PL&B International E-news, Issue 88

1. FTC takes enforcement action on Safe Harbor breach

Following complaints from European consumers, the FTC has taken enforcement action against a Californian company, Balls of Kryptonite, and its owner Jaivin Karnani. The FTC charged the defendants with deceiving consumers about their participation in the Safe Harbor programme, which is administered by the U.S. Department of Commerce.

The FTC was assisted in its investigation by the U.K. Office of Fair Trading, one of the FTC’s principal international law enforcement partners. Many consumers in the United Kingdom registered complaints with the FTC by using the Web site The company, which sells electronic goods, had led customers to believe that they were buying from a UK-based business.

This is the first FTC enforcement action on Safe Harbor. It issued the company with a temporary restraining order on 31 July in which the defendants agreed to halt their deceptive representations and provide an accounting of their assets.

2. Germany publishes draft Employee Data Protection Act

The German Federal Ministry for Labor and Social Affairs (BMAS) presented a draft of the Employee Data Protection Act (BFDatG) on 4 September, reports

The draft bans the creation of personality and health profiles. It regulates the use of video surveillance in the workplace, the use of biometric data, and the analysis of telecommunication services used. It is suggested that companies appoint an officer to supervise employee data protection. This officer would be separate from the data protection officer.

In addition to the fundamental provisions on data processing, this draft also contains a detailed listing of employee rights, e.g. a comprehensive right to information concerning stored data.

Although the Bill may not be discussed during the current Parliamentary term, it provides a basis for companies to plan ahead with an understanding of planned legislation.

Peter Schaar, Germany’s Federal Data Protection Commissioner, has agreed to explain the provisions of this Bill in his session at PL&B’s conference on November 3rd in Madrid: Employee surveillance in Europe: Balancing privacy rights and management control.

3. France proposes data breach notification

The French Senate’s Commission on Laws has issued a report on the Right to Privacy in the Digital Age (‘La vie privée à l’heure des mémoires numériques’). The report, which was published on 3 June 2009, is an important legislative initiative, as it includes suggestions on how to enhance privacy both nationally and internationally.

The report discusses the impact of technological developments on privacy, and proposes that adequate and sustainable solutions need to be developed. The Commission suggests internal Data Protection Officers for companies and organizations with more than fifty employees, and a new legal obligation to notify the data protection authority of data security breaches. It is also proposed that the CNIL (France’s DPA) should establish a network of regional offices.

A full analysis of this report, and its impact, will be published in the October issue of PL&B International.

4. Netherlands, Spain now have tighter TPS rules

Spain and the Netherlands now have legally enforceable “Do not call” lists that are mandatory for telemarketers, reports OPT4. Breaching the Spanish Robinson List will carry a fine of €150,000. In the Netherlands, from 1 October, consumers will be able to lodge a complaint with the Consumer Authority, which can impose a fine of up to €450,000.

Read more about the topic in the October issue of PL&B International: we will compare six of the largest Do Not Call Registers (Australia, Canada, India, Spain, UK and the US).

5. Denmark issues guidance on whistleblowing lines

The Danish DPA has published guidance on how to set up whistleblowing lines and how they should be used. The DPA should be notified using a standard form available on their website.

The guidance mainly deals with how to fill in this form. It is said that when the parent company is located outside the European Economic Area, the subsidiary and the parent company must take a decision on which one acts as data controller for personal data which is processed in connection with the whistleblowing line. If a third party service provider provides the facility, it must comply with the requirements of the Data Protection Act.

See the guidance, issued on 27 July 2009 (in Danish).

6. Swiss banking secrecy/privacy limited

During August and at the beginning of September, the Swiss government signed agreements with the United States, France, the United Kingdom, and Finland for the disclosure of information by Swiss banks to tax authorities in those countries. Although the Swiss government insists that Swiss banking secrecy laws are intact, and that “fishing expeditions” will not be allowed, Swiss banks will disclose information about individuals with Swiss accounts, if names and evidence of tax evasion are provided.

A full account will appear in the October issue of PL&B International.

Copyright Privacy Laws & Business 2009