While the European Commission is seeking to update its 15-year-old Directive regarding the protection of personal data, several regulations have been passed to strengthen privacy rights in Europe.

First, the European Union’s Article 29 Working Party has decided to define more clearly what is considered genuine consent for the processing of personal data. According to its opinion issued on July 14, 2011, consent requires the use of mechanisms that leave no doubt as to the data subject’s intention to authorize. As such, in the Working Party’s view, only affirmative statements or actions, not mere silence or inaction, can constitute valid consent. It is incumbent upon data controllers to prove that they have obtained genuine consent; the data subject is not required to rebut any presumption of consent in the controller’s favor.

In the meantime, in France, the French Data Protection Agency (CNIL) has for the first time authorized two companies to implement a whistleblowing process dedicated to receiving and handling complaints about discrimination. The CNIL has always been reluctant to approve the adoption of whistleblowing programs other than those relating to banking, financial, accounting and anti-corruption matters. Moreover, in response to a December 2009 decision of the French Supreme Court, the CNIL had recently decided to narrow the scope of the agency’s “blanket authorization” for whistleblowing programs that affected “vital interests of the business or the physical or moral integrity of employees.” But the CNIL’s recent approval of whistleblowing programs relating to discrimination suggests that it may be possible to obtain approval for programs that fall outside the scope of the blanket authorization. In the instant cases, it is noteworthy that as part of its certification of the whistleblowing systems dedicated to uncovering potential discrimination, the CNIL relied upon the following elements of the programs:

  • anonymous alerts were prohibited;
  • the whistleblowing system was not mandatory for employees;
  • security measures were implemented; and
  • employees’ representatives had been informed.

These observations may offer some insight into the kinds of safeguards required for others to obtain approval of a whistleblower program from the CNIL.

In another recent decision, the CNIL decided to exempt French suppliers acting on behalf of companies located outside the EU from certain filing obligations. Prior to the CNIL’s decision, it was understood that both non-EU-based companies processing personal data in France and their French suppliers needed to file paperwork with the agency about the processing of personal data. The CNIL realized, however, that it could be burdensome (and duplicative) for French suppliers acting on behalf of non-EU-based companies to comply also with the relevant filing obligations. As a consequence, the CNIL has decided to exempt French suppliers from their filing obligations for purposes of data processing related to human resources, clients and prospects performed on behalf of companies based outside the EU.

Finally, under a new law dated March 15, 2011, the CNIL’s powers of control and sanction have been modified. According to this new law, the CNIL must now systematically inform data controllers of their opportunity to object to on-site reviews conducted by the agency. If the data controller objects to a proposed on-site check, the review can only be performed if a court authorizes it. In case of emergency or risk of destruction of documents, however, the CNIL can conduct the on-site check, after authorization of the court, without informing the data controller. In such a case, the latter cannot object to the CNIL’s review. Furthermore, the new law authorizes the CNIL to publicize the sanctions that it imposes on data controllers for their data processing violations even if the data controllers have not acted in bad faith.

With all this activity in France, it’s clear that the United States is not the only country trying to adapt its privacy and information security standards to rapidly evolving technologies and marketplaces. Companies with an international presence need to stay alert to stay compliant.