Archive for July, 2011

Belgian Privacy Commission clarifies employee monitoring

Posted on July 26th, 2011 by



With virtually every employer performing some kind of employee monitoring, cyber surveillance in the workplace remains a hot topic in Belgium. The last annual report of the Belgian DPA (‘Privacy Commission’) revealed that labour-related phone queries rank among the top 5 most frequently asked issues, and the Privacy Commission’s president stated in a recent newspaper article that not a day goes by without someone asking for clarification.

As the results of employee monitoring are often used in connection with dismissal procedures, it is no wonder that employers want to know under what conditions the results can be used, whereas employees wonder what their privacy rights are.

A lot of this confusion results from a multitude of legal texts dealing directly (e.g. Collective Bargaining Agreement n° 81 on the monitoring of electronic online communication data, hereafter ‘CBA n°81’) or indirectly (e.g. the 1992 Data Protection Act) with this issue, and which sometimes seem to contradict each other. In addition to that, there is a lot of debate around whether a CBA – negotiated between the employers’ and workers’ representatives, and subsequently ratified by Royal Decree – prevails over an Act adopted in parliament.

Faced with the growing confusion of the key stakeholders, the Privacy Commission has therefore opted to publish draft guidelines on the monitoring of email and internet traffic in the workplace, which are aimed at clarifying its previous recommendations and at offering practical recommendations.

The highlights of the draft guidelines are:

- The Privacy Commission now also covers the modalities of the employer’s access to professional data stored on the employee’s computer, instead of its exclusive focus on private data in the past. Thus, it offers a more complete overview of the topic.

- A detailed justification is given as to why, in the Privacy Commission’s opinion, the rules of CBA n°81 do not conflict with higher-ranked legal texts, especially section 124 of the Electronic Communications Act (unauthorized perusal of the existence of electronic communication) and section 314bis of the Criminal Code (unauthorized tapping during the transmission).

- According to the Privacy Commission, the most important recommendation for employers is to completely ban the use of the professional email account for private purposes. In case the IT policy obliges employees to use a webmail client for their private emails, all email in the professional email account is assumed to be professional. As a result, the employer would be entitled to access those emails to ensure the continuity of the services to its clients. While this does indeed seem the easiest solution, one may wonder whether in practice such an approach is workable.

- Most of the other recommendations focus on putting in place detailed and clear preventive rules and procedures that minimize the employer’s need to actually access or control personal information of its employees. This may include implementing a proper document and email management system at company level and implementing business continuity measures in case of employees’ absence.

The Privacy Commission’s guidelines are not law as such, but any employer wanting to undertake employee monitoring which does not strictly comply with these guidelines must be able to justify that the applicable rules and regulations are still complied with – especially the principles of proportionality, transparency and finality.

All stakeholders are invited to provide the Privacy Commission with their observations or comments on the draft guidelines by 30 November 2011.

Proportionality – the key to compliant anti-bribery due diligence

Posted on July 20th, 2011 by



On 1 July, the long-anticipated Bribery Act 2010 came into force. The Act attracted significant debate during its passage into law, largely due to concerns about how the newly-created s.7 offence of “failure by a commercial organisation to prevent bribery” would apply in practice.

At an overview level, any organisation carrying on business in the UK can potentially be liable under s.7 for a bribe paid by its “associated persons” (including employees, contractors and subsidiaries), whether or not it knew of the bribe. There is no requirement that the bribe must take place in the UK – organisations can attract liability for bribes paid by “associated persons” in overseas jurisdictions. Criminal penalties apply for breach, including unlimited fines and even the prospect of personal liability (including jail time) for directors. These onerous liabilities, coupled with the wide jurisdictional reach of s.7, are enough to give any senior executive sleepless nights.

“Adequate procedures” to guard against bribery risk

Organisations charged under s.7 have a defence if they can show that they had implemented “adequate procedures” to protect against bribery risk. With a view to clarifying the anti-bribery measures it expects organisations to adopt, the Government published guidance on implementing “adequate procedures” in March this year (available here: www.justice.gov.uk/guidance/docs/bribery-act-2010-guidance.pdf). This explained that implementation of “adequate procedures” by an organisation to guard against bribery risk should be informed by six principles: (i) Proportionate procedures; (ii) Top-level commitment; (iii) Risk assessment; (iv) Due diligence; (v) Communication (including training); and (vi) Monitoring and review of anti-bribery policies and procedures.

FFW has separately published detailed overviews (including FAQs) of the Bribery Act and the Government’s “adequate procedures” guidance at http://www.ffw.com/feature/the-bribery-act-2010.aspx.

Due diligence and data protection

With the excitement surrounding s.7 and the need to mitigate bribery risk by implementing “adequate procedures”, it’s all too easy for organisations to overlook their privacy compliance responsibilities. However, organisations that do not take proper account of the privacy consequences of implementing “adequate procedures” risk jumping out of the frying pan and into the fire – on the one hand, mitigating risk under the Bribery Act while on the other hand exposing themselves to a raft of potential liabilities under UK and European data protection legislation.

This is particularly the case with counterparty due diligence. Undertaking appropriate due diligence will be a compliance cornerstone in guarding against risk under the Bribery Act. Of critical importance – for both data privacy and Bribery Act purposes – is that any due diligence conducted must be proportionate to its aims. The level of due diligence appropriate in any given situation will necessarily depend on a variety of factors, including the nature of the role and the organisation concerned, the services to be provided, and any other readily identifiable business or bribery risks.

In the course of conducting due diligence, businesses will undoubtedly handle sensitive personal data relating to prospective clients, employees and contractors – such as information relating to criminal convictions and proceedings, political affiliations (e.g. if the data subject is a ‘politically exposed person’), trade union membership or otherwise. This raises a number of issues, not least in terms of the need to make (or update) suitable data processing registrations with the Information Commissioner’s Office in order to reflect any sensitive data processed – bearing in mind that failing to make and maintain accurate and up-to-date registrations is, itself, a criminal offence.

In particular, sensitive data benefits from enhanced protection under data protection law, and organisations must establish a lawful basis to legitimise their sensitive data processing in the first place. In this context, it is important to note that the Bribery Act does not create a legal obligation to conduct due diligence or to process sensitive data. It says only that “adequate procedures”, where implemented, are a defence to liability under the Bribery Act. For this reason, simply assuming that the Bribery Act itself legitimises due diligence processing of sensitive data is misguided. Businesses must instead consider the sensitive data processing grounds set out in the Data Protection Act 1998 and identify those that permit the specific due diligence processing in question. Whilst various grounds potentially exist, it is important to identify the specific grounds that will be relied on in any given case, and to ensure that the sensitive data processing keeps within the scope of those grounds. In many cases, it may be necessary to obtain explicit, informed consent directly from the due diligence subject to enable processing of his or her sensitive data.

The jurisdictional reach of the Bribery Act also has the potential to strain data privacy compliance. Given their potential liability for acts of bribery conducted by overseas employees, subsidiaries and contractors, a natural response for UK organisations would be to conduct due diligence on any overseas counterparty they engage, either directly or through a subsidiary. However, overseas data protection regimes may not readily permit processing of sensitive data for due diligence activities designed to mitigate risk under UK law (Spanish and Belgian data protection regimes, for example, impose strict requirements for sensitive data processing). As a consequence, overseas subsidiaries and contractors that want to process and share due diligence data with UK businesses for Bribery Act compliance purposes may find themselves hindered by their national data protection regimes. Likewise, overseas organisations that carry on business in the UK may want to implement due diligence procedures to guard against Bribery Act risk, but find themselves constrained by their local data protection laws. Organisations therefore need to consider carefully how to implement “adequate procedures” in a way that fully addresses the requirements of wider European (and other) data protection regimes where these apply.

Why this matters

Any organisation implementing “adequate procedures” to mitigate Bribery Act risk must consider carefully its responsibilities under data protection law. Without doing this, it runs the risk of implementing procedures that, while carefully designed to protect against bribery risk, attract liabilities under data protection law. Due diligence is just one example, but organisations also need to consider other data privacy liabilities arising when, for example, implementing ‘speak up’ or whistleblowing procedures, or when conducting internal investigations into allegations of bribery by staff.

At first glance, the Bribery Act and data protection law might appear to impose conflicting demands on organisations that are difficult to resolve. However, proportionality is at the heart of both regimes: whatever the “adequate procedures” implemented, they must be proportionate in light of the actual risks to the organisation. For this reason, rather than considering data protection as a barrier to Bribery Act compliance, it should be viewed as an enabler to implementing effective and proportionate Bribery Act compliance mechanisms. By considering and identifying potential privacy risks at the outset and rolling out “adequate procedures” that take account of these risks, a happy – and compliant – compromise can be achieved.

If you would like more information, please contact Phil Lee, Senior Associate, at phil.lee@ffw.com.

The gold standard for consent

Posted on July 19th, 2011 by



Irrespective of whether one agrees or disagrees with the Article 29 Working Party’s Opinion on the definition of consent, the Working Party should at least be praised for taking a clear-cut line on this issue. Never before has the group of EU data protection authorities carried out such a detailed assessment of one of the legal grounds for the use of personal information. If there was ever any doubt as to where the regulators stood in terms of the conditions for obtaining individuals’ consent, that is no longer the case. Whether their assessment is entirely correct is a different matter and deserving of debate.

Here are the bottom lines of the Working Party’s Opinion:

• Consent has to be given before the processing starts.

• Consent differs from the right to object – basically, just allowing people to opt out is not good enough.

• Consent based on an individual’s inaction or silence would normally not constitute valid consent, especially in an online context.

• A situation of subordination often prevents consent from being free.

• Blanket consent without specifying and separating each purpose of the processing is not acceptable.

• The mere availability of information is not good enough for consent to be informed – the information should be provided directly to individuals.

• Consent must always be unambiguous so that there is no reasonable doubt about the individual’s intention.

• Evidence of consent should be created and retained, so that consent is verifiable.

• And finally, the measures used to ensure that consent is verifiable should be put at the disposal of the data protection authority upon request.

To summarise, this is the gold standard for consent and anything below that is simply not enough. There is no middle ground. No wavering for the sake of pragmatism. As far as the EU data protection authorities are concerned, consent is basically a rock solid prior opt-in. Anything less will not cut it. But there is one problem with this stance: data protection is not mathematics. Privacy and data protection compliance always involve a balance of interests, and this balancing exercise does not come across in the Opinion. In other words, the Working Party’s approach is just too dogmatic. Wherever there is room for legal interpretation, the Opinion invariably chooses the most conservative approach.

There are three aspects of the Opinion where this approach is particularly extreme. The first is that, whilst the Working Party briefly concedes that consent can be reasonably concluded from behaviour, its position is that only some kind of positive action will qualify as proper consent. However, this ignores that in the real world ascertaining consent is a matter of assessing the level of certainty arising from an individual’s behaviour. The onus of this should of course be on the data controller, but there will be situations where it may be perfectly reasonable to accept someone’s passive behaviour as consent – particularly when the use of that person’s information is within their expectations and ultimate control.

Another extreme position adopted by the Working Party is in respect of the requirement for all consent to be unambiguous and for that unambiguity to be based on express or unmistakable actions. Because the standard sought by the Working Party is so high, there is no room for such consent to be implied – at least not in an online environment. This results in another extreme assessment of the requirement for consent in the specific situation regarding the use of Internet cookies under the e-privacy directive. In this respect, the Working Party demands both prior and express consent, irrespective of the uses made of those cookies.

The outcome is somewhat disproportionate. The e-privacy directive itself distinguishes between different purposes for which third parties may wish to store or gain access to information stored in the terminal equipment of an Internet user. These purposes will range from the legitimate – in particular, cookies – to those involving an unwarranted privacy intrusion, such as spyware or viruses. Therefore, a balanced and realistic assessment of the requirement for consent should take those differences into account and aim not just for a blind gold standard, but for the right and reasonable standard. Even if it is at the expense of complete legal certainty.

This article was first published in Data Protection Law & Policy in July 2011

Cookie consent – The state of the (European) Union

Posted on July 8th, 2011 by



Now that a month has passed since the deadline for implementation of Europe’s new cookie ‘consent’ law – a deadline missed by almost all EU Member States – it seems that the law is now (slowly) coming into effect across Europe. With online operators everywhere anxiously awaiting news about how Member States are implementing these requirements, now seems a good time to provide our followers with an update.

Aside from the UK, Ireland, Latvia, the Netherlands and Sweden have all now taken the plunge and introduced new cookie ‘consent’ laws. If these early adopters are anything to go by, then national legislators are broadly falling into one of two implementation camps – implementing cookie consent laws either on a strict ‘prior opt-in’ basis or, instead, qualifying the consent requirement by reference to ‘appropriate’ browser (or other application) settings.

So far, there is a roughly 50/50 split between these two camps. Ireland and Sweden have followed the UK’s pragmatic lead by qualifying consent by reference to browser settings, whereas Latvia and the Netherlands appear instead to have taken a strict prior opt-in approach. Most interestingly, the Netherlands has gone even further and clarified that the use of cookies to collect browsing behaviour for targeted advertising purposes will qualify as personal data processing – exposing ad networks not just to compliance with the new cookie consent requirements, but to national data protection rules in full.

Coming down the pipeline, Spain and Germany also have legislative proposals under consideration – in each case, qualifying consent by reference to browser settings. However, even in territories that have chosen to allow consent to be expressed through browser settings, the message ringing loud and clear is that the current generation of browsers does not offer suitable settings to obtain consent – principally because they accept cookies by default. In fact, the legislative proposals under consideration in Spain state that users must expressly configure their browser settings in order to consent to cookies.

So there we have it – six more jurisdictions have brought their cookie consent laws online. Interestingly, when publishing his annual report, the UK Information Commissioner took the opportunity to caution businesses to “take their ‘consent’ obligations seriously”, adding “I’ll be after them if they don’t” (see http://goo.gl/SLvTh). You have been warned!

If you would like a copy of FFW’s “Cookie Assessment Tool” to audit your organisation’s use of cookies, please e-mail my colleague, Phil Lee: phil.lee@ffw.com.