  • A catalogue of measures and best practices to treat the risks identified with the methodology.

These documents are primarily intended for use by controllers, data protection officers (DPO) and chief information security officers (CISO). They assist them in building a rational understanding of the risks arising from the processing of personal data and in choosing the necessary and sufficient organizational and technical measures to protect privacy.

The two guides are available on the CNIL’s website: http://www.cnil.fr/english/

Privacy by Design

Alain Bensoussan

The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. In particular, this means that the protection of data must be at the heart of a company’s internal processes.

Adopting a PbD approach is a very visible trend in international groups and this trend is expected to grow significantly.

Privacy by Design can serve as a new tool to help companies stand out among their competitors and be a further mark of quality and trust for clients.

EU Parliament Resolution for Amendment of Rome II Regulation on Law Applicable to Violations of Privacy

Alain Bensoussan

On May 10, 2012, the European Parliament adopted a resolution (available here) with recommendations to the Commission on the amendment of Regulation (EC) No. 864/2007 on the law applicable to non-contractual obligations, known as Rome II. The Parliament first noted that “the Rome II Regulation lacks a provision for the determination of the law applicable to violations of privacy and rights relating to personality”.

France: Dismissal for Violation of IT Policy

Alain Bensoussan

A French Court of Appeals recently confirmed the dismissal of an employee who had downloaded software not authorized by his company’s IT policy. The judges rejected the employee’s claims that the employer did not have the right to monitor his PC in his absence, reminding the employee that a professional computer had to be used strictly for professional purposes during working hours and that an employer was therefore entitled to monitor it even without the presence of the employee.

A technician, who had already received a warning from the HR department after the discovery on his professional hard disk of software not authorized by the company’s IT policy, was dismissed after it appeared that he had subsequently continued to use such software.

France: CNIL Unveiled Its 2011 Annual Report

Alain Bensoussan

Every year, the French data protection authority, the CNIL, issues an annual report containing information and statistics on the past year and outlining its priorities for the next year. The CNIL recently published its 32nd Annual Report for 2011.

Key figures

In 2011, the CNIL:

  • Conducted nearly 400 controls and audits (+ 25% versus 2010).
  • Received nearly 6,000 complaints (+ 19% versus 2010).

This demonstrates a sharp increase in the CNIL’s control and sanction activities.

Analytics Cookies & Consent Exemption

Alain Bensoussan

Are analytics cookies, i.e., cookies used to measure website audience, subject to the prior consent of Internet users? This article provides insights about the French and European views on this topic.

Background

Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the e-Privacy Directive), has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. Article 5.3 of the Directive allows cookies to be exempted from the requirement of informed consent, if they satisfy some criteria.

FTC v. Google 2012 – Misrepresentation of Compliance with NAI Code a Key Element

Francoise Gilbert

Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2) is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). This is an interesting evolution in the history of the FTC rulings. At first, the FTC focused on violations of privacy promises made in Privacy Statements, then it went on to pursue violations of the Safe Harbor Principles. In this new iteration, the FTC attacks misrepresentation of compliance with an industry standard.

Stringent Requirements by the Swiss Federal Supreme Court for Google Street View

Ursula Widmer

On 8th June 2012 the Swiss Federal Supreme Court published its long and eagerly awaited decision on Google Street View. The court partially upheld the complaint by Google on one important point. The Federal Supreme Court does not consider it necessary for Google to take further steps in addition to the automated anonymization of faces and vehicle number plates to ensure complete anonymization for all images before uploading. This was precisely what the Federal Data Protection and Information Commissioner (FDPIC) had demanded of Google because the software for automated anonymization is not 100% reliable. The Federal Administrative Court was likewise of this opinion in its decision of April 2011. However, the Federal Supreme Court now considers it reasonable that the automated anonymization does not completely cover all persons and vehicle number plates, provided that the error quota of inadequately anonymized images is not more than approximately 1 per cent.