Francoise Gilbert
The Federal Trade Commission has published a proposed settlement with Compete, Inc. a web analytics company, for violation of Section 5 of the FTC in connection with its collection, use, and lack of protection of personal information (including some highly sensitive information). Compete uses tracking software to collect data on the browsing behavior of millions of consumers.
Alain Bensoussan
The Privacy by Design (PbD) principle means that privacy and data protection are embedded throughout the entire life cycle of technologies, from the early design stage to their deployment, use and ultimate disposal. This in particular means that the protection of data must be at the heart of a company’s internal processes.
Adopting a PbD approach is a very visible trend in international groups and this trend is expected to grow significantly.
Privacy by Design can serve as a new tool to help companies stand out among their competitors and be a further mark of quality and trust for clients. (more…)
Alain Bensoussan
On May 10, 2012, the European Parliament adopted a resolution (available here) with recommendations to the Commission on the amendment of Regulation (EC) No. 864/2007 on the law applicable to non-contractual obligations, known as Rome II. The Parliament first noted that “the Rome II Regulation lacks a provision for the determination of the law applicable to violations of privacy and rights relating to personality”. (more…)
Alain Bensoussan
A French Court of Appeals recently confirmed the dismissal of an employee who had downloaded software not authorized by his company’s IT policy. The judges rejected the employee’s claims that the employer did not have the right to monitor his PC in his absence, reminding the employee that a professional computer had to be used strictly for professional purposes during the working hours and that an employer was therefore entitled to monitor it even without the presence of the employee.
A technician, who had already received a warning from the HR department after the discovery on his professional hard disk of software not authorized by the company’s IT policy, was dismissed after it appeared that he had subsequently continued to use such software. (more…)
Alain Bensoussan
Every year, the French data protection authority, the CNIL, issues an annual report containing information and statistics on the past year and outlining its priorities for the next year. CNIL’s recently published its 32nd Annual Report for 2011.
Key figures
In 2011, the CNIL:
This demonstrates a high increase in the CNIL’s control and sanction activities. (more…)
Alain Bensoussan
Are analytics cookies, i.e., cookies used to measure website audience, subject to the prior consent of Internet users? This article provides insights about the French and European views on this topic.
Background
Directive 2002/58/EC, as amended by Directive 2009/136/EC (known as the
e-Privacy Directive) has reinforced the protection of users of electronic communication networks and services by requiring informed consent before information is stored or accessed in the user’s (or subscriber’s) terminal device. Article 5.3 of the Directive allows cookies to be exempted from the requirement of informed consent, if they satisfy some criteria.
Francoise Gilbert
Google was hit by a $22.5 million penalty as a result of an investigation by the Federal Trade Commission covering Google’s practices with users of the Safari browser. A very interesting aspect of this new case against Google (Google 2), is that it raises the issue of Google’s violation of the Self-Regulatory Code of Conduct of the Network Advertising Initiative (NAI Code). This is an interesting evolution in the history of the FTC rulings. At first, the FTC focused on violation of privacy promises made in Privacy Statements, then it went on to pursue violation of the Safe Harbor Principles. In this new iteration, the FTC attacks misrepresentation of compliance with industry standard.
Ursula Widmer
On 8th June 2012 the Swiss Federal Supreme Court published its long and eagerly awaited decision on Google Street View. The court partially upheld the complaint by Google on one important point. The Federal Supreme Court does not consider it necessary for Google to take further steps in addition to the automated anonymization of faces and vehicle number plates to ensure complete anonymization for all images before uploading. This was precisely what the Federal Data Protection and Information Commissioner (FDPIC) had demanded of Google because the software for automated anonymization is not to 100% reliable. The Federal Administrative Court was likewise of this opinion in its decision of April 2011. However, the Federal Supreme Court now considers it reasonable that the automated anonymization does not completely cover all persons and vehicle number plates, provided that the error quota of inadequately anonymized images is not more than approximately 1 per cent. (more…)
Francoise Gilbert
In its Opinion 05/2012 on Cloud Computing published as document WP 196 in early July 2012, the Article 29 Working Party identifies the data protection risks that are likely to result from the use of cloud computing services, such as the lack of control over personal data and lack of information about how, where and by whom the data are being processed or sub-processed in the cloud. It expressly deems the Safe Harbor regime insufficient to meet the requirements of the national data protection laws.