PL&B International E-news, Issue 83

1. UK’s Information Commissioner approves Atmel’s and Accenture’s Binding Corporate Rules in successive weeks

After years of negotiations, the UK’s Information Commissioner has approved the Binding Corporate Rules applications of Atmel on April 22nd and Accenture yesterday, April 30th. They are only the third and fourth BCR applications to be accepted after General Electric and Philips. There are differences in that Atmel’s application covers employee records while Accenture’s application covers both employee and client information.

This step is not the end of the road, as the Information Commissioner states that the Data Protection Authorities in most of the other EU Member States “will in time issue equivalent authorisations for transfers falling within their jurisdictions.” Binding Corporate Rules gives a company the opportunity to demonstrate to national Data Protection Authorities that they have sufficient legal and practical measures in place to protect personal data transferred from the European Economic Area to other countries.

Theses cases show that the mutual recognition procedure (PL&B International Newsletter October 2008 p.1) now seems to be working to speed up BCR applications. The remaining questions include:

  1. the time it will take to move from preliminary agreement to formal agreement by the other 20 national DPAs involved, for example, in the Accenture process, and
  2. whether these two cases will significantly speed up the process for any other company beginning the BCR application process from now on.

There will be presentations on both cases at Privacy Laws & Business’s 22nd Annual International Conference, July 6-8th, at St. John’s College, Cambridge. More information on this conference will be coming soon.

2. EU starts legal action against UK over Phorm

On 14 April the European Union took the first step in a legal action against the UK for failing to protect Internet users from Phorm, a behavioural advertising technology tested by BT without its customers’ knowledge in 2006 and 2007. The European Commission said that the UK had failed to enforce EU data protection rules because broadband Internet subscribers were not informed that their browsing was being tracked and used to target advertising.

If the Commission is not satisfied with the UK response, the next step will be a “Reasoned Opinion”, and then an action in the European Court of Justice if the Commission is still not satisfied.

A full report is contained in the April issue of PL&B’s International Newsletter.

3. EU close to data breach notification law

The European Union’s Council of Ministers and the European Parliament are moving towards agreement on a rule that would require all 27 Member States to introduce breach notification laws. Parliament is expected to vote on a proposal during May, and agreement with the Council of Ministers is expected before the Parliament’s elections in June. The questions remaining include: who will be subject to the law, how serious a breach must be before notice is required, and who must be notified?

A full report is contained in the April issue of PL&B’s International Newsletter. PL&B has now published its report Data Breach Notification Laws in Europe on Data Protection Commissioners' Views and Recommendations from 21 European countries.  

4. France: close to adopting law to cut off Internet for file-sharers

In France, the Senate has passed a bill that would introduce a “three strikes” system for illegal downloading. Those suspected of breaching copyright would first receive a warning email, then a warning letter. If they continue downloading, the Internet service provider would be required to cut off access for a year. The bill was rejected by the National Assembly in April, but it is expected to be re-introduced soon.

A full report is contained in the April issue of PL&B’s International Newsletter.

5. Finland: employers get right to snoop on employee email

Finland has adopted changes to its Electronic Communications Act to give employers the right to monitor employees’ email traffic if they are suspected of leaking trade secrets. The new law, which will go into effect on 1 June, allows employers to monitor traffic data, but not the content of communications.

A full report is contained in the April issue of PL&B’s International Newsletter.

6. Deutsche Bahn spied on most of its employees over a ten-year period

In January German newspapers reported that the German rail company had engaged in surveillance of some 173,000 of its 220,000 employees in three major screenings in 1998, 2002-2003, and 2005-2006. On 1 April, the Berlin Data Protection Commissioner sent a “preliminary final report” to the company. On 31 March, the Deutsche Bahn CEO resigned, and his successor has promised a full review of the matter by 1 June.

A full report is contained in the April issue of PL&B’s International Newsletter.

7. Strasbourg court upholds right to information

On 14 April the European Court of Human Rights ruled that when public bodies hold information needed for public debate, the refusal to provide it on request is a violation of the right to receive and impart information. The case was brought by the Hungarian Civil Liberties Union over the refusal by the Constitutional Court to release information contained in a request by a member of parliament for judicial review of a statute.

There will be a full report and analysis in the June issue of PL&B’s International Newsletter.

8. ECJ rules unpublished rules not enforceable

On 10 March the European Court of Justice ruled that a list of articles prohibited on board aeroplanes cannot be enforced against individuals if it has not been published. A man was stopped at the security control of Vienna Airport because his cabin baggage contained tennis racquets, which airport staff considered to be prohibited articles under EU regulations. The man said that there was no mention of tennis racquets on the published list of items prohibited on board aircraft. He boarded the aircraft with the tennis racquets in his baggage, and security staff then ordered him to leave the aircraft. His legal action in the Austrian court was referred to the ECJ. The case means that unpublished EU and national rules cannot be enforced. (Case C-345/06, Gottfried Heinrich)

There will be a full report and analysis in the June issue of PL&B’s International Newsletter.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2009