What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

Posted on March 9, 2010 by Privacy and Data Protection Practice Group

On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Multinationals Certified to the U.S.-E.U. Safe Harbor Agreement Beware: The Federal Trade Commission Has Bared Its Enforcement Teeth

Posted on October 13, 2009 by Privacy and Data Protection Practice Group

European FlagSince its inception in the year 2000, the U.S.-E.U. Safe Harbor Agreement has attracted nearly 2,000 multinationals seeking to establish a lawful basis to transfer to the U.S. the personal data of their consumers and employees who reside in the European Union (E.U.). To obtain the benefits of the Safe Harbor, these organizations are required to (a) certify to the U.S. Department of Commerce that they have implemented the seven Safe Harbor principles, (b) post for their employees and/or customers (depending upon the type of personal data being imported from the E.U.) a Safe Harbor privacy policy that embodies those principles, and (c) implement policies and procedures to ensure that the organization processes personal data received from the E.U. in compliance with the privacy policy. The Safe Harbor certification must be updated annually.

Until just a few weeks ago, the Federal Trade Commission (FTC), which enforces the Safe Harbor, had not commenced a single enforcement action in the nine years that the Safe Harbor has been in effect. Last week, the FTC requested public comment on six separate settlements of complaints alleging that multinationals had violated the Safe Harbor by representing to the public that they were current members of the Safe Harbor even though their certification was not up-to-date. Notably, the settlements do not include any monetary penalties, but instead would enjoin the targets from future misrepresentations about their Safe Harbor status.

The lessons learned include the following:
 

  • Multinationals must take compliance with all of the Safe Harbor’s requirements seriously; there is now some enforcement risk.
  • The nature of the enforcement risk is uncertain. The FTC’s charges required virtually no enforcement resources. The agency had to do nothing more than compare the target’s statements in their publicly posted Safe Harbor privacy policy against the certification records maintained by the Commerce Department. These settlements do not (at least yet) reflect the agency’s intention to perform on-site audits to determine whether the multinational’s internal process for handling personal data actually conforms to the seven Safe Harbor principles embodied in the organization’s Safe Harbor privacy policy.
  • The next, most likely enforcement step would be the FTC’s request to review the mandatory, annual self-assessment or third-party assessment of Safe Harbor compliance. The FTC would not have to expend any resources to “look behind” the assessment to find a violation. The failure to conduct the required annual assessment itself would be a violation.
  • Given the above, multinationals certified to the Safe Harbor should promptly confirm that their certification is current and conduct an assessment of their compliance with the Safe Harbor if they have not performed one during the preceding year. To the extent the assessment reveals any gaps in compliance, the gaps should be closed.

This entry was written by Philip L. Gordon.

Photo Credit: S. Solberg J.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

IAPP Practical Privacy Series: Human Resources 2008

Posted on June 6, 2008 by Nancy N. Delogu

Workplace privacy obligations continue to grow more burdensome for employers. As more information about workers becomes readily available, employers are often caught between a sense that failing to use that information may lead to negligent hiring and retention claims, and a fear that using or disseminating information that is private or protected will lead to litigation in its own right.

Littler Mendelson is a member of the International Association of Privacy Professionals, and a Gold Sponsor of the IAPP's "Practical Privacy Series Human Resources 2008" conference. The conference, which will take place in New York City on June 17, will cover a range of topics, including:

  • "What to Do When a Human Resources Security Breach Inevitably Occurs":  A security breach involving human resources data is high-stakes for organizations. This presentation focuses on the most common causes of HR security breaches and explains from the trenches how to respond in compliance with applicable notice laws, and without a disgruntled workforce when the dust clears;
  • "It's 10:00 A.M. -- Do You Know Where Your Employees Are and What They Are Doing?": New technology offers employers ever more sophisticated tools to keep tabs on their employees, but to what extent does this monitoring expose them to liability? This session examines the evolving U.S. law on these issues and discusses the challenges for global employers confronting data protection regimes modeled on the EU Data Protection Directive;
  • "H.R. Risk Assessments": Safeguarding HR information often plays second fiddle to seemingly more imperative privacy data, such as patient or customer information. Yet it can be among the most sensitive at an organization. This presentation highlights key lessons learned from HR privacy risk assessments across industries, and from helping organizations remediate weaknesses in their control environments. This session looks into the logistics of operationalizing a response program and handling specific recurring incidents; 
  • Littler's own Phil Gordon will speak on "Sex Offenders, Terrorists, And Video Resumes: How Far Can You Go To Get Information About Prospective, Current, And Former Employees?": With ready access to sensitive personal information, employers are under increasing scrutiny to maintain a workforce that is beyond reproach. Social networking sites, blogs and other resources offer a wealth of information on candidates and employees. How deeply should employers tap these new information sources? This presentation will help frame the debate for your own organization; and
  • I'll be talking about how--and when--an employer can use sensitive medical information in the employment context in a presentation called "How To Handle Employee Health Information And Drug And Alcohol Testing In Compliance With The Alphabet Soup Of State And Federal Confidentiality Requirements": Managing employees’ health is a critical business imperative. Employers confront a maze of laws and regulations governing the confidentiality of employee health information, and dire consequences for mishandling such information. This session addresses questions on collecting, using, storing, documenting and disclosing employee health information, among other concerns.

If you are interested in these topics, or know someone who is, go to International Association of Privacy Professionals and click on the box titled "Practical Privacy Series." We'd love to see you there!

Tags: , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link