The Article 29 Working Party (“Working Party”) recently issued its Opinion on data processing at work (the “Opinion”). The Opinion, which complements the Working Party’s previous Opinion 08/2001 on the processing of personal data in the employment context and Working document on the surveillance of electronic communications in the workplace, seeks to provide guidance on balancing employee privacy expectations in the workplace with employers’ legitimate interests in processing employee data. The Opinion is applicable to all types of employees and not just those under an employment contract (e.g., freelancers).
On January 12, 2016, the European Court of Human Rights (“the Court”) ruled in Bărbulescu v. Romania that companies can monitor their employees’ online communications in certain circumstances.
The case concerned the dismissal of a Romanian engineer, Bărbulescu, by his employer, for the use of the company’s Internet and in particular, Yahoo Messenger, for personal purposes during work hours. The employer alleged that Bărbulescu was violating internal regulations that prohibit the use of the company’s equipment for personal purposes.
As reported in the Hunton Employment & Labor Law Perspectives Blog:
On October 27, 2015, the Ninth Circuit held in EEOC v. McLane Co., Inc. that the EEOC has broad subpoena powers to obtain nationwide private personnel information, including Social Security numbers (“SSNs”), in connection with its investigation of a sex discrimination charge.
On October 2, 2015, California Attorney General Kamala D. Harris announced that her office settled a lawsuit against home design website, Houzz Inc. (“Houzz”). Houzz was charged with secretly recording incoming and outgoing telephone calls for training and quality assurance purposes without notifying its customers, employees or call recipients, in violation of California eavesdropping and wiretapping laws. As part of the settlement, the Attorney General required Houzz to destroy the recordings, pay a fine of $175,000 and hire a Chief Privacy Officer to supervise its compliance with privacy laws and conduct privacy risk evaluations to assess Houzz’s privacy practices. This is the first time that the Attorney General has required the hiring of a Chief Privacy Officer as part of a settlement.
On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.
In a decision published on January 6, 2015, the French data protection authority (the “CNIL”) adopted a new Simplified Norm NS 47 (the “Simplified Norm”) that addresses the processing of personal data in connection with monitoring and recording employee telephone calls in the workplace. Data processing operations in compliance with all of the requirements set forth in the Simplified Norm may be registered with the CNIL through a simplified registration procedure. If the processing does not comply with the Simplified Norm, however, a standard registration form must be filed with the CNIL. The Simplified Norm includes the following requirements:
On June 28, 2013, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) issued its 20th annual Report of Activities (the “Report”), highlighting the FDPIC’s main activities during the period from April 2012 to March 2013. The Report is available in French and in German, and the FDPIC also has prepared a summary of the Report in English.
On March 20, 2013, the French Data Protection Authority (“CNIL”) issued (in French) guidance on keylogger software (the “Guidance”). Keylogger software enables an employer to monitor all the activities that take place on an employee’s computer (such as every key typed on the computer’s keyboard and every screen viewed by the employee), without the employee’s knowledge.
On November 30, 2011, the French Court of Cassation upheld a decision that excluded the application of the French Data Protection Act (Loi relative à l’informatique, aux fichiers et aux libertés) to an investigation conducted by the French Competition Authority (Autorité de la Concurrence) on the grounds that the search and seizure was authorized by an “freedoms and custody judge” (juge des libertés et de la détention).
On November 16, 2011, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2010 (the “Report”) highlighting its main 2010 accomplishments and outlining some of its priorities for the upcoming year. This year’s Report covers events that occurred since last year’s publication of the Annual Activity Report for 2009.