Weekly Data Privacy Alert – 4 September 2017
The European Court of Human Rights (ECtHR) Finds That Monitoring and Accessing an Employee’s Electronic Communications is in Violation of Article 8 of the European Convention
On 5 September 2017, the ECtHR ruled that the Romanian courts had failed to protect an employee’s right to a private life when he was dismissed for using company resources for personal purposes without being informed in advance of the extent and nature of his employer’s monitoring, nor of the possibility that the employer might have access to the actual contents of his message. It was found that the Romanian courts had not examined the scope of the monitoring and the degree of the intrusion into the employee’s privacy nor whether the aim pursued by the employer could have been achieved by less intrusive methods. These points, amongst others, led the ECtHR to conclude that there had been a violation of Article 8 of the European Convention (right to respect for private and family life, the home and correspondence).
The CNIL Publishes the List of Registration Formalities Completed Since 1979
The CNIL has published on its website lists of all registration formalities carried out by data controllers since 1979, which are updated weekly. It was previously only possible to find a limited number of the formalities carried out on Légifrance, mainly those for which processing requires prior authorisation from the CNIL. For any other formality carried out by a data controller, one had to request this information from the CNIL. From now on, this information is publicly available. However, these lists do not contain all the information provided by the controller in the course of his registration or application for authorisation.
This may be an opportunity for some data controllers to verify their state of compliance and whether all required registrations have been carried out. Once the GDPR comes into force in May 2018, most of these formalities will no longer be required and will be replaced by accountability obligations. However, a grace period will be put in place for processing activities for which the formalities have been completed (and which comply with the GDPR), as is the case for those that will require a Data Protection Impact Assessment, possibly followed by a consultation with the CNIL.
Brexit: The EU Data Protection Package
The European Union Committee of the UK’s House of Lords published its paper earlier this summer, Brexit: the EU data protection package. This paper urges the UK government to implement its goal to maintain unhindered and uninterrupted data flows between the UK and EU after Brexit, and examines the options available to ensure that this occurs. It warns that data flows have become very valuable to cross-border business and that it is important to establish an adequate framework in order to ensure the success of EU-UK trade.