
How to Build a Winning Privacy Program

Francoise Gilbert

Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does”: that the disclosures in its privacy statement are accurate, complete, and up-to-date, and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?


Compliance by Design

Francoise Gilbert

How to build cloud applications that anticipate your customers’ legal constraints?

To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable state medical information laws. If it fails to do so, it will not be able to sign up customers. Similarly, a cloud that uses servers located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.


CNIL Issues Data Protection Guide for Health Professionals

Alain Bensoussan

The French data protection authority, the CNIL, recently published a Guide for Health Professionals (Guide des professionnels de santé), available online (view here in French).

The first pages of this Guide recall the core principles of the French Data Protection Act, the missions of the CNIL and the role of data protection officers (“CIL”).

The second part is divided into practical, easy-to-read fact sheets designed to give health professionals the basic information and guidelines they need when processing personal and health data.


FTC Proposes Changes to COPPA Rule

Francoise Gilbert

On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.


How to Submit a Complaint to the EDPS

Alain Bensoussan

On June 15, 2011, Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 (read full report here). This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body. Peter Hustinx, the EDPS, said it “is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is increasingly global, Internet driven and dependent on the widespread use of ICTs in all areas of life.”

This report is a good opportunity to get to know the European guardian of personal data protection. Did you know that you can lodge a complaint with the EDPS?


First Multimodal Biometric System Authorized in France

Alain Bensoussan

The CNIL has given its green light to a multimodal biometric system. Striking the right balance between security and the protection of privacy and personal data, the French data protection watchdog decided that the security measures taken satisfactorily protected personal data and that the multimodal biometric system was “adapted and proportionate to the purpose pursued”. This is the first time that a multimodal biometric system has been authorized in France.

Purposes of biometric recognition systems

On May 12, 2011, the French data protection authority, the CNIL, authorized for the first time a company to deploy a multimodal biometric system combining finger vein and fingerprint recognition to control access to its workplace premises (CNIL Deliberation No. 2011-141 of May 12, 2011, in French).

Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing involving biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization.

A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body that positively identifies individuals and makes it possible to trace them. Vein pattern recognition is a more reliable and secure biometric method than fingerprint recognition, since fingerprints may be lifted and reproduced without the individual’s knowledge.


France Adopts EU Telecoms Package and Amends Data Protection Act

Alain Bensoussan

France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.

Adoption of the ordinance implementing the “Telecoms Package”

An ordinance implementing the European “Telecoms Package” was adopted by the French Council of Ministers on August 24. It came into force on August 26, 2011, the date of its publication in the French Official Journal.

The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package to the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impacts on the Consumer Code (clearer contracts for consumers) and Chapter 3 focuses on the protection of data and privacy.

Regarding, in particular, the changes made to the data protection legislation, the following three measures were adopted:

Creation of a data breach notification requirement

The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.


First Keystroke Biometric System Authorized in France

Alain Bensoussan

In a deliberation dated June 23, 2011, the French data protection authority (“CNIL”) agreed to the use by a company of a behavioral biometric system based on the typing pattern of individuals, designed to strengthen the identification of individuals accessing an information system. This is the first time that a biometric system based on keystroke dynamics has been authorized in France by the CNIL.

The system requires the recording of personal data, such as the last name, first name, pseudonym and IP address.

In France, companies have to obtain the authorization of the CNIL before processing biometric data (Article 25-I-8° of the French Data Protection Act of January 6, 1978).

This authorization has been granted exclusively for a specific purpose, namely the demonstration of a product to prospects, and is subject to the implementation of stringent security measures to ensure the confidentiality of the data.

CNIL Deliberation No. 2011-183 of June 23, 2011


France: FAQ About Biometric Devices

Alain Bensoussan

Can a company legally use biometric devices in France?

YES. Businesses may use a biometric device, subject to first obtaining the prior authorization of the French data protection authority, the CNIL (Article 25 of the French Data Protection Act (Loi Informatique et libertés)).

The CNIL has established simplified notification formalities for some biometric devices, such as:

  • Hand geometry recognition for access control, working time management and food catering at the workplace (CNIL Deliberation No. 2006-101 of April 27, 2006);

  • Fingerprint recognition with the fingerprint exclusively recorded on an individual medium held by the data subject, designed to control access to work buildings (CNIL Deliberation No. 2006-102 of April 27, 2006);

  • Vein pattern recognition to control access to work buildings (CNIL Deliberation No. 2009-316 of May 5, 2009);

  • Fingerprint recognition to control access to professional laptops (CNIL Deliberation No. 2011-074 of March 10, 2011).


EU Commission Launches Consultation on DBN

Alain Bensoussan

The European Commission has launched a consultation (read EU press release here) on the practical rules needed for the entry into force of the obligation requiring ISPs to inform relevant national authorities of any personal data breaches, introduced by the ePrivacy Directive 2009/136/EC of November 25, 2009.

The purpose of the consultation is to seek the views of telecoms operators, Internet service providers, Member States, national data protection authorities and consumer organizations on data breach notification (“DBN”).

Stakeholders have until next September 9 to provide their feedback and input on the issues involved.

The consultation could result in the proposal by the Commission of “technical implementing measures” to be reviewed by the EU Parliament.