What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

Posted on March 9, 2010 by Privacy and Data Protection Practice Group

On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

The convictions have wide ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources data base — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., data protection requirements (in addition to any imposed by U.S. law) will apply.

Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

This entry was written by Philip L. Gordon.
Tags: , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Caveat Employer: Let the Employer Beware of Employee Endorsements on Social Media Websites

Posted on January 5, 2010 by Employment Litigation Practice Group

Employers already face concerns about how to handle employees trash-talking about them on blogs, Facebook and other social media. Now, employers must be cautious of the converse — employee endorsements of their employers’ products and services on social media websites. The Federal Trade Commission (FTC) recently issued updated guidelines aimed at protecting consumers from misleading endorsements and advertising. As these guidelines make clear, employers whose employees use social media like blogs or Facebook to comment on their employer’s products or services face potential liability, even where the employer has not authorized or ratified the employee’s remarks.

The FTC’s revised Guides Concerning the Use of Endorsements and Testimonials in Advertising, published in the Federal Register at 16 C.F.R. Part 255 (the “guidelines”), address the application of Section 5 of the FTC Act (the “Act”) – which prohibits unfair or deceptive acts or practices and unfair competition in or affecting commerce -- to the use of endorsements and testimonials in advertising.

In the guidelines, the FTC identifies the general principles it will apply when evaluating whether endorsements and testimonials, including those given by employees about their employers’ products and services, are deceptive. The guidelines provide specific examples, and suggest that employees endorsing their employer’s products or services have a duty to disclose to their audience their relationship to an employer at the time they give the endorsement or testimonial. To be an endorsement or testimonial subject to these guidelines, the posting must be a message “that consumers are likely to believe reflects the opinions, beliefs, findings, or experiences of a party other than the sponsoring advertiser, even if the views expressed by that party are identical to those of the sponsoring advertiser. The party whose opinions, beliefs, findings, or experience the message appears to reflect will be called the endorser...” 16 C.F.R. Part 255.01(b).

The duty of disclosure applies even when the employee’s endorsement appears on a site that is not maintained by the employer or employee (such as a popular “bulletin board”) and the statement itself is not misleading. See 16 C.F.R. Part 255.5 (entitled “Disclosure of material connections”), Example 8. Failure to make such disclosure may expose the employer to liability under the Act.

If employees make misleading statements about the employer’s products and services that result in injury to consumers, the FTC may bring an enforcement action against the employer. The FTC reports that it has brought enforcement actions against employers “whose failure to establish or maintain appropriate internal procedures” had resulted in consumer injury, but the FTC suggested in comments on the guidelines that it would be unlikely to take action against an employer for the conduct of a single “rogue” employee whose conduct violated an adequate company policy.

Additionally, because postings on blogs and Facebook pages can reach wide audiences, employers may be vulnerable to large-scale liability like class-action lawsuits by consumers and/or legal action by state attorneys general.

In view of this latest possible exposure to employers from employees’ use of blogs and social websites, employers should consider reviewing their electronic communications or social media policies to ensure: (1) that they have policies addressing the use of the company’s name, trademarks, and other proprietary information in blogs and other social media; and (2) that these policies include either prohibitions or appropriate guidance regarding references to company products or services. Such prohibitions and/or guidance should no longer be limited to criticisms of the employer and its products and/or services. Endorsements, if permitted at all, should be limited to truthful and verifiable statements, or should be subject to prior approval by management. And in either event, such statements must be accompanied by an employee’s written disclosure of the employment relationship so that consumers can fairly weigh the testimonial.

This entry was written by Lisa Brauner.

Tags: , , , , , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link

Want To Get Rid Of Tag-Along State Law Claims? Try The Communications Decency Act

Posted on June 27, 2007 by Philip Gordon

For years now, employers have been warned that a detailed, electronic resources policy is the best defense against vicarious liability for the actions of employees who use corporate e-mail or Internet access like a bully in a sandbox. A recent decision from the California Court of Appeals highlights a potentially more potent defense that has received little attention in employment law circles.

The Communications Decency Act of 1996, 47 U.S.C. §230 [CDA] immunizes any “provider . . . of an interactive computer service” from liability under any state law for information published on the service by someone else. In Delfino v. Agilent Technologies, the plaintiffs sued Agilent for intentional infliction of emotional distress because a former Agilent employees had used Agilent’s e-mail system and Internet access to communicate numerous threatening messages to the plaintiffs. The California Court of Appeals affirmed summary judgment for Agilent based on the CDA.

As a matter of first impression, the court held that a corporate employer, like Agilent, who offers e-mail and Internet access is an interactive computer service provider for purposes of the Act. Because the employee, not Agilent, provided the threatening messages, and the plaintiffs sought relief only under state tort law, the CDA immunized Agilent from liability. By analogy, the CDA can be used to get rid of those pesky state law claims, like negligent hiring, negligent supervision, intentional infliction of emotional distress, and defamation, that tend to accompany Title VII claims alleging harassment through an employee’s use of corporate electronic resources.

Tags: , , , , , ,
  • Email This
  • Print
  • Trackbacks
  • Share Link