Commission Nationale de l’Informatique et des Libertés
Subscribe to Commission Nationale de l’Informatique et des Libertés's Posts

A Simplified Norm to Represent an Expanding Power: the Right to Listen in on Employees’ Phone Calls and the Standardization of French Privacy Law

Since 2001, the French Court of Cassation has made a continuous effort to refine and, in some circumstances, narrow the scope of the right to privacy in the workplace with a view to reaching a fair and balanced approach. The January 6, 2015 declaration of the French Data Protection Authority (CNIL) further highlights this trend towards the standardization of information collection at work, and serves to clarify and expand the right of employers to listen in on employees’ phone calls at work.

Background

In the landmark 2001 “Nikon Case,” the Court of Cassation ruled that “an employee has the right to the respect of his private life – including the right to the secrecy of correspondence – on the work premises and during working hours.” This announcement was qualified, however, and the court further refined that unless marked by the employee as “private,” the documents and files created by an employee on a company-computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence. This can lead to an employer using such emails against an employee in the case of employment termination. Nonetheless, employers have an obligation under privacy and labor laws to inform employees about the collection and use of their personal data.

Building off of this decision, in October 2014, the French Social Supreme Court held that evidence gathered against an employee from data that had not previously been declared to and registered with CNIL was de facto illegal.

The French Labor Code and the French Data Protection Act both stipulate rules for the use of monitoring software by employers in the event that an employer wishes to establish such mechanisms. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software and make a formal declaration of the proposed monitoring activities to CNIL.

CNIL Declaration: Movement Toward a Simplified Norm

Continuing this trend, the declaration issued by the CNIL on January 6, 2015, further demonstrates not only how important the CNIL is, but also how the area of data protection is evolving and become more standardized in France.
This recent declaration established that employers wishing to record their employee’s telephone communications must first declare such information by filling out a simplified declaration form in lieu of a normal declaration form. After effectuating this simplified declaration, an employer will have the ability to listen to and record employee conversations for the purpose of employee training, evaluation and betterment of the quality of service.

While this declaration serves to grant employers permission to monitor employees, it also imposes upon them a number of restrictions: (i) the employee must be notified and informed of his or her right to refuse such recordings and (ii) the employee may only keep recordings for a period of six months. The information gathered from such recordings, however, may be kept for a [...]

Continue Reading




Are You Monitoring Your French Employees? Make Sure You Have Registered That Activity with the CNIL!

French employers must declare monitoring to the French Data Protection Authority (CNIL) in advance if they want to use evidence obtained from that monitoring in court.   The use of the employee’s company mailbox for personal purposes is tolerated under French law, when reasonable. Where it is considered abusive, however, it could constitute a breach of conduct against which the employer may impose sanctions.

Employers generally use monitoring software to discourage and establish evidence of abuse. Such software may be lawful provided the employer follows the rules stipulated by the French Labor Code and the French Data Protection Act to ensure the protection of personal data. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software, as well as make a formal declaration of the proposed monitoring activities to CNIL – except where a Data Protection Correspondent (Correspondant Informatique et Libertés) is appointed.

These requirements must be met before the implementation of the monitoring software. If these steps are not fulfilled, the software and monitoring activity remains illicit and the employer cannot rely on evidence obtained through that software to establish the employee’s misconduct.

The requirement to comply with the French data privacy law was reinforced by the French Social Supreme Court in a case where an employer’s software monitoring company mailbox flows had detected that an employee had dispatched or received 1,228 personal messages. But the employer’s declaration to the CNIL about the software had been filed after the beginning of the employee’s dismissal process.

The Social Supreme Court ruled that the employer could not use the data collected and, more generally, that any data collected by an automated personal data processing tool prior to its CNIL filing, constitutes an illicit means of evidence.

This decision marks the first time that the French Social Supreme Court has officially ruled that prior declaration to the CNIL is a necessary condition affecting the validity of evidence in this context.  This is a similar conclusion and rationale to the 2013 decision where the sale of client files was rendered null and void by the French Supreme Commercial Court for failure to comply with the CNIL registration obligations and demonstrates once again how data protection is becoming a key matter in all legal areas, including employment law.




France About to Embark on a Cookies Sweep Day

Impending sweep day to verify compliance with guidelines on cookies

During the week of September 15–19, 2014, France’s privacy regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), is organizing a “cookies sweep day” to examine compliance with its guidelines on cookies and other online trackers.

Starting in October 2014, the CNIL will also be conducting onsite and remote inspections to verify compliance with its guidelines on cookies.

Depending on the findings of the sweep and inspections, the CNIL may issue warnings or financial sanctions to non-compliant websites and applications.

Investigations gaining momentum

France is not the only country stepping up its data privacy efforts.  Parallel sweeps to the one conducted by the CNIL in September 2014 will be undertaken simultaneously by data protection authorities across the European Union.  The purpose of the coordinated action is to compare practices on the information given by websites to internet users and the methods to obtain their consent for cookies.

Nor is this the first time such a sweep has been organized in France.  In May 2013, the CNIL joined 19 counterparts worldwide in an audit of the 2,180 most visited websites and applications.  In that operation, known as “Internet Sweep Day”, the CNIL examined the compliance of 250 frequently visited websites and found that 99 percent of websites visited by French internet users collect personal information.  Of those that provided information on their data privacy policy, a considerable number did not render it easily accessible, clearly articulated or even written in French.

Compliance made simpler through CNIL guidelines

EU Directive 2002/58 on Privacy and Electronic Communications imposes an obligation to obtain prior consent before placing or accessing cookies and similar technologies on web users’ devices, an obligation incorporated into French law by Article 32-II of the French Data Protection Act.

Not all cookies require prior consent by internet users.  Exempt are cookies used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” and those that are “strictly necessary for the provision of an information service explicitly requested by the subscriber or user.”

For those cookies that require prior consent, the CNIL will verify how consent is obtained.  Under the CNIL guidelines, consent may be obtained either through an actual click or by the user’s further navigation within the site notwithstanding a continuing banner informing him or her of the website’s use of cookies.

Website owners can rely on tools made available by the CNIL to ensure their compliance with the cookie requirements.  In particular, a set of guidelines released by the CNIL in December 2013 explains how to obtain consent for the use of cookies and other online trackers in compliance with EU and French data protection requirements.

Under the CNIL guidelines, owners of websites may not force internet users to accept cookies.  Instead, the users must be able to block advertising cookies and still use the relevant service.  Internet users can withdraw their consent at any time, and cookies have a [...]

Continue Reading




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021