Proceed With Caution When Remotely Monitoring Employees in the EU

One effect of COVID-19 has been a sharp increase in businesses’ use of remote surveillance solutions to protect corporate resources and monitor the productivity and behavior of employees who will be working from anywhere but the office for the foreseeable future. Although such tools can provide valuable performance insights and mitigate data loss and other risks, they can also significantly increase a business’s legal risk.

This is especially true for businesses with employees working in the EU, where employee privacy is typically protected to a much greater extent than in the United States. Indeed, the German subsidiary of international retailer H&M recently learned a €35.3 million (approximately $41 million) lesson about these legal risks after being fined by a supervisory authority in connection with a workforce monitoring program that “led to a particularly intensive encroachment on employees’ civil rights.”

Employers are permitted to monitor EU employees at work, as long as they comply with the laws and regulations of both the EU and individual Member States. This includes the EU’s General Data Protection Regulation (GDPR), which applies to any U.S. or multinational business that has employees in, or monitors the behaviors of, individuals in the EU.

Remote surveillance solutions increasingly offer sophisticated features that promise—among other things—to identify suspicious activity, detect potential insider threats, and provide real-time alerts about employee behaviors. But automated technologies that generate insights or conclusions about employees based on data collected from employer-monitored systems, networks, and connected endpoints can generate additional risk because the GDPR (as well as the laws of some individual Member States) provides protections for individuals subject to automated decision making and profiling.

Further, the use of employee surveillance solutions powered by Artificial Intelligence (AI) and Machine Learning (ML) technologies may trigger additional compliance requirements under the GDPR. We will explore those issues and others, and offer risk mitigation strategies that employers should consider before monitoring employees in the EU.

Health Data Made in France: Is France Moving Towards a Sovereign Cloud Requirement for Health Data?

Since the decision of the European Court of Justice (“ECJ”) in the Schrems II case, transfers of personal data from the EU to the United States have been under scrutiny. The ECJ reviewed the situation where personal data are sent from an EU affiliate to its U.S. headquarters as part of how the company structured its business-as-usual practices. But what the ECJ did not consider is whether the mere fact that an EU company is affiliated with a U.S.-headquartered company is problematic, even if no transfer of personal data to the United States takes place.

Whether merely being affiliated with a U.S.-headquartered company is a problem from a data transfer perspective is precisely what a number of associations (“claimants”) and the French data protection authority (“CNIL”) argued in a recent appeal before the French Council of State. This question arose in the context of a case involving Microsoft Ireland in respect of its hosting of French public health data. The claimants and the CNIL argued that any affiliation of an EU hosting provider, in this case Microsoft Ireland, with a U.S. parent company, in this case Microsoft U.S., is in and of itself problematic. The claimants and the CNIL contended that because of such affiliation, U.S. authorities could have jurisdiction over data held by Microsoft Ireland in the EU. As a result, the claimants called for the immediate suspension of the use of Microsoft Ireland, even though Microsoft Ireland had already committed to storing the data in a pseudonymized form in the EU. The French Council of State, however, denied the immediate suspension of the use of Microsoft. While this seems like a good outcome for transatlantic commerce, the Council’s decision suggests that in the future, organizations will be required to use a French-based cloud solution. We provide further details below.

The General Data Protection Law (LGPD) in the condominium and real-estate sectors

The regulation of data-use policies through a dedicated law had long been under discussion in Brazil. That discussion resulted in the approval of the Lei Geral de Proteção de Dados Pessoais (LGPD) on 14 August 2018, a law influenced by the GDPR (General Data Protection Regulation), which governs data protection in the European countries and has been in force since May 2018.

In force since August of this year, the new law affects many sectors of society that must now adapt to the new rules, including condominium management companies and real-estate agencies, which handle the data of unit owners, landlords and tenants, data that in some cases qualify as sensitive personal data.

How to ensure a data-capture page complies with the LGPD

In August 2018 the Data Protection Law (LGPD) was signed into law, with the aim of changing how public and private organizations collect, handle, store and process consumers' personal data. The law entered into force in September 2020 and regulates privacy and the protection of personal data, drastically affecting how companies and public bodies treat the security of users' information. As a result, the way you collect customer data through capture pages will have to be rethought to comply with the LGPD.

This even affects how your marketing strategy is planned. But don't worry: we will show you how to ensure that a landing page complies with the new law.

Data retention period under the LGPD

Limitations on the processing of personal data do not prevent the controller from safeguarding its own rights. The LGPD authorizes processing by the controller for the regular exercise of rights (Article 7, VI) and whenever there is a legitimate interest (Article 7, IX).

The employer holds personal information about its employees, and although the LGPD authorizes companies to use their employees' personal data for the legitimate performance of employment contracts, for the benefit of the worker, caution and compliance with the LGPD's rules cannot be neglected at any stage: in acts performed before hiring, during the term of the contract, in outsourcing arrangements, and after the contract is terminated.

Public authorities at the forefront of LGPD implementation, by Eugênio Vasques

On 22 October 2020, through a joint effort of the Ministry of the Economy, the Special Secretariat for Debureaucratization, Management and Digital Government, and the Digital Government Secretariat, Instrução Normativa DEGDI nº 100/2020 was published. It provides for the appointment of a Data Protection Officer (Encarregado pelo Tratamento dos Dados Pessoais) in the bodies of the Information Technology Resources Administration System (SISP).

Thinking outside the (pre-ticked consent) box

The decision in Orange România SA v Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal doesn’t particularly break new ground, but rather reinforces what we already know about consent to data processing in the EU, namely:

  • That it must be freely given, specific, informed and unambiguous; and
  • Silence, inactivity or pre-ticked boxes don’t meet this standard.

Courts work to change their internal digital culture and comply with the LGPD

Public-sector databases hold a great deal of personal information, from dates of birth to citizens' vehicle license plates. With little digital culture to build on, most Brazilian courts have only just begun the work of implementing the Lei Geral de Proteção de Dados (LGPD) in their procedures and guaranteeing privacy, in particular for the persons identified in court proceedings.

Q&A: the data protection legal framework in Russia

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

Federal Law No. 152-FZ on Personal Data dated 27 July 2006 (the PD Law) is the main law governing personally identifiable information (personal data) in Russia. The PD Law was adopted in 2006, following Russia’s ratification of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. In general, the PD Law takes an approach similar to the EU Data Protection Directive and draws on international instruments on privacy and data protection in certain respects, but the Russian regulation places special emphasis on technical (IT) measures for data protection. Notably, the PD Law contains concepts similar to those in the General Data Protection Regulation, which became effective in the EU on 25 May 2018. Data protection provisions can also be found in other laws, including Federal Law No. 149-FZ on Information, Information Technologies and Information Protection (2006) and Chapter 14 of the Labour Code of the Russian Federation (2001).

GDPR offers possibilities for scientific research in the context of COVID-19 (but must be observed)

Researchers are currently hunting for the right vaccine to protect against the virus and/or medication for the effective treatment of coronavirus patients. That means a great deal of scientific research, which in turn raises questions about the protection of personal data. To what extent can health data be used for these purposes, and how does one ensure that, even in times of crisis, the requirements of the General Data Protection Regulation (“GDPR”) are met?