French data protection authority
Subscribe to French data protection authority's Posts

CNIL Announces Inspection Program—Focus Will Be on BCR Compliance and Treatment of Psychosocial Data, Among Others

The mission of the French data protection authority—the Commission Nationale Informatique et Libertés (CNIL)—is “to protect personal data, support innovation, [and] preserve individual liberties.”

In addition to its general inspections, every year the CNIL establishes a different targeted-inspection program. This program identifies the specific areas that CNIL’s controls will concentrate on for the following year. The 2014 inspection program was focused on everyday life devices, such as online payment, online tax payment and dating websites, among other things.

On May 25, 2015, the CNIL announced its 2015 inspection program and identified a focus on six issues in particular: contactless payment, Driving Licenses National File (Le Fichier National des Permis de Conduire), the “well-being and health” connected devices, monitoring tools used for attendance in public places, the treatment of personal data during evaluation of psychosocial risks and the Binding Corporate Rules.

The last two issues caught our attention:

  • Treatment of personal data during evaluation of psychosocial risks: Since 2008, many companies have been investigating psychosocial risks within the workplace in order to provide a more stress-free environment. This practice, however, raises issues concerning the employee’s right not to share private information with the employer. The CNIL will try to identify which prior investigations may have jeopardized (or may still be jeopardizing) the employee’s rights to privacy.
  • Binding Corporate Rules: Companies seeking to export data outside of the European Union (EU) may adopt a voluntary set of data-protection rules within their corporate group called Binding Corporate Rules (BCR). These BCRs are intended to provide a level of privacy and data protection within the entire corporate group equivalent to the one found under EU law. So far, 68 companies have adopted BCRs. Through its 2015 inspection program, the CNIL wants to give the BCRs a closer look, making sure that the means and devices used are in compliance with French law.

In addition to focusing its 2015 inspection program on BCR compliance, the CNIL also announced, earlier this year, the simplification of intra-group data transfers. Prior to simplification, companies whose BCRs had been approved by the CNIL were also required to obtain the CNIL’s approval for each new type of transfer. The CNIL has since declared that a new, personalized “single decision” will be given to companies with approved BCRs. In return, the companies must keep an internal record of all transfers detailing certain information (the general purpose of each transfer based on the BCR; the category of data subjects concerned by the transfer; the categories of personal data transferred; and information on each data recipient) in accordance with the terms of the single decision issued.

With respect to its targeted inspection program, the question still remains: How many inspections will the CNIL conduct in 2015? In 2014, the CNIL performed a total number of 421 inspections. The CNIL declares that, in 2015, the objective is to achieve 550 inspections. However, only 28 percent of the CNIL’s inspections typically result from the annual inspection program. Forty percent are initiated by the [...]

Continue Reading




GPEN Children’s Privacy Sweep Announced

On 11 May 2015, the UK Information Commissioner’s Office (ICO), the French data protection authority (CNIL) and the Office of the Privacy Commissioner of Canada (OPCC) announced their participation in a new Global Privacy Enforcement Network (GPEN) privacy sweep to examine the data privacy practices of websites and apps aimed at or popular among children. This closely follows the results of GPEN’s latest sweep on mobile applications (apps),which suggested a high proportion of apps collected significant amounts of personal information but did not sufficiently explain how consumers’ personal information would be collected and used. We originally reported the sweep on mobile apps back in September 2014.

According to the CNIL and ICO, the purpose of this sweep is to determine a global picture of the privacy practices of websites and apps aimed at or frequently used by children. The sweep seeks to instigate recommendations or formal sanctions where non-compliance is identified and, more broadly, to provide valuable privacy education to the public and parents as well as promoting best privacy practice in the online space.

Background

GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development. GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to globally strengthen personal privacy. GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.

According to the ICO, GPEN has identified a growing global trend for websites and apps targeted at (or used by) children. This represents an area that requires special attention and protection. From 12 to 15 May 2015, GPEN’s “sweepers”—comprised of 28 volunteering data protection authorities across the globe, including the ICO, CNIL and the OPCC—will each review 50 popular websites and apps among children (such as online gaming sites, social networks, and sites offering educational services or tutoring). In particular, the sweepers will seek to determine inter alia:

  • The types of information being collected from children;
  • The ways in which privacy information is explained, including whether it is adapted to a younger audience (e.g., through the use of easy to understand language, large print, audio and animations, etc.);
  • Whether protective controls are implemented to limit the collection of childrens’ personal information, such as requiring parental permission prior to use of the relevant services or collection of personal information; and
  • The ease with which one can request for personal information submitted by children to be deleted.

Comment

We will have to wait some time for in-depth analysis of the sweep, as the results are not expected to be published until the Q3 of this year. As with previous sweeps, following publishing of the results, we can expect data protection authorities to issue new guidance, as well as write to those organisations identified as needing to improve or take more formal action where appropriate.




Are You Monitoring Your French Employees? Make Sure You Have Registered That Activity with the CNIL!

French employers must declare monitoring to the French Data Protection Authority (CNIL) in advance if they want to use evidence obtained from that monitoring in court.   The use of the employee’s company mailbox for personal purposes is tolerated under French law, when reasonable. Where it is considered abusive, however, it could constitute a breach of conduct against which the employer may impose sanctions.

Employers generally use monitoring software to discourage and establish evidence of abuse. Such software may be lawful provided the employer follows the rules stipulated by the French Labor Code and the French Data Protection Act to ensure the protection of personal data. In particular, the employer must submit information to and engage in consultation with the works council, provide information to employees impacted by the software, as well as make a formal declaration of the proposed monitoring activities to CNIL – except where a Data Protection Correspondent (Correspondant Informatique et Libertés) is appointed.

These requirements must be met before the implementation of the monitoring software. If these steps are not fulfilled, the software and monitoring activity remains illicit and the employer cannot rely on evidence obtained through that software to establish the employee’s misconduct.

The requirement to comply with the French data privacy law was reinforced by the French Social Supreme Court in a case where an employer’s software monitoring company mailbox flows had detected that an employee had dispatched or received 1,228 personal messages. But the employer’s declaration to the CNIL about the software had been filed after the beginning of the employee’s dismissal process.

The Social Supreme Court ruled that the employer could not use the data collected and, more generally, that any data collected by an automated personal data processing tool prior to its CNIL filing, constitutes an illicit means of evidence.

This decision marks the first time that the French Social Supreme Court has officially ruled that prior declaration to the CNIL is a necessary condition affecting the validity of evidence in this context.  This is a similar conclusion and rationale to the 2013 decision where the sale of client files was rendered null and void by the French Supreme Commercial Court for failure to comply with the CNIL registration obligations and demonstrates once again how data protection is becoming a key matter in all legal areas, including employment law.




CNIL Expands Scope of Whistleblowing Programs under French Privacy Law

On February 11, 2014, the French data protection authority (CNIL) published Deliberation #2014-042 and expanded the list of issues that a whistleblowing program may permissibly receive and process under French privacy laws.  Now, these programs also can be used to report employment discrimination and harassment, and health, hygiene, safety and environmental issues.  This is a significant development under French privacy law because, up to this point, the Single Authorization No. 4 strictly limited the type of data that French subsidiaries and other companies operating in France could collect.  In particular, companies only could receive reports concerning finance, accounting, banking, anti-corruption, and unfair competition.  A program that was constructed to receive reports concerning employment discrimination or harassment, for example, was technically in breach of French data privacy laws.  Under Deliberation #2014-042, this is no longer the case.  For full coverage of these developments, please read: Whistleblowing and Data Privacy in France: A New Pragmatic Approach for Employment and Discrimination Claims.




STAY CONNECTED

TOPICS

ARCHIVES

2021 Chambers USA top ranked firm
LEgal 500 EMEA top tier firm 2021