Nuevos Lineamientos del Aviso de Privacidad en México Requieren de una Acción Inmediata
El 17 de abril de 2013, los nuevos Lineamientos del Aviso de Privacidad en México entrarán en vigor, con la imposición de requisitos extensos para la adecuada elaboración del Aviso de Privacidad y para la obtención del consentimiento del titular previamente a que los datos personales se recaben directamente de una persona o en forma electrónica a través de "cookies", "web beacons" u otros medios automatizados. Las Lineamientos son obligatorios y particularmente importantes para los empleadores que obtienen, procesan y/o transfieren datos personales de los empleados o candidatos, así como para las empresas que operan o hacen uso de publicidad en México que utilizan medios tecnológicos que permiten la obtención automática de datos personales en el Internet. Para obtener más información acerca de los nuevos Lineamientos del Aviso de Privacidad en México, continúe leyendo la nota de Actualidad Laboral de Littler, Nuevos Lineamientos del Aviso de Privacidad en México Requieren de una Acción Inmediata, escrito por Javiera Medina Reza y Eduardo Osornio García.
Mexico's New Privacy Notice Guidelines Require Immediate Action
On April 17, 2013, Mexico's new Privacy Notice Guidelines will go into effect. The Guidelines impose extensive requirements for furnishing adequate data privacy notices and obtaining consent before personal data is collected directly from a person or electronically via "cookies," "web beacons" or other automated means. The Guidelines are mandatory and particularly important to employers that regularly collect, process, and/or transfer personal data about employees or job applicants, and to companies operating or advertising in Mexico that use media technology that automatically collects personal data online. To learn more about the Guidelines, please see Littler's ASAP, Mexico's New Privacy Notice Guidelines Require Immediate Action, by Javiera Medina Reza and Eduardo Osornio Garcia.
It's Official: The Supreme Court of Canada Concludes that Employees May Have a Reasonable Expectation of Privacy in Relation to Their Work-Issued Computers
By Christina Hall and Andrew Carricato
The Supreme Court of Canada released its eagerly awaited decision in R. v. Cole, 2012 SCC 53, on October 19, 2012. In the decision, the Court held that employees may have a reasonable, though diminished, expectation of privacy in personal information stored on their work computers - at least where the personal use of such devices is permitted or reasonably expected by employers. This reasonable expectation of privacy is protected by the Canadian Charter of Rights and Freedoms (the "Charter").
The Facts
Mr. Cole was an Ontario high-school teacher. In addition to his regular teaching duties, he was responsible for policing the use by students of their networked laptops. To this end, he was supplied with a laptop owned by the school board and he was given domain administration rights on the school's network. This allowed him to access the hard drives of students' laptops. Mr. Cole was also permitted to use his laptop for incidental personal purposes, which he did. He often browsed the Internet and stored personal information on the laptop's hard drive.
Mr. Cole's difficulties began when a school technician, performing maintenance activities on the school's network, found a hidden folder on Mr. Cole's laptop that contained nude photographs of a high school student. The technician reported his findings to the school principal who seized the laptop and handed the information over to the police. The police reviewed the information contained on the hard drive without first obtaining a search warrant. They proceeded to charge Mr. Cole with possession of child pornography and unauthorized use of a computer.
Continue Reading...California's New Social Media "Password Protection" Law Takes a More Balanced Approach by Accounting for Employers' Legitimate Business Interests
Under a new California law, employers cannot request or require that applicants or employees:
- Disclose social media log-in credentials;
- Access personal social media in the employer's presence; or
- Divulge any personal social media content.
However, an exception permits employers to ask an employee to divulge personal social media content that the employer "reasonably believe[s] to be relevant to an investigation of allegations of employee misconduct or employee violation of applicable laws and regulations."
To learn more about the law and its potential implications for employers, please continue reading Littler's ASAP, California's New Social Media "Password Protection" Law Takes a More Balanced Approach by Accounting for Employers' Legitimate Business Interests, by Philip Gordon and Lauren Woon.
Advances Between European Data Protection Law and U.S. Civil Litigation Duties
By Jessica Jacobi of Kliemt & Vollstadt (the Germany member of Ius Laboris)
In a recently published open e-mail of June, 12, 2012, the EU Article 29 Working Party on Data Protection commented on a publication (December 2011) of the Sedona Conference called "International Principles on Discovery, Disclosure & Data Protection" ("International Principles"). The Sedona Conference is a U. S.-based private research initiative which addresses issues related to pre-trial discovery in U.S. civil courts and, in particular, the discovery of electronically stored information (ESI).
As opposed to the courts in civil law countries, U. S. courts operate with a procedure known as pre-trial discovery. In this pre-trial phase, information is gathered, and each party can obtain evidence from the opposing party as well as from non-parties. In litigation involving parties, witnesses, or ESI (Electronically Stored Information) located in the E.U., this "cross-border discovery" often conflicts with European Data Protection Law. The Sedona Conference's International Principles, published in draft form, are aimed at reducing the situations in which a conflict of laws arises and at providing recommendations for resolving conflicts when they do arise.
Continue Reading...Employer May Not Demand List of Union Members
Pursuant to the resolution of the Supreme Court of 24 January 2012 (III PZP 7/11) a trade union may refuse to provide the employer with a list of union members, and such refusal does not release the employer from the obligation to consult the union in individual employee matters. In effect, every time the employer intends to give a notice of termination to an employee employed for an indefinite period of time, they should ask the union whether this employee is a member. If they are, the consultation is the second step of the procedure. The Supreme Court justifies its position on the grounds of the protection of employees' personal data, which include information on whether an employee is a union member.
No Right for Unsuccessful Job Applicant to Know Outcome of Recruitment Process
By Sophie Maes of Claeys & Engels (the Belgium member of Ius Laboris)
The European Court of Justice (ECJ) has considered a significant issue that may arise where a job applicant is rejected by the prospective employer and brings a discrimination claim. What is the effect of the employer refusing to provide information about whether another candidate was appointed at the end of the recruitment process?
While the ECJ ruled that an employer in this situation does not have a positive obligation to disclose the relevant information, the judgment nonetheless suggests that a refusal to do so could be dangerous for employers in some circumstances.
The case concerned a job applicant who on two separate occasions was not invited to an interview for a similar position at the same company. She brought an action alleging race, sex and age discrimination, requesting that the company produce the file for the person who was ultimately hired. The company refused and the court referred the case to the ECJ, which clarified the legal position as follows:
- A job candidate whose application was rejected and who claims plausibly that he or she meets the requirements listed in the advertisement for the position is not entitled to information indicating whether the employer hired another applicant at the end of the recruitment process.
- However, the employer's refusal to grant any access to information is one factor the court may take into account in deciding whether facts have been established from which discrimination could be inferred.
Should U.S. Employers Be Asking Applicants and Employees for Social Media Log-in Information?
By Chris Leh of Littler Mendelson (the U.S. member of Ius Laboris)
Employers continue to wrestle with the issue of whether to require employees and prospective employees to divulge their social media passwords. In the United States, a recent spike in interest by the media, advocacy groups, legislators and the general public has refocused attention on the issue. Although it may not be unlawful to seek the information, in most situations, it is inadvisable.
The efforts of law enforcement agencies to obtain social media log-in information to supplement background checks on prospective recruits have received the most notoriety. However, some private entities have engaged in the practice as well. For example, in New York a statistician withdrew his application when an interviewer at the company to which he had applied asked for his social media password.
Continue Reading...EU Data Protection Reforms Unveiled
By Ellen Temperton of Lewis Silkin (the UK member of Ius Laboris)
The European Commission has published proposals for a comprehensive reform of the 1995 EU Data Protection Directive.
The main aim is to remove inconsistencies created by the 27 EU member states having implemented the Directive in divergent ways and the consequent burdens for business. The proposals also attempt to reflect the rapid advances in technology since the Directive first came into effect.
The changes include a mandatory obligation to report data security breaches promptly and, where feasible, within 24 hours. At present, very few member states have compulsory rules requiring infringements to be notified. In addition, substantial powers to levy fines are proposed - between 0.5 and 2% of an organisation's global annual turnover.
Continue Reading...The Use of Geolocation Is Restricted
An employer who wishes to use a geolocation device must make a declaration to the CNIL (Commission nationale de l'informatique et des libertés), which is responsible for ensuring that information technology remains at the service of citizens and does not jeopardize human identity or breach human rights, privacy or individual or public liberties. The CNIL will also verify that the principles relating to the protection of personal data are respected.
The declaration may be made online. Only after the employer receives confirmation from CNIL that the declaration was received may the employer implement a system with geolocation devices.
A decision of the Supreme Court of 3 November 2011 points out that a system monitoring employee activity such as geolocation can not legally (CA Versailles, 17th ch., 17 September 2010, No. 09/02316, Messaoudi C / SA Sogeres) be used by the employer for any other purposes than those declared to the CNIL, and must be brought to the attention of the employees.
Moreover, geolocation limits the personal freedom of employees and this must be justified, in accordance with Article L. 1121-1 of the French Labour Code. According to the Supreme Court there is no such justification for controlling the hours of work of an employee who is free to organize his work. Furthermore, the employee in the case in question had not been informed that the device would be used for such purpose. The court ruled that this illegal use is sufficient to justify a notification by the employee of a breach of the employment contract by the employer (assimilated to unfair dismissal).