Blog

Upcoming New, Streamlined BCR Regime to be Unveiled in Early 2012

Francoise Gilbert
 
Very exciting news was shared at the IAPP EU Conference in Paris, which I have the pleasure of attending.
 
While we had hoped that Viviane Reding, the EU Vice President, would give an overview of the upcoming new EU Data Privacy Regulation in her keynote address, she focused instead on what is being planned for the overhaul of the BCR regime.

After noting that, as a result of the use of cloud computing services, data are being moved everywhere in the world, Ms. Reding encouraged companies to adopt global binding rules that govern the protection of personal information throughout the global enterprise, and to file applications for the approval of BCRs reflecting these global privacy rules.
 
When talking about the upcoming publication of the new Data Privacy Regulation in early 2012, Ms. Reding stated: "My reform will make binding corporate rules binding within companies, but also with respect to third parties. This implies that the rules provide for the necessary legal mechanisms to apply to all entities involved."



French Court Suspends US Company’s Whistleblowing System

Alain Bensoussan
 
Whistleblowing systems have been a hot issue in France for several years. In a ruling dated September 23, 2011, the Court of Appeals of Caen confirmed a lower court’s decision to suspend the whistleblowing system of a U.S. company on the grounds that it did not comply with French whistleblowing law. In light of this ruling, U.S. companies are advised to audit the compliance of their whistleblowing systems with French data protection law.
 
France’s whistleblowing rules
 
Normally, companies have to apply for the authorization of the French data protection authority, the CNIL, before setting up a whistleblowing system in France. But obtaining the CNIL’s authorization may be a long process.
 
In an effort to ease the burden on companies and cut through red tape, the CNIL adopted in 2005 a document known as the Single Authorization No. AU-004. If a whistleblowing system meets all the requirements laid down in the Single Authorization, a company can avoid going through the standard, cumbersome authorization process and is eligible for a simplified procedure: it only has to submit a declaration of conformity certifying that its system complies with the Single Authorization.


CNIL’s Data Security Guide Now Available in English!

Alain Bensoussan

The French data protection authority, the CNIL, recently published a translated version of its Guide on Personal Data Security.
 
The Guide is designed to help data controllers meet their obligations under French law regarding the security of the personal data they collect, use and maintain.
 
The French Data Protection Act N°78-17 of January 6, 1978, requires data controllers to take “all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent their alteration and damage, or access by non-authorized third parties” (Art. 34 of the Act). Failure to guarantee the security of the data is punishable by five years’ imprisonment and a €300,000 fine (Article 226-17-1 of the Penal Code).
 
This Guide should be of interest not only to controllers established in France but, more generally, to any entity that directly or indirectly uses IT systems in France.


Child Social Networking Site Settles with FTC

Francoise Gilbert

While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 – the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.


How to Build a Winning Privacy Program

Francoise Gilbert

Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does;” that the disclosures in its privacy statement are accurate, complete, and up-to-date; and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?


Compliance by Design

Francoise Gilbert

How do you build cloud applications that anticipate your customers’ legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable state medical information laws. If it fails to do so, it will not be able to sign up customers. Similarly, a cloud that uses servers located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.


CNIL Issues Data Protection Guide for Health Professionals

Alain Bensoussan

The French data protection authority, the CNIL, recently published a Guide for Health Professionals (Guide des professionnels de santé), available online (view here in French).

The first pages of this Guide recall the core principles of the French Data Protection Act, the missions of the CNIL and the role of data protection officers (“CIL”).

The second part is divided into practical, easy-to-read fact sheets designed to give health professionals the basic information and guidelines they need when processing personal and health data.


FTC Proposes Changes to COPPA Rule

Francoise Gilbert

On September 15, 2011, the Federal Trade Commission published for comment its proposed amendment to the current COPPA Rule, which is codified at 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.


How to Submit a Complaint to the EDPS

Alain Bensoussan

On June 15, 2011, Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 (read full report here). This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body. Peter Hustinx, the EDPS, said it “is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is increasingly global, Internet driven and dependent on the widespread use of ICTs in all areas of life.”

This report is a good opportunity to get to know the European guardian of personal data protection. Did you know that you can lodge a complaint with the EDPS?