On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.
Hunton & Williams is pleased to announce its participation with the Global Legal Group in the publication of the second edition of the book The International Comparative Legal Guide to: Data Protection 2015. Members of the Hunton & Williams Global Privacy and Cybersecurity team prepared several chapters in the guide, including the opening chapter on “Legislative Change: Assessing the European Commission’s Proposal for a Data Protection Regulation,” and chapters on Belgium, China, France, Germany, the United Kingdom and the United States.
On June 30, 2015, the French Data Protection Authority (the “CNIL”) summarized the results of the cookie inspections it conducted at the end of 2014.
On May 25, 2015, the French Data Protection Authority (“CNIL”) released its long-awaited annual inspection program for 2015. Under French data protection law, the CNIL may conduct four types of inspections: (1) on-site inspections (i.e., the CNIL may visit a company’s facilities and access anything that stores personal data); (2) document reviews (i.e., the CNIL may require an entity to send documents or files upon written request); (3) hearings (i.e., the CNIL may summon representatives of organizations to appear for questioning and provide other necessary information); and (4) since March 2014, online inspections.
On May 11, 2015, the French Data Protection Authority (“CNIL”) and the UK Information Commissioner’s Office (”ICO”) announced that they will participate in a coordinated online audit to assess whether websites and apps that are directed toward children, and those that are frequently used by or popular among children, comply with global privacy laws. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.
On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.
On March 24, 2015, the CNIL announced the implementation of a new procedure that will simplify the registration formalities for French affiliates of groups that have implemented Binding Corporate Rules (“BCRs”).
On February 3, 2015, the Article 29 Working Party (“Working Party”) published a report on a sweep of 478 websites across eight EU Member States (Czech Republic, Denmark, France, Greece, the Netherlands, Slovenia, Spain and the United Kingdom). The sweep was conducted to assess compliance with Article 5.3 of the e-Privacy Directive 2002/58/EC, as amended by 2009/136/EC.
On January 13, 2015, the French Data Protection Authority (the “CNIL”) published a Referential (the “Referential”) that specifies the requirements for organizations with a data protection officer (“DPO”) in France to obtain a seal for their data privacy governance procedures.
In a decision published on January 6, 2015, the French data protection authority (the “CNIL”) adopted a new Simplified Norm NS 47 (the “Simplified Norm”) that addresses the processing of personal data in connection with monitoring and recording employee telephone calls in the workplace. Data processing operations in compliance with all of the requirements set forth in the Simplified Norm may be registered with the CNIL through a simplified registration procedure. If the processing does not comply with the Simplified Norm, however, a standard registration form must be filed with the CNIL. The Simplified Norm includes the following requirements:
On December 8, 2014, the Article 29 Working Party (the “ Working Party”) and the French Data Protection Authority (the “CNIL”) organized the European Data Governance Forum, an international conference centered around the theme of privacy, innovation and surveillance in Europe. The conference concluded with the presentation of a Joint Statement adopted by the Working Party during its plenary meeting on November 25, 2014.
On November 18, 2014, the Centre for Information Policy Leadership at Hunton & Williams (the “Centre”) held the second workshop in its ongoing work on the risk-based approach to privacy and a Privacy Risk Framework. Approximately 70 Centre members, privacy regulators and other privacy experts met in Brussels to discuss the benefits and challenges of the risk-based approach, operationalizing risk assessments within organizations, and employing risk analysis in enforcement. In discussing these issues, the speakers emphasized that the risk-based approach does not change the obligation to comply with privacy laws but helps with the effective calibration of privacy compliance programs.
On September 18, 2014, the French Data Protection Authority (the “CNIL”) announced plans to review 100 French websites on September 18-19, 2014. This review is being carried out in the context of the European “cookies sweep day” initiative, an EU online compliance audit. The Article 29 Working Party organized this joint action, which runs from September 15-19, 2014, to verify whether major EU websites are complying with EU cookie law requirements.
On July 11, 2014, the French Data Protection Authority (the “CNIL”) announced that, starting in October 2014, it will conduct on-site and remote inspections to verify whether companies are complying with its new guidance on the use of cookies and other technologies. These inspections will take place in connection with the European “cookies sweep day” initiative, which will be launched from September 15 – 19, 2014. During that initiative, each EU data protection authority will review how users are informed of, and consent to the use of, cookies.
On May 19, 2014, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2013 (the “Report”) highlighting its main accomplishments in 2013 and outlining some of its priorities for the upcoming year.
On May 13, 2014, the French data protection authority (“CNIL”) decided to examine 100 mobile apps most commonly used in France.
On March 18, 2014, a new French consumer law (Law No. 2014-344) was published in the Journal Officiel de la République Franҫaise. The new law strengthens the investigative powers of the French Data Protection Authority (the “CNIL”) by giving the CNIL the ability to conduct online inspections.
On March 5, 2014, the French Data Protection Authority (the “CNIL”) issued new guidelines in the form of five practical information sheets that address online purchases, direct marketing, contests and sweepstakes, and consumer tracking (the “Guidelines”).
On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.
In a decision published on February 11, 2014, the French Data Protection Authority (“CNIL”) adopted several amendments to its Single Authorization AU-004 regarding the processing of personal data in the context of whistleblowing schemes (the “Single Authorization”).
On January 21, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program highlighted some of the key privacy developments that companies will encounter in 2014, including cybersecurity issues in the U.S., California’s Do Not Track legislation, Safe Harbor, the EU General Data Protection Regulation and the CNIL’s new cookie guidance.
On December 16, 2013, the French Data Protection Authority (“CNIL”) released a set of practical FAQs (plus technical tools and relevant source code) providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements (the “CNIL’s Guidance”). Article 5.3 of the revised e-Privacy Directive 2002/58/EC imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices. Article 32-II of the French Data Protection Act transposes this obligation into French law.
On July 3, 2013, the French Data Protection Authority (“CNIL”) released its decision in a case against PS Consulting, imposing a fine of €10,000 on the information systems consulting company for violations related to the operation of its CCTV system.
On June 14, 2013, the French Data Protection Authority (“CNIL”) announced that last March it had created an internal working group to study the privacy issues arising from the access of the personal data of French citizens by foreign public authorities. The CNIL further announced that the working group has decided to organize meetings with the various concerned stakeholders (attorneys, telecommunications operators, public institutions and non-governmental organizations) and that it has already had discussions with some of them. A summary of the CNIL’s findings is expected to be published in September 2013.
On June 6, 2013, the European Union’s Justice and Home Affairs Council held legislative deliberations regarding key issues concerning the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). The discussions were based on the Irish Presidency’s draft compromise text on Chapters I to IV of the Proposed Regulation, containing the fundamentals of the proposal and reflecting the Presidency’s view of the state of play of negotiations. At the Council meeting, the Presidency was seeking general support for the conclusions drawn in their draft compromise text on the key issues in Chapters I to IV.
On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.
On May 30, 2013, the French Data Protection Authority (“CNIL”) launched a public consultation on the digital “right to be forgotten.”
The CNIL recalled that the principle of a digital “right to be forgotten” is established in the Proposed EU Data Protection Regulation and that this new right will have to be exercised in accordance with freedom of expression, freedom of the press and the duty of remembrance.
In this context, the CNIL decided to consult web users with a goal of defining the broad outlines of the digital right to be forgotten. The CNIL also announced that it will ...
On May 6, 2013, the Global Privacy Enforcement Network (“GPEN”) announced its first “Internet Privacy Sweep,” in which 19 data protection authorities are participating. This joint effort, which runs May 6-12, 2013, involves a review of the information notices posted online by major websites.
On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.
On March 20, 2013, the French Data Protection Authority (“CNIL”) issued (in French) guidance on keylogger software (the “Guidance”). Keylogger software enables an employer to monitor all the activities that take place on an employee’s computer (such as every key typed on the computer’s keyboard and every screen viewed by the employee), without the employee’s knowledge.
On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.
On March 5, 2013, the French Data Protection Authority (the “CNIL”) announced that the French High Council for Statutory Auditors (“H3C”) and the U.S. Public Company Accounting Oversight Board (“PCAOB”) signed a Statement of Protocol (the “Protocol”) on January 31, 2013, to govern the exchange of information, including personal data, between them.
On March 6, 2013, the French Data Protection Authority (the “CNIL”) announced that it launched a consultation of relevant private and public actors for the purpose of determining whether the CNIL should adopt an initiative on “Open Data.”
Following up on the UK Information Commissioner’s Office’s (“ICO’s”) positive reaction to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”), the ICO has now published additional thoughts on the European Commission’s proposed revised data protection framework, reacting to the recent draft report prepared by the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, Jan Philipp Albrecht. In February 2012, the ICO released an initial analysis of the Commission’s package of proposals, which included the proposed Police and Criminal Justice Data Protection Directive (“Proposed Directive”).
On January 16, 2013, the French Data Protection Authority (“CNIL”) released its opinion on the draft report issued by Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Report”). The Report included detailed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) submitted by various stakeholders which Rapporteur Albrecht consolidated and distilled into a single text. The CNIL’s Report welcomes these amendments and in particular, the following:
On December 12, 2012, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released an accountability self-assessment tool designed to help organizations evaluate their internal privacy programs and practices. The tool is the product of the Global Accountability Project for which the Centre serves as Secretariat.
On April 19, 2012, the French Data Protection Authority (the “CNIL”) issued a press release detailing its enforcement agenda for 2012. In a report adopted March 29, 2012, the CNIL announced that it will conduct 450 on-site inspections this year, with particular focus on the specific themes described below. The CNIL also indicated that it will continue the work started in 2011 with at least 150 additional inspections related to video surveillance, especially with respect to surveillance in locations that are frequented by large numbers of individuals.
The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:
“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”
On November 30, 2011, the French Court of Cassation upheld a decision that excluded the application of the French Data Protection Act (Loi relative à l’informatique, aux fichiers et aux libertés) to an investigation conducted by the French Competition Authority (Autorité de la Concurrence) on the grounds that the search and seizure was authorized by an “freedoms and custody judge” (juge des libertés et de la détention).
Shortly before Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, gave her keynote address on binding corporate rules (“BCRs”) at the IAPP Europe Data Protection Congress in Paris, Hunton & Williams co-authored two articles on BCRs with the French Data Protection Authority (“CNIL”):
On November 29, 2011, at the International Association of Privacy Professionals (“IAPP”) Europe Data Protection Congress in Paris, France, Viviane Reding, Vice President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, provided insight into details of the proposals for the revised EU data protection framework. She focused explicitly on solutions for international data transfers, promoting Binding Corporate Rules ("BCRs") as a solution that can offer a simplified, yet comprehensive, structure for safeguarding international flows of data. Commissioner Reding referred to BCRs as offering the possibility of consistent enforcement and legal certainty, without stifling innovation.
On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.
On November 3, 2011, the Labor Chamber of the French Court of Cassation (the “Court”) upheld a decision against a company that unlawfully used a geolocation device to track the company car of one of its salesmen. Although the company notified the salesman that a geolocation device would be used to optimize productivity by analyzing the time he spent on business trips, the device was in fact used to monitor his working hours, which ultimately led to a pay cut.
On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:
On October 17, 2011, the French Data Protection Authority (the “CNIL”) launched a public consultation on cloud computing (the “Consultation”). The Consultation seeks to gather opinions from stakeholders (clients, providers, consultants) regarding cloud computing services for businesses, to identify legal and technical solutions that address data protection concerns while taking into account the economic interests involved.
On October 10, 2011, the French Data Protection Authority (the “CNIL”) released a video of newly-elected Chairwoman Isabelle Falque-Pierrotin presenting her priorities and vision for the future of the CNIL. Ms. Falque-Pierrotin was elected as the new Chair of the CNIL on September 21, 2011.
On September 23, 2011, the Labor Chamber of the Court of Appeals of Caen (the “Court”) upheld a decision to suspend a whistleblower program implemented by a U.S. company’s French affiliate, despite the fact that the French Data Protection Authority (the “CNIL”) had inspected and approved the program prior to implementation. This decision follows recent amendments to the legal framework for whistleblower programs in France.
On September 22, 2011, new provisions under the French Data Protection Authority’s (“CNIL’s”) internal regulation (Délibération n°2011-249 du 8 septembre 2011) came into force. The CNIL recently amended its regulations to incorporate a new chapter (Chapter IV bis) that sets forth a specific procedure for issuing privacy seals in accordance with the French Data Protection Act. The Act authorizes the CNIL to “issue a quality label to products or procedures intended to protect individuals with respect to processing of personal data, once [the CNIL] has recognized them as in compliance with the provisions of the Act.”
On September 21, 2011, the board of the French Data Protection Authority (the “CNIL”) elected Isabelle Falque-Pierrotin as its new Chair, following Alex Türk’s resignation which he officially tendered at the board meeting.
On September 14, 2011, Alex Türk announced that he will be resigning his position as Chairman of the French Data Protection Authority (the “CNIL”), in accordance with a recent amendment to the French Data Protection Act (Loi n° 2011-334 du 29 mars 2011 relative au Défenseur des droits). The amendment prohibits the CNIL’s Chairman from holding any other elected office or public position. Although this restriction does not enter into force until September 1, 2012, Mr. Türk, who also serves as a senator in the French Parliament, chose to resign prior to the upcoming French ...
On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force. The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code. In particular, the Ordinance introduces new provisions under the French Data Protection Act, which impose an obligation on electronic communication service providers to provide notice in the event of a data security breach.
On August 24, 2011, France’s new law concerning electronic communications (Ordonnance n° 2011-1012 du 24 août 2011 relative aux communications électroniques, or the “Ordinance”) came into force. The Ordinance implements the provisions of the revised EU Directive 2002/58/EC (the “e-Privacy Directive”) with respect to the French Data Protection Act of 1978, the French Postal and Electronic Communications Code and the French Consumer Protection Code. Specifically, the Ordinance amends the existing legal framework concerning cookies and introduces an opt-in regime for the use of cookies.
On July 1, 2011, the French Data Protection Authority (the “CNIL”) released a comprehensive handbook for health professionals (the “Guidance”). The Guidance reiterates that health professionals (e.g., doctors, nurses, hospitals, research laboratories) have an obligation to comply with the French Data Protection Act when collecting and processing health data on patients.
On June 6, 2011, Hunton & Williams hosted a panel discussion on what organizations in the UK, France, Germany and the Netherlands are doing to comply with the EU’s new cookie law. The webinar, Consent for Cookies: Preparing for the EU Cookie Law, featured David Evans, Group Manager of Business and Industry of the UK Information Commissioner’s Office, and Hunton & Williams Brussels-based associates Olivier Proust, Dr. Jörg Hladjk and Martijn ten Bloemendal. The panel was moderated by Bridget C. Treacy, partner in the London office of Hunton & Williams.
On June 6, 2011, join Hunton & Williams for a panel discussion on the implementation of the new EU Cookie Law in the UK, France, Germany and the Netherlands. EU law on the use of cookies is changing. Opt-in consent will be required, but specific requirements may differ across the EU. What are organizations doing to ensure compliance with the new cookie law? Listen to David Evans, Group Manager of Business and Industry of the Information Commissioner's Office, explain the steps that UK organizations are expected to take. Learn about cookie compliance in France, Germany and the ...
On April 26, 2011, the French Data Protection Authority (the “CNIL”) issued a press release unveiling its inspection goals for the coming year. In a report adopted on March 24, 2011, the CNIL indicated that it intends to conduct at least 400 inspections in France (100 more than the 2010 goal), with a special focus on the following issues:
A new French law containing several key amendments to the French Data Protection Act and creating a new public authority referred to as the “Defender of Rights” (Loi n°2011-334 du 29 mars 2011 relative au Défenseur des droits, or the “Law”) came into effect on March 30, 2011. The Defender of Rights, whose role is to defend civil rights and liberties, to promote children’s rights and to fight against discrimination, also will serve as a member of the CNIL’s plenary committee.
On March 21, 2011, the French Data Protection Authority (the “CNIL”) published its decision to fine Google €100,000 for violating the French Data Protection Act.
In 2009, the CNIL inspected Google’s geolocation service (“Street View”), which revealed that Google had collected huge quantities of undeclared personal data (e.g., navigation data, email content, logins and passwords) through Wi-Fi connections accessed by its Street View cars. Google responded that the personal data had been collected by mistake, and promised to stop the Wi-Fi data collection.
On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly. If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL. The amendments are summarized below.
The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards. The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts. The basis for the binding international agreement would be the Madrid ...
On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).
Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL. Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization. In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act. Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.
On October 26, 2010, the Centre for Information Policy Leadership (the “Centre”) released its long-awaited paper, “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project” at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel. This document is the result of the deliberations of an international working group that includes 60 representatives of business, civil society, government, data protection and privacy enforcement agencies, and the European Data Protection Supervisor. ...
On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques).
The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities. The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities. The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).
In November 2009, the French Secretary of State in charge of the digital economy, Nathalie Kosciusko-Morizet, launched a wide-ranging campaign designed to secure the “right to be forgotten” on the Internet (“droit à l’oubli”). The main objectives of the initiative were to: (1) educate Internet users about their exposure to privacy risks on the Internet; (2) encourage professionals to adopt codes of good practice and to develop privacy-enhancing tools; and (3) foster data protection and the right to be forgotten at both the national and EU level.
On October 5, 2010, the Commission for Economic Affairs of the French National Assembly introduced a Resolution (the “Resolution”) to support the International Standards on the Protection of Personal Data and Privacy adopted in Madrid on November 5, 2009, at the 31st International Conference of Data Protection and Privacy Commissioners (also known as the “Madrid Resolution”).
The Resolution states: “the right to privacy is a fundamental value in our society; the development of information and communication systems must be contained in order to prevent uses of personal data which threaten this right.
On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”). The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.
The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act). Failure to comply with this requirement is punishable by up to five years imprisonment or a fine of €300,000.
On October 4, 2010, the French Data Protection Authority (the “CNIL”) stated in a press release that a recently enacted environmental law (Act No. 2010-788 of July 12, 2010, known as “Grenelle II”) expands the CNIL’s authority to regulate devices used to measure the viewership of advertisements in public places like shopping malls, train stations and airports. Grenelle II introduces a new provision under Article L. 581-9 of the French Environmental Code, which states: “Any system that automatically measures the audience of an advertising device or which analyzes the typology or behavior of individuals passing within the vicinity of such advertising device requires prior approval of the CNIL.”
On September 14, 2010, a French Appeals Court in Dijon (the “Court”) upheld a decision against an employer that had terminated an employee who not only used a company car for personal reasons, but also committed serious traffic violations while using the vehicle. The Court rejected evidence collected using a Global Positioning System (“GPS”) device embedded in the company’s vehicle on the grounds that the employer (1) had failed to register this data processing activity with the French Data Protection Authority (the “CNIL”) and (2) had not given proper notice to employees regarding the use of GPS devices in company cars. Nevertheless, the Court ruled that the use of a geolocation device in the employment context does not necessarily constitute an invasion of an employee’s right to privacy, provided the employer complies with applicable laws.
On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise. The case has now been referred back to the New Zealand Privacy Commissioner. A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.
On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.
On June 17, 2010, the French data protection authority (the “CNIL”) reported that it had conducted an on-site investigation at Google on May 19 to examine activities by Google’s Street View cars. This investigation followed Google’s May 14 announcement that it had inadvertently captured Wi-Fi signals emitted in locations where its vehicles were taking photos.
On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.
In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling. In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis. The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.
According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding. In addition, DPAs impose few sanctions for violations of data protection laws. DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.” In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.” ...
On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt. The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”
On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence). The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.
On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year. In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:
- ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
- verifying that data controllers comply with the technical recommendations defined in their registration forms; and
- assessing the effectiveness of data protection officers within organizations.
In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law. The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.
On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”). Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.
On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights. This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports. The move has raised concerns about the excessive collection of personal data.
On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”). Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.
On August 19, 2009, the Official Journal published guidelines issued by the French Data Protection Authority (Commission nationale de l’informatique et des libertés (the “CNIL”)) regarding transfers of personal data carried out in the context of U.S. discovery proceedings (the “Guidelines”). The CNIL’s publication comes in the wake of a recent increase in the volume of requests made to French-based companies involved in U.S. litigation to disclose information or documents for the purposes of civil pre-trial discovery.
On June 3, 2009, the French Senate’s Commission on Laws issued a report on the right to privacy in the digital age (‘La vie privée à l’heure des mémoires numériques’) (the “Report”). The issuance of the Report is perhaps the most important legislative initiative in France in the field of privacy and data protection since the implementation of the EU Data Protection Directive in 2004.
On May 13, 2009, the French Data Protection Authority (“CNIL”) published its Annual Activity Report. The Report highlights increasing enforcement activity, noting a record number of investigations, formal notifications and fines. Having recently celebrated its thirtieth anniversary, the CNIL stated that it seeks to constantly evolve and meet the challenges of modern society by pursuing three key points: (i) diversifying its sources of financing; (ii) increasing the number of personnel; and (iii) including data protection and privacy rights in the French constitution in the near future.
Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers.
In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code