HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

by Lionel de Souza

On May 26th, the European working party on data protection established by article 29 of the 1995 European Directive on Data Protection (the "Working Party") sent letters to the three main search engine providers, Google, Microsoft and Yahoo!, to express its concern about how the search engine providers protect the online privacy of their users.

These letters follow a number of exchanges that have taken place over the past two years between the Working Party and the companies.  The process started with the Working Party's March 2008 opinion on search engines, which was later followed by a questionnaire to search engine providers and a hearing in February 2009.

In response to the Working Party's opinion, Google, Microsoft and Yahoo! all publicly announced amendments to their respective policies regarding the term of retention and anonymization of user data.  While these modifications generally have been welcomed as improvements of search engine practices, the Working Party still considers them insufficient.  Overall, the Working Party points to:

(1) the insufficient level of anonymization of data implemented by search engines or the lack of complete information to appreciate the appropriateness of such measures; and

(2) the excessive term of retention of user data (especially in consideration of possible cross-referencing).

Based on these elements, the Working Party states that it "cannot conclude that [these companies comply] with the European Data Protection Directive" and "urges" them "to review their anonymization claims and make the process verifiable."

To do so, the Working Party recommends that all three search engine providers implement and submit to an auditing process which would be conducted by external and independent third parties.  It is interesting to note that such an auditing procedure does not rely on any specific legal ground imposed by the European data protection legislation and that the search engines are therefore under no obligation to implement such a procedure.  If they did agree to an audit,  however, a number of questions would arise, such as the adequate frequency at which audits should be conducted or the publicity of the results of the audits. 

Finally, the Working Party, taking into account the "strong international component of this debate" sent copies of the three letters to the FTC (as well as the European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship - Viviane Reading) to share its concerns and to request an inquiry of the compliance of the behaviors with Section 5 of the Federal Trade Commission Act which prohibits "unfair or deceptive acts or practices in the marketplace".

In a general context of increased attention in the European general public with regards to issues of privacy, the reactions by the search engines and the FTC to the issues raised will be closely scrutinized.

The Working Party's letters to can be found here. 

• Email This
• Print
• Share Link

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute.  His crime was attempting to comply with a U.S. court order compelling production of documents.  See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding).  Examples of U/S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure"). 

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employees' e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum.  Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents held subject lines as “Essay 1”, “Essay 2”, and so on, which the firm discovered without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.  On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

• Email This
• Print
• Share Link

By Jun Wei

On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information.  In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of  RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens.  This is the first known case in China regarding the infringement of personal information security. 

The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement:  (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals. 

In both types of conduct there are severe consequences for infringement, including imprisonment for less than three years, detention for less than six months, and/or the imposition of a fine (as a single penalty or concurrently with other penalties).   In the event that an entity is convicted of infringement, a monetary penalty shall be imposed on that entity, and the officer directly responsible and any other persons who may be directly responsible for such illegal acts shall be subject to the same criminal penalties that are applicable to natural persons.

According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold these phone numbers and call histories for RMB 16,000 (approximately US $2,353).  The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 ( approximately US $122,060) from a variety of relatives.

The defendant did not appeal and the judgment took effect December 14, 2009.

• Email This
• Print
• Share Link