On Friday, February 27, the White House released its promised draft privacy and data security legislation. The proposed Consumer Privacy Bill of Rights Act of 2015 contains few, if any, surprises and would codify the framework that the White House proposed in 2012, imposing privacy and data security requirements across sectors and industries. The proposal has drawn criticism from the Federal Trade Commission and privacy advocates for not containing enough consumer protections, and from the business community for a lack of clarity and the potential to stifle innovation and to create other unintended consequences. In this post, we summarize the Act and some of the ramifications if it were to be adopted in its current form.
The UK First Tier Tribunal issued a decision on August 21 finding that the Information Commissioner’s Office (ICO) was wrong to impose a £250,000 fine on Scottish Borders Council in relation to an incident where pension records of former Council employees were discovered overflowing from recycling bins outside a local supermarket. The Tribunal held that the contravention, while serious, was not of a kind likely to cause substantial damage or substantial distress, which is a requirement for imposing such a penalty. The decision may have implications for the ICO’s approach to imposing monetary penalties in the future.
A Scottish council has been required to provide data indicating whether it pays traditionally “male” jobs more than traditionally “female” roles, after the Supreme Court rejected its argument that Data Protection legislation prevented disclosure. The case provides clarification on what is meant by the requirement that disclosure, and other forms of data processing, be “necessary” for the purposes of a legitimate interest.
In a previous post back in 2010, we discussed a then-new data-privacy case decided by the French Cour de Casson (high court), called Bruno B v. Giraud et Migot, Cour de Cassation [Cass.], soc., Paris, 15 Dec. 2009, No. 07-44264. As we said at the time, Bruno B was “a significant development” because, previously, French privacy laws offered an extremely high level of protection for employees’ data, as exemplified by the 2001 decision, Nikon France v. Onof, Cour de Cassation [Cass.], soc., 2 Oct. 2001, No. 4164.
The Spanish Constitutional Court has ruled against two company employees who claimed an infringement of their privacy right and their right to secrecy of communications, in a recent judgement from 17 December 2012, published in the States’ Official Gazette on 22 January 2013. The Constitutional Courts’ Decision 241/2012 (the “Decision“), is available (in Spanish) here: […]
Tim Wybitul, who is Of Counsel at Hogan Lovells in Frankfurt, provides this analysis of forthcoming German legislation on employee privacy. James Denvil, an associate in our Washington office, contributed to the entry. Companies with employees in Germany should pay attention to data privacy legislation that is likely to affect their operations this year. That […]
Last week, Michigan enacted a social media privacy law that prohibits employers and educational institutions from requesting access to the personal social media or other internet-based accounts of employees or students. The new law, known as the Internet Privacy Protection Act, provides that employers or educational institutions (ranging from elementary schools through institutions of higher learning) may not […]
California has become the latest state to pass a law prohibiting employers from requesting access to employees’ and job applicants’ social media information or accounts.
This summer, several states have enacted legislation addressing a broad range of privacy issues including data breach notification, health care privacy, employer access to employees’ and applicants’ social networking accounts, the collection of Social Security numbers, and telemarketing. We provide an overview of the recent privacy regulation developments in Vermont, Connecticut, Hawaii, New York, and Illinois.
On May 30 the National Labor Relations Board Acting General Counsel Lafe E. Solomon issued his third and latest report on social media cases, providing specific guidance on how to construct a lawful social media policy. In the report, Solomon takes a narrow view of what types of policy provisions are acceptable and instructs, for example, that certain confidentiality provisions, rules against “friending” co-workers, and blanket prohibitions of disparaging remarks are unlawful because they unduly restrict employees’ rights to discuss working conditions and terms and conditions of employment under the National Labor Relations Act.
In its first enforcement action under the Fair Credit Reporting Act (“FCRA”) about the sale of data compiled from publicly available online sources in the context of employment screening, the Federal Trade Commission (“FTC”) announced yesterday that it had entered into a $800,000 settlement with an online data broker, Spokeo, for allegedly marketing consumer profiles to employers and recruiters without complying with the requirements of FCRA. In addition, the FTC settled charges that Spokeo violated Section 5 of the FTC Act by posting surreptitious endorsements of its services under the names of others.
A French Court of Appeals in Caen recently confirmed a lower court’s order for the suspension of a whistleblowing system implemented by French company Benoist Girard, a subsidiary of American group Stryker. The decision comes as a surprise as it rejects the approval of the whistleblower system by French data protection authority (the “CNIL”).
Employers have a right, and in some cases a duty, to monitor the e-mail communications of their employees that are sent from the employer’s e-mail system. As a general matter, employees have no expectation of privacy in e-mails sent through their workplace system. Since employees who communicate with their personal lawyers through their employer’s e-mail are subject to employer monitoring, the American Bar Association has issued a formal ethics opinion stating that lawyers have a duty to warn such employees that their e-mails may not be confidential.
A decision by the Higher Labor Court of Berlin-Brandenburg Germany allowing an employer the right to access and review work-related email correspondence of an employee during his/her absence from work provides grounds for employers to access employees’ business-related email, even without the employee’s explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.
This blog entry provides a summary of the Hogan Lovells Chronicle of Data Protection’s recent coverage of legal developments regarding social media.
The National Labor Relations Board (NLRB) has social media in its sights. There has been a spate of activity at the NLRB on the social media front, including the issuance of two new complaints in the last three weeks alone, as reported in this blog entry.
The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer’s appointment may not be validly terminated because the employer wants to transfer this function to a service provider as external data protection officer.
On January 19, the Supreme Court decided NASA v. Nelson, a case brought by NASA contractors alleging that questions asked by the federal agency in a background check violated their constitutional right to information privacy — i.e., a constitutional privacy interest in the government “avoiding the disclosure of personal matters” recognized in a pair of 1977 cases, Whalen v. Roe and Nixon v. Administrator of General Services. At issue were questions that asked whether the contractors received “any treatment or counseling” regarding illegal drug use within the previous year (as a follow up to a question regarding whether they used, possessed, supplied or manufactured illegal drugs within that year), and questions directed toward references for information bearing on “suitability for government employment or security clearance,” including “adverse information” about an the contractor’s “honesty or trustworthiness,” “violations of the law,” “financial integrity,” “abuse of alcohol and/or drugs,” “mental or emotional stability,” “general behavior or conduct,” or “other matters.”
E-mails to an attorney that clearly otherwise would have been privileged were found by the California Court of Appeal not to qualify as a “confidential communication between client and lawyer” because the employee used a company computer to send the e-mails
Lionel de Souza, a Hogan Lovells privacy lawyer in our Paris Office provides a thorough review of 2010 developments in French privacy law and a look ahead to 2011.
Employees who claim a Facebook “zone of privacy” from their employers for complaints about working conditions got a boost recently from the National Labor Relations Board’s which filed a complaint over a termination based on an employee’s Facebook posting.
Yesterday, the Supreme Court reversed a decision of the Ninth Circuit in City of Ontario v. Quon and unanimously decided in favor of a public employer that had engaged in a limited administrative/accounting review of employee text messages. In this blog entry, we explain how the Court avoided deciding what is a reasonable expectation of privacy in electronic devices; we observe how a dormant federal case allowing a private employer search of e-mail despite an expectation of privacy may have renewed vitality; but in light of a recent New Jersey Supreme Court case, we remind private employers of the importance of a clear electronic communications policy (to limit or defeat expectations of privacy), of training and of purpose-limited searches.
A brief summary of the April 19, 2010 oral argument before the U.S. Supreme Court in the case of City of Ontario v. Quon, a Fourth Amendment privacy case on appeal from the Ninth Circuit.
The New Jersey Supreme Court’s recent decision in Stengart v. Loving Care Agency upheld attorney-client privilege protection for personal web-based e-mails sent by an employee planning to sue her employer, notwithstanding a broad electronic communications monitoring policy by the employer. The case, though limited jurisdictionally to New Jersey, may be followed elsewhere, and suggests additions to company monitoring policies, which we set forth in this blog entry.