French Data Protection Authority launches public consultation on cloud computing

The French Data Protection Authority (the Commission Nationale de l'Informatique et des Libertés or CNIL) opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: "already €6 billion at the European level, with a yearly growth of approximately 20%". The CNIL believes that the opacity inherent in cloud computing raises data protection concerns.

The CNIL’s consultation focuses on five areas: definition of cloud computing, role of the parties, applicable law, international transfers of data outside the European Union and data security.

The consultation process opened on 17 October 2011 and input is sought from the public.

Turning specifically to the five areas of focus:

(i) definition of cloud computing: the CNIL suggests a definitional approach based on the main functional characteristics of the various cloud computing services.

(ii) role of the parties: the CNIL analyzes the role of the customer and service provider as data controller and data processor, respectively. According to the CNIL, the customer should always be regarded as a data controller. The role of the service provider might vary; the service provider could be a data processor or in some cases a co-controller.

(iii) applicable law: one of the stickiest issues relates to applicable law. If the controller (in most cases the cloud customer) is established in France, French law would apply. But the situation is more complex where the controller is located outside of France and uses a cloud service provider with servers in France. Note that in a March 2011 decision, the CNIL decided to exempt companies established outside the European Union and using processors based in France from notifying their processing when the processing relates to human resources data or client and prospect data.

(iv) international transfers: most cloud services do not have a fixed location. Rules on international transfers of personal data are therefore difficult to apply. The CNIL suggests a two-fold approach, applying both legal and technical safeguards to international transfers. From a legal standpoint, the CNIL recommends the implementation of Standard Contractual Clauses in service providers' agreements, but also launches the idea of developing "Processor Binding Corporate Rules" or "Processor BCRs". Technically, service providers should apply security measures and data minimization (e.g. through the use of metadata) before data are transferred internationally.

(v) data security: the CNIL recommends the inclusion of security requirements in cloud computing agreements, while noting that customers are not always in a position to impose these requirements.

Interested parties have until 17 November 2011 to submit their comments. This consultation is an excellent way to enhance the French DPA's understanding of cloud computing and to propose technical solutions that may mitigate data protection risks.

The public consultation paper can be found (in French) here

French Court of Appeals rejects company's whistleblower system despite CNIL approval

A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by the French company Benoist Girard, a subsidiary of the American group Stryker. The decision comes as a surprise, as it disregards the approval of the whistleblower system by the French data protection authority (the "CNIL").

Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconduct (the "General Authorization"). Benoist Girard decided to implement its whistleblowing system in 2008 by relying on the General Authorization, despite three negative opinions on the system issued by the company's Works Council (the "CE").

In 2009, Benoist Girard's CE and Hygiene and Security Committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconduct beyond the scope of that covered by the General Authorization. The CE and CHSCT therefore argued that the system required a prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, considering that the system, as implemented, was in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.

In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system, and then analysed the system in detail to evaluate its compliance with French law.

First, the Court analysed the scope of the system. It noted that, while the system was presented as limited to the reporting of misconduct in the fields of accounting, finance, banking and corruption, it still allowed for the reporting of other matters. Indeed, even though the menus of the online interface did not contain references to the reporting of "matters of vital interest to the company" or "concerns," the homepage of the Ethics Point platform still indicated that it was designed to "report anonymously to the company any suspected bad behaviour or other problems" or "report matters on issues relating to compliance with our code of conduct and the online ethics policies". In addition, and more importantly, the Court noted that the system as conceived still allowed any whistleblower to submit an alert with facts relating to any type of misconduct.

Consequently, the Court found that the system did not reflect the scope limitations applicable to French employees using the online interface, but actually favoured "denunciations" of all sorts. Indeed, according to the Court, reports of concerns outside the scope of admissible concerns still have to be processed for filtering and then generate replies which, "far from being limited to restating the categories of admissible concerns, incite the whistleblower to pursue the process through hierarchy".

In addition, the appellate judges considered that, although the company's internal rules expressly stated that "Stryker strongly recommends that users of the whistleblowing helpline identify themselves", the online interface did not discourage employees from remaining anonymous; "on the contrary, various recommendations are even made to preserve [such anonymity]".

Finally, the Court found that the documents provided to the employees did not provide them with sufficient information on their rights in the event that they were the subject of an investigation in this context.

In light of these elements, the Caen Appeal Court ruled that the system could damage the rights and collective and individual liberties of the employees of the company and therefore confirmed the suspension of the system.

The Court's approach appears to be extremely stringent and could require a number of international companies to further review the implementation of their whistleblowing helplines. In this respect, it is worth noting that the Court's decision seems to go against the CNIL's position on the Benoist Girard case. Indeed, Benoist Girard had put forward, during the proceedings, a letter from the CNIL confirming that its whistleblowing system had been inspected and appeared to be compliant with the requirements imposed by the CNIL.

Thus, it appears that the CNIL's position on whistleblower programs may, in some instances, not be sufficient to ensure full compliance with French data protection legislation. A further appeal by Benoist Girard may be possible.

CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data

France's Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), announced on September 23, 2011 that it had found the French provider of universal telephone directory services, "Pages Jaunes," to be in violation of several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes's activities.

At issue was Pages Jaunes's web crawler function, which Pages Jaunes has since discontinued. The crawler captured information contained in the Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont, Pages Jaunes would show Mr. Dupont's phone number and would also show information from social media sites relating to persons named Pierre Dupont. The information could include photos, the name of Dupont's employer, the schools he attended, his geographic location, his profession, etc.

Pages Jaunes argued that the persons whose profiles were copied had been duly informed and consented, because the general terms and conditions of the social media sites indicate that information posted on public profiles may be accessible to search engines. 

The CNIL dismissed this argument. First, a number of the profiles that were being accessed were profiles of minors, and the informed consent of minors for this type of activity cannot be deemed to exist in these circumstances. Second, the reference to “search engines” in the social media sites’ general terms and conditions cannot be deemed to extend to companies whose principal activities are not that of a search engine. The CNIL pointed out that Pages Jaunes is a telephone directory and not a search engine. According to the CNIL, if the terms of use of the social media sites expressly mentioned that data in public profiles could be re-used by Pages Jaunes, that might constitute sufficient information and consent to allow Pages Jaunes to extract data from those sites. The CNIL pointed out that Pages Jaunes had entered into an agreement with one social media site called Trombi pursuant to which Trombi expressly mentioned on its site that data could be accessed and used by Pages Jaunes. For the major social media sites, however, no such agreement with Pages Jaunes existed. 

The CNIL also found that Pages Jaunes had breached its obligation to ensure that only accurate and updated data are processed. According to the CNIL, the profile data that was presented by Pages Jaunes was in many cases outdated by 4 to 12 months.

Pages Jaunes argued that it provided data subjects with the ability, on the Pages Jaunes website, to ask that their profile data not be accessed by Pages Jaunes, but the CNIL found that the procedures put in place by Pages Jaunes were too burdensome. A person must fill out a form and submit to Pages Jaunes proof of his or her identity for each social media site that the person wants to block. The CNIL also criticized Pages Jaunes for keeping logs of IP addresses and the time and date of queries made on the Pages Jaunes site. According to the CNIL, the retention of these data is excessive and not required under French law because Pages Jaunes is neither a telecommunications operator nor a hosting provider. Finally, the CNIL found that Pages Jaunes had violated its obligations with respect to the telephone directory data that it processes, because Pages Jaunes used that data to help refine the results of the social media profile searches. Under French law, universal directory providers are prohibited from using telephone directory data for any purpose other than providing a universal directory service. Pages Jaunes’s use of these data exceeded the scope permitted under French law.

The CNIL’s decision is a useful analysis of issues that are arising when collecting data publicly available on social media sites.

Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remains an Issue, To Be Explored at IAPP Navigate on September 14

The European Commission's Vice-President for the Digital Agenda, Neelie Kroes, indicated earlier this week that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former U.S. federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.

As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com’s Dreamforce conference in San Francisco where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking, "the human rights system ... is the basis of our democracy," Kroes is reported to have said.

In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has proclaimed that an essential "pillar" of EU citizens' privacy rights is "protection regardless of location", which has obvious implications for the Cloud:

"[P]rotection regardless of data location" [] means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

(The EU also generally takes the position that its privacy laws cover nationals from countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)

Presumably, Mr. Kundra's involvement in Vice-President Kroes's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.

The issue of whose law will apply in the Cloud and the potential conflicts will be illustrated in an upcoming session at the IAPP Navigate program in Dallas on September 14, which was created and will be co-chaired by Hogan Lovells privacy practice director Chris Wolf and Michelle Dennedy, Chief Privacy Officer of McAfee, Inc. and Founder of The iDennedy Project.

From the IAPP, in its announcement of the Navigate conference:

Cloud computing involves data and data applications stored and processed remotely, often in places far away, sometimes in multiple places, and in places with differing legal regimes. Who has authority to prescribe and enforce rules about personal data in the cloud? When does law enforcement have the right to demand access to data in the cloud?

Decide these critical questions of jurisdiction and control in a “moot court,” where you will put cloud computing on trial and deliberate on the outcome. Provocateurs will portray opposing lead counsel in a hypothetical case involving a nation within the EU requesting a preliminary ruling from the European Court of Justice (ECJ) on whether a cloud computing company with a physical presence within its borders is subject to its enforcement of national data protection laws enacted under the EU Directive. Navigate participants will be split into two groups—counsel for the Petitioner and counsel for the Respondent. Five participants will be selected as "justices" who will be free to question "counsel" about their positions. The judges will have an opportunity to deliberate and will return to deliver a verdict when the group reconvenes.

For those who are interested, a copy of the Moot Court Hypothetical is available at www.privacyassociation.org (PDF).

Privacy v. Anti-Piracy: Content Owners Warned to Supervise Anti-Piracy Monitor to Ensure Privacy

The anti-piracy efforts of the content industry in France recently resulted in a warning from French authorities that, when policing online piracy through use of a third-party contractor, privacy must be respected and enforced. 

The French agency entrusted with fighting online copyright infringement, the HADOPI, sends warning letters to suspected online infringers after receiving IP addresses collected by right holders. Right holders use a service provider, TMG, to collect these IP addresses. Before putting the system in place, right holders obtained an authorization from the French data protection authority, the CNIL, allowing them to collect IP addresses for this purpose.

On May 16, 2011, a third party notified the CNIL of a data security breach at TMG. This triggered a security audit by the CNIL, which identified vulnerabilities in the TMG system, including insufficient procedures for updating computer facilities, faulty physical security measures, and the absence of any formal procedure for ensuring that security rules are applied in practice. The CNIL also found that TMG had failed to comply with its obligation to make notifications to the CNIL and had not put in place procedures to limit the period of time during which data are retained.

The CNIL issued a formal warning, giving TMG three months to remedy all the instances of non-compliance identified during the audit. The CNIL issued a press release on July 6, 2011 announcing the TMG audit and security deficiencies. The CNIL indicated in its press release that it had also issued a formal warning to the right holders who had entered into the contract with TMG. The right holders are the "data controllers" and are responsible for ensuring that their subcontractor TMG complies with data security obligations under French law. The CNIL has substantially increased the number of audits it conducts, and the audits are often triggered after a third party notifies the CNIL of a security breach.

CNIL Simplifies Formalities for Non-EU Companies Using Data Processors in France

In a decision published on 2 March 2011, the French data protection authority (the "CNIL") announced a simplification of the formalities regarding data processing carried out in France on behalf of non-EU entities.

Under French data protection law, the general rule is that a data controller processing personal data in France is required to either file a notification or obtain an authorization from the CNIL prior to the implementation of the processing. Such obligations apply not only to French entities or entities having local presence in France but also to entities located outside the EU but which use “processing means” (such as servers, third party service providers, etc.) on the French territory.

In order to comply with this requirement, foreign entities wishing to use the services of French companies to process their personal data in France are required to appoint a representative in France which acts as their local point of contact with the CNIL and completes the required formalities on their behalf.

In consideration of the development of such services in the fields of human resources or client and prospect management, the CNIL, using its regulatory powers over data protection formalities in France, has decided to exempt non-EU companies that use service providers located in France to process their human resources and/or client and prospect data from the completion of formalities. In such cases, the appointment of a local representative is therefore no longer required either.

Finally, it should also be noted that this exemption from formalities also applies to the "return transfer" of data from the French service provider to the non-EU based data controller. While international transfers of data from France to a jurisdiction not regarded as providing an adequate level of protection to personal data are generally subject to prior authorization from the CNIL, the exemption expressly indicates that such "return transfers" would be justified and dispensed from prior authorization on the basis of the "performance of an agreement" exceptions provided for in sections 69 (5°) and 69 (6°) of the French law, which implement into French law the derogations of Article 26(1)(b) and (c) of the 1995 European Directive on data protection.

The full text of this exemption (exemption #15) can be found here (in French).

Privacy in France: 2010 review, 2011 perspectives

The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.

2010 was a year of evolution for the French data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), and 2011 promises to bring further changes. Formal changes came with the evolution in the management of formalities brought by a new online platform for their completion, which seems to bring a much needed improvement in the time taken to handle files. Policy evolutions also resulted from the adoption of documents providing guidance to data controllers with regard to data security, and from the amendment of the general authorization for certain whistleblowing systems, which, although needed, could be regarded as slightly disappointing.

In France, 2010 also saw privacy invite itself into the public debate, whether as a result of inspections and sanctions conducted and imposed by the CNIL, or as a result of high profile cases such as the Google Street View controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.

The review of the past year also allows us to anticipate some of the CNIL's points of focus for 2011. Firstly, the evolution of technologies will still be at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data, and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implementation of a major project: certification labels for products and services, which could become an important differentiating factor in attracting customers in the short and long term.


Evolution of formalities

In 2010, the CNIL decided to take a sharp turn in the management of the formalities with which any data controller has to comply in France. In France, unless one of a limited number of exceptions applies, any processing of personal data must either be declared to or authorized by the CNIL.

Until 2010, all such formalities had to be completed by submitting paper files. This system changed when the CNIL introduced new notification and request-for-authorization forms, which were also made available for electronic filing. The CNIL has clearly taken a turn towards increased dematerialization of formalities, with the obvious objective of reducing notifications or requests for authorization in paper format to a minimum.

While paper filings are still possible, they are clearly not encouraged, and the time taken to handle formalities submitted on paper now appears much longer than for documentation submitted through the CNIL online interface.

The new forms which now have to be used have not fundamentally changed the obligations imposed on data controllers. However, a couple of their features should be pointed out.

Firstly, the new form for the notification of a processing is a simplified version of the previous one. In this respect, it no longer requires the listing of the exact types of data actually processed by the data controller (even though general categories of data still have to be listed). This modification, however, calls for greater internal attention from data controllers to ensure that they do know the extent of their processing.

The second feature worth mentioning concerns the data controller's undertakings. Now, the data controller, when submitting its notification or request for authorization, has to certify by ticking a box that "the processing is conducted in accordance with the requirements" of French data protection legislation. This new wording potentially places a greater level of liability on the data controller to ensure that, at all times, the processing is fully compliant with French law.

Finally, it should be underlined that practice to date has shown that use of the online system offers greater reactivity in the management of files, and especially of requests for authorization. Such progress can only be welcomed.

Recommendation on security measures

Even though it mentions the obligation for data controllers to implement appropriate technical and organizational security measures for the protection of personal data, French legislation does not provide for any instrument setting out the specific framework defining those measures deemed appropriate (as opposed, for instance, to Italy).

Fully aware of this void, the CNIL had already issued recommendations regarding security measures relating to health data or electronic votes. In order to further address this situation, the CNIL issued a "Guide on security" (.PDF) in October 2010.

This guide, divided into 17 sections, addresses various issues in the field of security, ranging from the management of outsourcing to maintenance, archiving, anonymization and encryption.
The CNIL's "Guide on security" should therefore progressively become a tool used to set a minimum standard for the technical and organizational security measures required for the implementation of any processing of personal data subject to French law.

It should also be noted, in the same vein, that the CNIL adopted a working document on the issues potentially associated with the outsourcing of processing of data outside the European Union.

Modification of the whistleblowing general authorization

In 2005, the CNIL adopted a general authorization for the implementation of whistleblowing systems in France. Indeed, given the risks the CNIL perceives as associated with whistleblowing systems, French law requires that whistleblowing systems be subject to prior authorization by the CNIL. In order to address the majority of systems implemented by French companies to comply with the requirements of the Sarbanes-Oxley Act, the CNIL issued a general authorization whereby all whistleblowing systems complying with its requirements were pre-authorized and subject only to the filing of a simple undertaking of compliance.

The general authorization only covered systems allowing the reporting of alleged misconduct in the fields of accounting, finance and banking. Due to an ambiguous paragraph included in the original version of the general authorization, it was however thought that, in cases where the vital interests of the company were at stake, the whistleblowing systems covered by the general authorization could also be used. However, in 2009, the French Supreme Court rejected this analysis and considered the terms of the general authorization to be restricted to the three main fields mentioned above.

In order to clarify this ambiguous situation and align with the position of the French Supreme Court, the CNIL revised, late in 2010, the terms of the original general authorization.

The new amended version of the general authorization (in French) now encompasses whistleblowing systems implemented for the reporting of potential fraud with respect to accounting, auditing and banking rules, but also those intended to be used to fight corruption. In addition, the CNIL deleted the misleading section which previously made reference to the potential protection of the vital interests of the company.

As previously, all other whistleblowing systems (having wider or different scopes, etc.) will still have to be individually authorized by the CNIL.

One can regret that the CNIL decided to opt for a conservative road and therefore to expressly limit the scope of the general authorization as described above. Given both the already existing limitations on such systems (requirement of subsidiarity, limitations on anonymity, etc.) and the practice of whistleblowing systems in France, one could have hoped that the CNIL would broaden the scope of the general authorization to the protection of certain vital interests of the company or to legally sanctioned misconduct (e.g. discrimination, harassment, etc.).

Development of processes involving biometric data

Use of biometric systems is increasing noticeably in France, and the CNIL's activity clearly reflects this trend. This has been evidenced by decisions involving both the use of fingerprints and palm-vein or finger-vein technology.

The use of fingerprints was approved by the CNIL in February 2010 in the context of the provision of medical treatment. More specifically, the technology was used in connection with patients treated by radiotherapy in a hospital located in the north of France. The system was deemed acceptable in consideration of a number of factors. First, the CNIL noted the public health considerations connected with the potential misadministration of radiotherapy treatments. Indeed, the system is intended to identify patients so as to ensure that they receive the radiotherapy treatment required and thus avoid medical errors. In addition, among the relevant elements for evaluating the appropriateness of the system, the CNIL mentioned the fact that use of the system was subject to the prior informed consent of the data subject and that the biometric data were retained solely for the period of the treatment.

Another interesting element was the CNIL's observation that palm-vein or finger-vein technology could not be used in this specific case because of the alterations caused by the radiotherapy treatment.

This information is all the more relevant as the CNIL seems inclined to favour palm-vein or finger-vein technology over fingerprints or other biometric systems. The CNIL refers to these new biometric technologies as "no-touch" biometrics and considers that they raise fewer issues than older systems: such technologies do not involve "exterior" attributes of the data subject and cannot be collected without the data subject's knowledge (as opposed to fingerprints, which can be collected without the data subject's knowledge from any object he or she touches).

This favourable analysis was evidenced in April 2010 by the CNIL's authorization of a payment system using finger-vein technology in connection with a no-contact payment card.

It should be noted that in both cases of biometric technology mentioned above, the CNIL only granted authorizations for experiments, for 1 year and 6 months respectively. However, this underlines the possibilities offered to providers and users of biometric technologies in France, provided, naturally, that appropriate security measures are implemented.

Controls, sanctions and case-law

In 2010, the CNIL continued to develop the exercise of its inspection and sanctioning powers, as previously announced.

In this respect, it showcased the variety of its powers by imposing, for instance:

- a warning, published on its website, to the leading provider of tuition services in France, on account of illegitimate and "excessive" comments which appeared in its client database;

- the immediate and urgent suspension of a video-surveillance system allowing a company to constantly monitor its employees' activities;

- the suspension of a fingerprint access control system implemented by a company which had been denied authorization for the system in 2007 because no security imperative justified it;

- a €10,000 fine on each of two bailiff offices which had failed to honour the undertakings to amend their personal-data processing that they had given after an initial CNIL inspection;

- a €15,000 fine on a clothing retailer, previously sanctioned in 2007 for similar facts, for unlawfully sending unsolicited advertising faxes.

French courts have also applied the provisions of data protection legislation. In September 2010, the Dijon Court of Appeal held the termination of an employment contract to be wrongful because the employer had failed to comply with data protection legislation. In that case, the employee had been dismissed for alleged personal use of a company car. To prove this, the employer had installed a geolocation tracking device in the vehicle without informing the employee of the processing and without declaring it to the CNIL. Both at first instance and on appeal, the dismissal was held to be wrongful, and the Court of Appeal further ordered the employer to pay the employee €1,000 in damages for "unfair performance of the employment contract".

On the other hand, it should also be mentioned that, late in 2010, the dismissal of an employee was found to be legitimate where it was based on the fact that the employee had posted derogatory comments about their employer and managers on their Facebook wall. Since the posts were accessible to everyone on the person's Facebook profile, the Employment Tribunal did not consider that they should have been treated as private correspondence.

Finally, it should also be mentioned that the CNIL exercised its control powers in the wake of the collection of personal information by Google Street View vehicles. Following Google's disclosure of this collection on 14 May, the CNIL conducted an on-site inspection on 19 May. In the absence of satisfactory answers, on 26 May the CNIL ordered Google to provide, within seven days, all relevant and specific information regarding the data collected. Google complied with this request on 4 June 2010. The CNIL's investigation of this matter has not yet been closed.

Certification labels: one of CNIL's top priorities for 2011

Since its amendment in 2004, French data protection legislation has provided for the possibility for the CNIL to award labels to products or procedures aimed at ensuring the protection of personal data.

Due to a procedural impediment (the required implementing decree was never adopted), this power was never effectively used. However, thanks to the passing of a new law in 2009, the CNIL can now fully exercise this power and intends to make the definition of the criteria and the award of the first labels one of its main priorities for 2011.

The CNIL intended to award the first labels to training and auditing services in the first quarter of 2011. Keeping to this timetable seems likely to prove extremely difficult for the CNIL: even though consultations with training and auditing service providers have started, the final version of the methodology and of the content and format of the services eligible for labels has not yet been communicated.

In a second step, the CNIL intends to award labels to software that provides a satisfactory degree of protection for personal data.

The development of these certification labels will therefore be one of the main topics to follow over the coming year in France. The project could become of interest to companies in the longer run: with increased awareness of data protection and privacy requirements among the general public, a product or service bearing a CNIL certification label might gain a competitive advantage over others.

French Supreme Court invalidates whistle-blowing code

By Sarah Jacquier and Winston Maxwell

On December 8, 2009, the French Supreme Court held unlawful a Code of Business Conduct put in place by the Dassault Group to comply with Sarbanes-Oxley requirements.

Dassault’s Code of Business Conduct had two aspects. It (i) required employees to obtain their employer's approval before using any information (not just confidential information but all information used for “internal purposes”) that they might acquire in the course of their employment, and (ii) put in place a whistle-blowing policy whereby employees could - but were not obliged to - report any breach of the Code of Business Conduct in accounting, financial and anti-corruption matters. However, the policy also allowed employees to report breaches of the Code of Business Conduct in other matters (e.g. intellectual property rights, confidentiality, discrimination, harassment) to the extent that the breach threatened the Dassault Group’s vital interests or an individual’s physical or psychological integrity.

The Court ruled that requiring employees to obtain the prior approval of their employer before using any and all internal information infringed employees’ freedom of speech, which may be limited only in a proportionate manner. The prohibition was too broad, and therefore the proportionality test was not satisfied.

As far as the whistle-blowing policy is concerned, the Court ruled that the policy could not cover matters other than accounting, financial and anti-corruption matters. In France, whistle-blowing policies must be approved by the French data protection authority (the CNIL) because their enforcement may lead to sanctions against employees. In 2005, the CNIL published a blanket authorization which generally authorizes whistle-blowing policies in France for the purpose of complying with Sarbanes-Oxley requirements, but this authorization is limited to pure accounting, financial and anti-corruption matters. If a whistle-blowing policy exceeds the scope of the blanket authorization, it must be authorized on an individual basis; otherwise the whole policy will be deemed invalid, as the Supreme Court’s decision confirms.

Most international groups are reviewing the French versions of their Codes of Conduct to ensure that they comply with this new ruling.

French CNIL comments on nanotechnologies

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper on the privacy risks of nanotechnologies. In it, the CNIL attempts to identify the privacy risks associated with RFID tags so small that they can be injected into the human body. The CNIL mentions RFID tags used to track Alzheimer's patients, which it considers would satisfy the proportionality test set forth in French law. Other tags, such as an RFID tag injected under the skin that lets nightclub customers pay for their drinks, are more problematic.

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.” Of particular concern are the small size and potential ubiquity of tracking devices, both of which make it difficult for citizens to control the personal data collected about them. The CNIL recommends applying a Privacy by Design methodology to nanotechnologies so that privacy is built into nanotechnology applications from their initial design. The same recommendation applies to the security of these devices: the CNIL emphasizes the risk that viruses or malware could be introduced into nanotechnologies so as to divert them to improper purposes, and recommends integrating security by design into nanotechnologies through a multi-disciplinary and cooperative approach.

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right of citizens to “turn off” the device, thereby guaranteeing the right to “be forgotten” and to remain anonymous.

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods, for which France requires special labeling informing consumers about the product before purchase. The CNIL further suggests that French law should be broadened to give the CNIL responsibility for implementing these general principles, although it does not propose specific language or legislation.

In conclusion, the CNIL’s white paper on nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFID, except that the CNIL puts more emphasis on bioethical issues, undoubtedly because many nanotechnology applications will in some way be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

French CNIL Issues Data Security Tips

On October 12, 2009, the CNIL issued ten recommendations to help companies protect their data. The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room. They nonetheless play an important pedagogical role, and they illustrate that the CNIL is broadening its focus from its traditional role of defining the conditions under which personal data may be processed in France to addressing the consequences of that processing, in particular the prevention of data breaches.

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison. ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to this work; see, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies." However, the CNIL's recommendations may be only a first step, and it will be interesting to see whether its guidance evolves as concern about data breaches continues to grow.