Francoise Gilbert
In late October 2011, the European Council of Ministers formally adopted the new EU Consumer Rights Directive. The new Directive will drastically affect the rules that apply to online shopping. Numerous provisions will also apply to both the online and the offline markets. (more…)
Francoise Gilbert
While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 – the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.
Francoise Gilbert
Many companies post on their websites a statement indicating that they care about the privacy of their customers or users, and then describe in general terms their policies with respect to certain categories of personal information. The golden rule for these privacy statements is “Say what you do, and do what you say you do.” Let’s assume that the company actually “said what it does;” that the disclosures in its privacy statement are accurate, complete, and up-to date; and that they clearly describe the company’s commitment to protect personal information. How, then, does it ensure that it “does what it said it does”?
Francoise Gilbert
How to build cloud applications that anticipate your customers’ legal constraints?
To succeed and gain market share, developers of cloud services and cloud-based applications must take into account the compliance needs of their prospective customers. For example, a cloud that offers services to the health profession must anticipate that its customers are required to comply with HIPAA, the HITECH Act, and the applicable medical information state laws. If it fails to do so, it will not be able to sign-up customers. Similarly, a cloud that uses servers that are located throughout the world must be sensitive to the fact that foreign data protection laws will apply, and that these laws have stringent requirements that differ from those in effect in the United States. If you fail to address these obstacles, your potential customers will take their business elsewhere.
Alain Bensoussan
French data protection authority, the CNIL, recently published a Guide for Heath Professionals (Guide des professionnels de santé), available online (view here in French).
The first pages of this Guide remind the core principles of the French Data Protection Act, the missions of the CNIL and the role of data protection officers (“CIL”).
The second part is divided into practical, easy-to-read fact sheets designed to give health professionals the basic information and guidelines they need when processing personal and health data.
Francoise Gilbert
On September 15, 2011, the Federal Trade Commission published for comments its proposed amendment to the current COPPA Rule, which is codified as 16 CFR Part 312. This proposed amendment is based on the information and comments collected during several public round tables and other consultations with the public and stakeholders in 2010. The text of the Proposed Amendment can be found at http://www.ftc.gov/os/2011/09/110915coppa.pdf. Written comments must be received on or before November 28, 2011.
Alain Bensoussan
On June 15, 2011, Peter Hustinx, European Data Protection Supervisor (EDPS), and Giovanni Buttarelli, Assistant Supervisor, presented their Annual Report of activities for 2010 (read full report here). This Report covers the sixth full year of activity of the EDPS as a new, independent supervisory body. Peter Hustinx, the EDPS, said it “is fully in line with the need to increase our efforts to ensure a more effective protection of privacy and personal data in a changing world which is increasingly global, Internet driven and dependent on the wide spread use of ICTs in all areas of life.”
This report is a good opportunity to get to know the European guardian of personal data protection. Do you know that you can lodge a complaint to the EDPS? (more…)
Alain Bensoussan
Vauban Systems, an information security consulting firm, had applied for an authorization, in compliance with Article 25-I-8° of the French Data Protection Act, which provides that automatic processing comprising biometric data necessary for the verification of an individual’s identity may be carried out only after the CNIL’s authorization.
A biometric system is designed to identify individuals based on their physical, biological or even behavioral features. Biometric data is data produced by the human body, positively identifying individuals and enabling to trace them. Vein pattern is a more reliable and secure biometric method than fingerprints, which may be lifted and reproduced unbeknownst to the individual.
Alain Bensoussan
France has recently adopted an ordinance implementing the EU Telecoms Package into its national law. The new ordinance introduces a series of measures related to data protection, including a data breach notification requirement, leading to the amendment of the Data Protection Act.
An ordinance implementing the European “Telecoms Package” has just been adopted by the French Council of Ministers last August 24. It came into force on August 26, 2011, date of its publication in the French Official Journal.
The ordinance is divided into three main chapters. Chapter 1 relates to the changes made by the Telecoms Package into the French Posts and Electronic Communications Code (mainly the strengthening of the powers of the French Telecommunications Regulator, ARCEP), Chapter 2 deals with the impacts in the Consumer Code (clearer contacts for consumers) and Chapter 3 focuses on the protection of data and privacy.
Regarding, in particular, the changes made to the data protection legislation, the following three concepts have been decided:
The ordinance amends Article 34 of the Data Protection Act by introducing an Article 34 bis. Electronic communications service providers now have to notify any personal data breach to the French data protection authority (the CNIL) and indicate the measures they have taken or intend to take to remedy the breach.
Alain Bensoussan
In a deliberation dated June 23, 2011, the French data protection authority (“CNIL”) agreed to the use by a company of a behavioral biometric system based on the typing pattern of individuals, designed to strengthen the identification of individuals accessing to an information system. This is the first time that a biometric system based on keystroke dynamics is authorized in France by the CNIL.
The system requires the recording of personal data, such as the last name, first name, pseudonym and IP address.
In France, companies have to obtain the authorization of the CNIL before processing biometric data (Article 25-I-8° of the French Data Protection Act of January 6, 1978).
This authorization has been granted exclusively for a specific purpose, namely the demonstration of a product to prospects, and is subject to the implementation of stringent security measures to ensure the confidentiality of the data.