August

"The French CNIL has adopted and published a new set of guidelines that set forth ""best practices"" about privacy protection at work. According to the Guidelines, employers can monitor an employee's Internet use such as web-surfing and electronic mail. They can keep track of the list of websites visited and of the amount of time an employee spends online. However, they cannot use ""keyloggers"" to track all activities on a computer. Any monitoring must be declared by employers to the CNIL. Employers must inform their employees about the procedure in place, its aim and duration. Employers cannot access any email marked as ""private"" or ""personal,"" except during a trial, and based on a court order. Additionally, employers cannot receive a copy of every email sent by employees. The first principle set forth by the Guidelines is that employers cannot use the result of illegal monitoring during a performance evaluation or against an employee under disciplinary procedure. The CNIL recommends that employers set up policies in their companies to notify their employees of every rule, or monitoring procedure in place."

The French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libert�s), has published its annual report for 2012, emphasizing a significant increase in complaints, audits, and sanctions. The CNIL says it processed the largest amount of complaints in its history in 2012-over 6,000. Those complaints were received principally from private individuals regarding their right to access, rectify, or oppose data processing. In addition, CNIL audits increased by almost 20% since 2011. The audits were triggered as a result of the CNIL's annual programme of audits (approximately 40%), in reaction to public events (approximately 25%), or to complaints (23%). While the number of financial sanctions was relatively stable (4 versus 5 in 2011), the total amount of financial sanctions decreased. However, the CNIL has increased substantially the number of public sanctions, taking advantage of a new provision, which allows it to order the publication of its cease-and-desist letters. The CNIL's report dwells on the challenges of regulating big data, and argues that privacy protection does not necessarily have to create costs in terms of innovation and economic development.

Three legislative acts with far reaching implications are being placed on employers and organizations: The Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act, 2012 (Withholding Act), The National Vetting Bureau (Children and Vulnerable Persons) Act 2012 (Vetting Act), and Children First 2012 (Children First). The key provision of the Withholding Act is the creation of an offence of withholding information in relation to certain arrestable offences committed against children and vulnerable people. The intent is to introduce a form of mandatory reporting by creating the threat of criminal sanctions for those withholding information. The Vetting Act provides a legislative basis for the vetting of persons who seek positions of employment relating to children or vulnerable persons, making vetting mandatory. The overarching policy objectives of Children First is raising awareness of child abuse, recognizing and reporting child abuse, and the management of child safety concerns for specified organizations. The key provisions of the Bill, from an employer's perspective, is to train and set standards for its staff and volunteers and to appoint its most senior manager as a Designated Officer, to ensure children in its care are protected through recording, monitoring and reporting.