International E-news - September 2010

  1. Germany’s Federal Government approves new Bill on employee data
  2. Enforcement network strengthened by new DPA members
  3. US Federal Trade Commission joins the Asia Pacific Privacy Authorities Forum
  4. EU Art. 29 DP Working Party adopts opinions on RFID, a European Direct Marketing Code, and Accountability

1. Germany’s Federal Government approves new Bill on employee data

A draft Bill, approved on 25 August by Germany’s Federal Government, would replace the current S32 of Germany’s Federal Data Protection Act (PL&B International Newsletter June 2010 p.1), reports Dr. Jürgen Hartung, Partner at the Oppenhoff law firm in Cologne. Importantly, if approved, the Bill would make employee consent invalid, apart from cases specified by the Federal DP Act.

On collection of personal data from the Internet, employers would be able to use information in making recruitment decisions if that data is collected from social networks, such as LinkedIn, which are about professional qualifications. Employers would not be able to use information from other social networks, such as Facebook.

The legislator says that the aim is to create a trusting relationship between the employer and employee, but the Bill leaves several questions unanswered.

For example, the draft Bill is silent on employees’ private use of telecommunications services. The current situation, in which employers are considered telecoms service providers and therefore fall under the Telecoms Act and the obligation to comply with telecoms secrecy, would thus continue. This would mean that employers would still not be able to legally access employees’ email content.

The draft bill regulates Closed Circuit Television (CCTV) monitoring in the private sector. Secret CCTV monitoring would no longer be allowed. Any investigations should be completed within four days. There would also be new, stricter rules on the use of biometric data.

See the draft Bill (in German).

There will be a fuller report in the October edition of the Privacy Laws & Business International Newsletter.

2. Enforcement network strengthened by new DPA members

The Global Privacy Enforcement Network (GPEN) has formalised its functions (PL&B International Newsletter June 2010 pp.18-19) by establishing a website where it lists the current members and its action policy. The group aims to ‘facilitate effective cross-border privacy enforcement in specific matters by creating a contact list of privacy enforcement authorities interested in bilateral cooperation in cross-border investigations and enforcement matters.’ The group will share information about privacy enforcement, trends and experiences, and engage in dialogue with relevant private sector organisations on privacy enforcement issues.

The GPEN now includes the following members:

  • Australia: Office of the Privacy Commissioner, Office of the Victorian Privacy Commissioner
  • Canada: Office of the Privacy Commissioner of Canada
  • France: Commission Nationale de l’Informatique et des Libertés
  • Germany: Federal Data Protection Commission
  • Ireland: Office of the Data Protection Commissioner
  • Israel: The Israeli Law, Information and Technology Authority
  • Italy: Garante Per La Protezione Dei Dati Personali
  • Netherlands: Dutch Data Protection Authority
  • New Zealand: Office of the Privacy Commissioner
  • Spain: Agencia Española de Protección de Datos
  • United Kingdom: Information Commissioner’s Office
  • United States: Federal Trade Commission.

On 21 September the GPEN launched its website, which is supported by the OECD.   

3. US Federal Trade Commission joins the Asia Pacific Privacy Authorities Forum

The New Zealand Privacy Commissioner, Marie Shroff, announced on 23 September that the US Federal Trade Commission has become a member of the Asia Pacific Privacy Authorities (APPA) Forum.

“The Federal Trade Commission enforces a range of specialist privacy laws in such diverse areas as credit reporting and children’s on-line privacy. It makes extensive use of trade practices law to protect consumers by holding companies accountable for their privacy policies. It is active, both in policy development and enforcement, in relation to cutting edge areas such as internet security, on-line behavioural advertising and ID fraud. It is a key player in privacy protection in the largest economy in the world,” said Ms Shroff.

Recently, the APPA Forum broadened its membership criteria to enable privacy enforcement authorities from across APEC economies to join the forum. The new criteria allow entry to a greater diversity of public authorities that enforce privacy laws and the Federal Trade Commission is the first authority to take advantage of that change.

The existing members include privacy commissioners and authorities from Australia, Canada, Hong Kong, Korea and New Zealand.

4. EU Art. 29 DP Working Party adopts opinions on RFID, a European Direct Marketing Code, and Accountability

The EU Data Protection Working Party adopted an opinion on 13 July 2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, saying it does not endorse the document as it is.

The group also issued an opinion on the ‘European code of conduct for the use of personal data in direct marketing’. After years of negotiation, the Federation of European Direct and Interactive Marketing, FEDMA, has now managed to satisfy privacy concerns created by on-line marketing. There is an explicit requirement, with regard to commercial electronic mail, to provide unsubscribe facilities to stop commercial communications. Individuals should be able to unsubscribe free of charge without stating a reason. Privacy policies should include clear and comprehensive information about any cookies sent. The Code also includes examples of best and unacceptable on-line advertising practices.

On accountability, the DP Working Party, with a view to the revision of the EU DP Directive, put forward a concrete proposal which would require data controllers to establish appropriate and effective measures to ensure compliance. Such measures could include, for example:

  • Setting up written and binding data protection policies to be applied to new data processing
  • Appointing a data protection officer
  • Offering adequate data protection training
  • Setting up transparent procedures to manage access, correction and deletion requests
  • Establishing an internal complaints handling mechanism
  • Ensuring effective management and reporting of security breaches
  • Conducting privacy impact assessments
  • Carrying out internal or external audits.

Some of these measures could, in turn, diminish current administrative requirements, for example, regarding notification.

The documents can be seen here.  


Copyright Privacy Laws & Business 2010