Category: France

Ready for Cookie Sweep Day?

Cookie Sweep Day is coming!

The French data protection authority CNIL will conduct a “cookie sweep” this coming September 15 to verify compliance with its recommendations on cookies and tracers used to collect and store personal user information on websites. These audits will be both on-site and remote inspections, meaning that as a website owner, your premises could be subject to a visit by the authorities for non-compliance.


The CNIL will feed the data crumbs it gathers into a program of website audits it will conduct in October.

The cookie sweep is not limited to France – all other EU national data protection authorities will be conducting their own sweeps as well across the Member States, to inspect and monitor cookie compliance with the ePrivacy Directive.

Should you be concerned?

To be clear, under the regulations, only certain cookies require a user’s prior consent – in general, cookies set by third party advertising networks. In a word, if you’re monetizing your site with third party ads, you must ask users for their consent to those cookies (if you’re not already asking for prior consent for these, you should really do it, er, now).

If you’re not already aware of how it works, a user can consent by clicking a banner explaining that the site uses cookies for tracking/advertising purposes or more simply, if the user continues through deeper links within the site and the banner remains persistent.

Users must be able to withdraw consent at any time, and cookies and consents must be reset at a minimum every 13 months. The CNIL holds sites and third party advertising networks jointly liable for compliance.
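A small consent gate that models the rules described above (advertising cookies need prior consent, functional and analytics cookies do not, consent can be withdrawn at any time and lapses after 13 months), written as an added example rather than taken from the original post; the category names and the shape of the consent record are assumptions.

```javascript
// Added example (not from the original post): a consent gate modelling the CNIL
// rules described above. Category names and the record shape are assumptions.

// Per the post: advertising cookies need prior consent; functional and web
// analytics cookies do not (but still require clear opt-out information).
const CATEGORIES_NEEDING_CONSENT = new Set(['advertising']);

function requiresPriorConsent(category) {
  return CATEGORIES_NEEDING_CONSENT.has(category);
}

// CNIL: cookies and consents must be reset at a minimum every 13 months.
function consentExpiry(grantedAt) {
  const expiry = new Date(grantedAt);
  expiry.setUTCMonth(expiry.getUTCMonth() + 13);
  return expiry;
}

// Assumed record shape: { grantedAt: ISO-8601 string, withdrawn: boolean }.
// Withdrawal (which must be possible at any time) invalidates it immediately.
function consentStillValid(record, now) {
  if (!record || record.withdrawn) return false;
  return now.getTime() < consentExpiry(record.grantedAt).getTime();
}

// Which cookie categories may be set right now, given the consent record?
// Without valid consent only the categories exempt from prior consent remain.
function allowedCookies(categories, record, now) {
  const ok = consentStillValid(record, now);
  return categories.filter((c) => !requiresPriorConsent(c) || ok);
}

// Set-Cookie value for the consent record itself. Max-Age is capped at the
// 13-month limit so the banner is shown again once the consent lapses.
function consentCookieHeader(now) {
  const maxAge = Math.floor((consentExpiry(now).getTime() - now.getTime()) / 1000);
  return `cnil_consent=${now.toISOString()}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Withdrawal returns a record marked withdrawn; the caller should then
// delete any advertising cookies already set.
function withdrawConsent(record) {
  return { ...record, withdrawn: true };
}
```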

What’s the risk?

If you’re running a business through ads or tracking via your site, the financial risk is moderate, depending on your size. This past January the CNIL fined Google €150,000 for having cookies set while the banner was loading instead of after consent was given. Clever folks, Google. Anyway, the risk is there.

Nota bene…

Functional cookies and web analytics cookies do not require prior consent but users must have clear and user-friendly information regarding these cookies, including information on how to opt-out.

Another important note is that sites cannot deny users access if they choose to block advertising cookies and cannot make acceptance of advertising cookies a condition of using the service. Where a business model depends on making content or services freely available in exchange for targeted advertising via cookies, the regulations are…highly disruptive.

The CNIL has also put up an app (“CookieViz”) for users to verify cookies on their Mac, Windows or Linux device.


French whistleblowers get new legal protections

Palais de Justice, Nice

As of 1 February, the new French whistleblower protection law is in effect. Its provisions protect French employees of private companies from sanction or dismissal “for having reported or testified in good faith, facts constituting an offense or a crime of which he was aware in the exercise of its functions”.

A similar provision took effect to protect civil servants in France’s considerable public sector from retaliation after reporting illegal activities.

Under both laws a whistleblower who took part in any alleged offenses is granted immunity from prosecution so long as the whistleblower’s actions only amounted to an attempted offense or the whistleblowing action prevented the crime from actually occurring. Where the whistleblower has actively taken part in some of the criminal actions but acts in time to stop the commission of the final criminal act, any sentence decided by a court will be halved.

Why is this a landmark for France when whistleblower status has existed for decades in other countries and in the US since 1778?

Firstly, compliance with international accounting, money laundering, anti-terror laws and banking regulations — and cross-border enforcement of them — means that New York or London listed companies located in France had to find a legal way to implement a whistleblowing policy for French employees, this in spite of the lack of a local legal regime and the protestations of the CNIL, the national data privacy authority.

Secondly, it should be understood that France has a culture in which reporting of “private affairs” to authorities is highly taboo. The chastening World War II experience (laws requiring citizen cooperation and informing to fascist Vichy and Occupation forces) meant that any institution of a new legal frame for anonymous reporting to the authorities carried a heavy burden of proving its usefulness versus possible abuse.

Thirdly, this was also an excellent opportunity for the Ecologists, part of the governing coalition, to extend whistleblowing protection to environmental law violations – perhaps the most satisfying result of the change for ordinary citizens.

Unlike the US whistleblowing provisions, the new French law does not provide for pecuniary rewards for whistleblowers, and the immunity from prosecution provisions only apply to natural persons. It also allows associations to join criminal proceedings as civil parties – another advantage for environmentalists that has not existed in the past.

In any case, it is a step forward for revealing corrupt practices and protecting honest citizens.

What to make of the EU reaction to Google’s new privacy policy?

Yesterday’s letter from the French National Commission on Information Technology and Freedoms (CNIL) points out some very specific problems in Google’s widely publicized new privacy policy, which comes into effect 1 March.

While the new policy is exemplary in its clear language, the issues the CNIL enumerates are not so arcane as to concern only specialists in data privacy law.

In sum, the CNIL wants Google’s privacy policy to explain 1) which Google services will collect and/or process personal data, 2) the specific personal data which will be collected and/or processed by each service and 3) how Google will inform the individual of her/his rights regarding access, correction, etc. for the personal data held by each service.

While all this sounds like formalities, complying with EU data privacy law is all about formalities. Google should know this better than anyone today, especially considering the level of expertise they have in data privacy matters.

As it is, Google has (for simplicity’s sake, one would surmise) used a negative definition of what it will not do with an individual’s personal data. From a philosophical point of view, this is a bit like the difference between Civil and Common Law conceptions of liberty. For Civilists, a right doesn’t exist unless it is enumerated. Civilists like things written down.

I think that we’ll likely see more PR pushback from Google in the next few weeks until their global data privacy counsel can talk his colleagues and clients into conceding that their new policy could use a few links to deeper explanations to be compliant with EU law. Google wants to be a good European, after all.

The Opinion 10/2004 on More Harmonised Information Provisions is basic but useful guidance on how to draft a compliant privacy policy statement. Well worth looking at.


French Competition Authority will cut fines 10% for companies with compliance programs.

More recognition across Europe that a well-built and delivered compliance program is being taken into consideration by regulatory authorities comes from France today, as the Competition Authority published notice that it would reduce fines for companies that put into place a competition law compliance program. They note and recommend that an “efficient program” include the following basic elements:

  • The existence of a clear, firm and public position of support adopted by the company’s management bodies;
  • The commitment to appoint one or more persons responsible for the program’s development and operation;
  • Developing information tools, awareness raising measures and staff training;
  • Setting up management, audit and whistle blowing mechanisms;
  • Establishing a system for reviewing reports of misconduct and taking relevant followup actions.

It’s edifying to witness the principle of reducing sanctions for companies with an effective compliance program spread to other areas of corporations law. This is a very welcome development for compliance officers and legal departments, who can leverage it to demonstrate the value of their programs.

Finally, it wouldn’t be surprising to see 1) every market leader (or near-leader) in the EU adopt a compliance program and 2) compliance programs being considered in sanctions in other aspects of corporate behavior, especially in the financial and energy sectors.