New Luxembourg bill on data retention – Criminal Data



On January 7, 2015, the Luxembourg Ministry of Justice filed with the Chamber of Deputies bill n° 6763 (the Bill) modifying Article 67-1 of the Luxembourg Criminal Procedure Code (the Criminal Code) and Articles 5, 5-1 and 9 of the Act of May 30, 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, as amended from time to time (the 2005 Privacy Act).

By so doing, the Luxembourg government aims to comply with the Court of Justice of the European Union (the ECJ) ruling of April 8, 2014, the so-called “Digital Rights”, in joint cases C-293/12 – Digital Rights Ireland and C-594/12 – Seitlinger and Others, whereby the ECJ has declared the Data Retention Directive 2006/24/EC to be invalid.

The Bill focuses on traffic data (Article 5 of the 2005 Privacy Act) and location data other than traffic data (Article 9 of the 2005 Privacy Act).

Firstly the Bill intends to amend the current access by the judicial authorities to retained data for the purposes of the investigation, detection and prosecution of criminal offences subject to a criminal or correctional penalty of at least one year of imprisonment. Now Articles 5 (1) (a) and 9 (1) (a) will refer to Article 67 -1 (4) of the Criminal Code where an exhaustive list of offences has been inserted.

Furthermore, the Bill proposes to amend Articles 5 (1) (b) and 9 (1) (b) by stating that service providers and operators must delete irrevocably and without any delay the retained data at the end of the 6 months retention period. Service providers and operators cannot keep anonymous data at the end of the retention data anymore.

The Bill also amends Articles 5 (6)- and 9 (6) of the 2005 Privacy Act by modifying the penalties to be imposed in case of breach of Article 5 (1) to 5 (5) and Article 9 (1) to 9 (5) o the 2005 Privacy Act. The penalty incurred will be now a sentence of six months to two years of imprisonment and/or a fine of between EUR 251 and EUR 125 000.

Finally, the Bill will oblige service providers and operators, through the amended Article 5-1, to store data on the territory of the European Union.

Source: StibbeJohanne Mersch

Categories: Uncategorized

China proposes draft privacy legislation with significant potential implications

ChinaOn July 6, 2015, China’s legislature, the National People’s Congress (NPC), circulated for comment two pieces of draft legislation with significant potential implications for data privacy and data security in China. The key provisions of these two draft laws are summarized below.


Coming closely on the heels of the July 1, 2015 promulgation of a new national security law, the draft Cyber Security Law (网络安全法) has as its stated goal the protection of “cyber sovereignty” and the preservation of cyber security. It includes provisions governing data localization, protection of personal information and other data, and network security.

  • Definition of personal information. Many Chinese regulations that include provisions governing the protection of personal information are unclear on the scope of the term “personal information”. The draft law includes a relatively detailed definition of “citizens’ personal information”, meaning personal information such as a citizen’s name, birth date, ID number, biometric data, profession, residence, or telephone number, recorded electronically or through another method, as well as other kinds of information that, alone or combined with other information, may be used to determine a citizen’s identity.
  • Data localization. Article 31 of the draft law would require an operator of “key information infrastructure” to store personal information and other “significant data” collected and produced in the course of its business operations inside China. It would also require that, before any of that data can be shared with parties overseas or stored overseas, the Chinese company complete a security evaluation in order to evaluate the security risk associated with the data export. The term “key information infrastructure” refers to, among other things, public communications infrastructure and information systems used by public utilities, government at the municipal or higher level; the military, or used in transportation systems, health care, or the financial sector. Notably the term also includes networks and systems owned or managed by network services providers that provide services to “large groups of users”, potentially giving the data localization requirements of the draft law a very broad application. Frustratingly, the term “significant data” is not defined in the draft law. We anticipate the intention is to reinforce exisiting restrictions on the export of state secrets, as well as address other information whose export may have an impact on national security, but further guidance will be needed on this issue, as well as on the nature of the security evaluation required in connection with data exports.
  • Data protection. Chapter 4 of the draft law includes broad provisions governing the protection of network data, including personal information. The term “network data” refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks. The personal information protection provisions take a similar approach to personal information protection in sector-specific data privacy rules already in place with respect to the telecommunications sector. The provisions apply to all “network operators”. “Network operator” and the term “network” are both defined broadly so that the obligations apply to the owner of any computer information network, as well as to any party who administers a computer information network or provides services over it. As such, the data protection provisions of the draft law apply broadly to a very wide range of parties who either own or use a computer information network (and effectively to all personal information in electronic form), and not only within the limited sectors covered by current rules. The principal requirements include the following:
    • Collection and use of personal information must comply with the principles of legality, legitimacy, and necessity.
    • The purpose, method, and scope of the collection and use of personal information must be expressly disclosed, and the collection and use of personal information must be based on the individual’s consent.
    • Network operators may collect and use personal information only in connection with their provision of services and should not collect or use personal information outside the scope agreed by the individual.
    • Network operators should disclose to individuals their policies for the collection and use of personal information.
    • Individuals can demand that personal information collected unlawfully be deleted, and they have the right to demand correction of personal information that is inaccurate.
    • No entity or individual may steal or acquire personal information by other unlawful means, or sell or unlawfully provide personal information to others; language that corresponds to language in the Ninth Amendment to the Criminal Law is also discussed in this update.
  • Security certification/inspection. Article 19 of the draft law would require that key network equipment and special- purpose network security products comply with applicable security standards and be subject to a security certification or security inspection before being sold in the market. The security certification/inspection requirement builds on a similar requirement contemplated in regard to equipment used in the telecommunications and Internet sectors in the Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors. Article 19 makes clear that its implementation is subject to the issuance of a catalogue of key network equipment and special-purpose network security products by the “State network information department”, a reference to the Cyber Administration of China (CAC).
  • National security review. Article 30 of the draft law contemplates a vague national security review requirement, requiring the operator of “key information infrastructure” procuring network products or services to undergo a security review process led by the CAC if the procurement “might have an effect on national security”. This brief provision does not provide further details but states that the implementing measures for this process will be issued by the State Council. This requirement echoes the announcement made by the State Internet Information Office on May 22, 2014, which stated for the first time that all important technology products and services affecting national security or the public interest will be subject to a “cyber security” review. This provision of the draft law would establish the formal statutory basis for implementing such a national security review process for the procurement of IT equipment and services for important IT infrastructure.

It is difficult to predict how long it will take for the NPC’s legislation process to be completed after the period for comments closes on August 5, 2015. The draft law is still subject to two readings before the full NPC or its Standing Committee, and we anticipate that a significant amount of debate within government circles has yet to take place on various aspects of the draft law before the law is formally promulgated. Some commentators are predicting that the draft law will be promulgated before the end of 2015.

In the meantime, various other regulatory efforts continue as part of the Chinese government’s campaign to enhance network security, many of which are likely to have an adverse impact on market access by foreign IT companies.


As we reported previously, the NPC’s circulation for public comment Amendment 9 to the Criminal Law of the People’s Republic of China (Draft) (中华人民共和国刑法修正案(九)(草案)), which contemplated a significant broadening of the scope of criminal liability under Article 253 of the Criminal Law for misuse of personal information.

The NPC has circulated a second draft of Amendment 9 (刑法修正案(九)(草案二次审议稿), which while reworking the drafting of the data privacy provisions of the first draft, preserves the scope of criminal liability contemplated in the first draft while increasing related penalties. Now any breach of Article 253 is subject to a prison term of up to three years, with a longer prison term of between three and seven years if the circumstances are especially serious. Under the previous draft, the maximum penalty was three years (two for the new offense of unlawfully “selling or providing personal information to another party” introduced in the first draft).

It is likewise difficult to predict how long it will take for the NPC to complete its legislation process in respect of the Criminal Law amendment completed after the period for comments closes on August 5, 2015. The draft is still subject to one reading before the full NPC or its Standing Committee.

Source: Morrison & Foerster LLPPaul D. McKenzie and Wei Zhang

Electronic Signatures in Global Human Resources

ElectronicSignaturePart 1 – A cautionary tale for obtaining electronic signed consent from applicants

Human Resources has historically faced the challenges posed by having to manage a multitude of hard-copy HR documents containing employee signatures and internal sign-offs – consider job applications, offer letters, I9 verifications, background check notice and consent forms, employment agreements as well as restrictive covenants and non-disclosure agreements to name a few. Even just fifteen years ago the vast majority of the background screening industry relied on faxed based consumer authorization forms from clients prior to initiating a background check on U.S. candidates.

Today, with advances in technology, domestic and global organizations look to automate as much of the manual paperwork generated and maintained by HR, which can be challenging to say the least especially when multi and transnational companies are involved. More and more organizations small medium and large have or are in the process of transitioning to more electronic recordkeeping as well as computer generated HR documents that are maintained on intranet servers or in the cloud – much of that bearing manual employee signatures – is in decline. Manual documentation is becoming redundant as HR embraces various types of HRIS, ATS and On-Demand Background Screening systems as well as hundreds of other paperless HR solutions. Not to mention of course, the drive to “going green” or a “paperless office” is considered much more environmentally friendly.

All of this of course means, many new-hires today have less and less need for pen to paper during the recruitment, selection, and possible onboarding process and with even less “wet signatures” to manual documentation. It’s much simpler to have an applicant tic a box or scribble their name on a tablet within an online application with electronic forms and to endorse agreements via email.

A Cautionary TaleAdvances in high-technology occur at lightning fast speed but laws and regulations governing technology develop at what seems like a snail’s pace. This is highlighted by the on-going legal issues related to social media sites like Facebook, Google, and the online taxi service Uber and Lyft. These advances have quickly outdated many slowly developing legal doctrines around the globe. As globalization, conservation and technology minimize HR documentation to include wet signatures from the human resource process point of view, well-established philosophy of law around the globe remain firmly embedded in “old-school” document execution and authentication procedures – wet-signatures, originals, notarizations, counter signatory witnesses and in some cases stamps and seals.

The challenge is that in many countries around the globe, legal doctrines preceding the Internet remain firmly embedded when deciding questions pertaining to admissibility and enforceability of electronic signatures, acknowledgements, assents, and verifications. Most legal issues around document enforceability in the “paperless office” involve signed paperwork—duly distributed electronic business records that do not bear any signatures can always simply be printed out.

Consider the following fictitious scenario, in any number of countries, a Human Resource professional sacks two employees for violating the company’s code of conduct. Both employees deny ever having read or even seen the code, and their disputes end up in a labor tribunal or court proceeding. Employee #1, had allegedly signed a hard-copy of the code of conduct acknowledgement in wet ink agreeing to abide by the code, which the employer duly filed away in the employees personnel file. Employee #2, who was hired later on, allegedly must have at some point clicked “I agree” to an electronic code of conduct acknowledgement – the company’s IT department vehemently insists that all employees who were on boarded well before employee #2’s hire date have had to click past a code of conduct acknowledgement page to sign onto the company intranet system. A legal opinion from in country general counsel isn’t needed to understand why this employer is going to have a far weaker case with employee #2 to his code of conduct acknowledgement as compared to employee #1.

Stay tuned to Part II to Electronic Signatures in Global Human Resources, as we discuss some of the major pieces of national and international legislation on this topic around the globe, the differences between Formal “Advanced” Employee Electronic Signatures versus Electronic Assents, Acknowledgements and HR records and finally possible solutions for minimizing the risks associated with electronic consent technology.

Copyright © 2015 Aletheia Consulting Group

Aletheia Consulting Group provides expert cost-effective global advisory solutions for multinational organization human resource, compliance, privacy, and security risk management resource needs. Our primary focus is on companies that have overseas operations that seek to navigate the sometimes challenging sea of international risk management involving the people, processes, technology and organization. If you’d like to learn more about our Services for Multinational Employers please feel free to contact us at

Privacy Policies not up to pare with Australia’s Privacy Requirements

Privacy_handAustralia’s Information Commission released the results of its assessment of the online privacy policies of 20 Australian and multi-national organizations many of which covered companies within a multitude of industries such as finance, government, retail and many other sectors. The goal was to assess privacy policies of companies either phyiscally located and or that collect, process, and export data from Australia against the new requirements of the Australian Privacy Principle 1 (APP 1) which requires organizations and agencies to have a privacy policy that is clearly expressed and up-to-date.

The Australian Privacy Commissioner, Timothy Pilgrim, said that all of the organizations and agencies assessed had privacy policies that were easy to locate but for some there was still room for improvement —55% of the policies did not meet one or more of the basic content requirements under APP 1.

‘Under Australian privacy laws, privacy policies need to include certain information so that people can be informed about how their personal information will be handled if they choose to deal with a particular organisation,’ Mr Pilgrim said.

‘The key to a good privacy policy is to make the information easy to read and accessible and we certainly saw some great examples of creative ways in which this type of information can be presented. However some policies are still too long making it difficult to locate relevant information’.

While all policies adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected; how a privacy complaint could be made, how personal information would be protected, and whether the personal information was likely to be sent overseas.

This is keenly important for those HR departments that routinely recruit from places like Australia. Candidates need to be presented with clear easy to understand privacy policies if it’s anticipated that their information may be collected and processed during the recruitment and selection process.

Categories: Uncategorized Tags:

Ireland: Irish Data Protection Commissioner Investigates Alternative Methods Of Employee Vetting

Ireland_Data_protection_Commissioner_logo_webThe Irish Data Protection Commissioner (“DPC”) recently announced a plan to assess employers’ compliance with the newly-commenced rules on “enforced subject access requests“. The DPC has written to 40 organisations, including banks, energy suppliers, recruitment companies and large retail stores. Since 2014, it is an offence for employers and prospective employers to require an individual to make an access request or to supply information received in response to the request.  According to the DPC, this initiative is to prevent organisations from “vetting by the back-door”.

What is an enforced subject access request?

One of the core rights under Irish data protection law is the right of an individual to request a copy of any information relating to him/her held by an individual or organisation controlling the data. This is often termed a subject access request.

An “enforced” subject access request occurs where an employer or prospective employer forces an individual to exercise his/her right of access and provide any information obtained as a result of the request. These requests are usually made to the Irish police as part of a background screening process.

A criminal offence

In July 2014, access requests of this nature became an offence under the Irish Data Protection Acts. Specifically, section 4(13) prevents anyone from “requiring” an individual, in connection with their role as an employee, potential employee or contractor, to make a subject access request or to provide any data received in response to such a request.

gardaGarda Vetting vs. Access Requests

A subject access request differs from the mandatory vetting of individuals for certain roles, such as teaching, childcare and for those working in the private security industry. The Irish police (Garda) receive numerous vetting applications on an annual basis as part of this formal vetting process.

The DPC’s concerns stem from the particularly high number of subject access requests received by the Garda Vetting Unit in 2014. While vetting applications are regularly processed by the same unit, those checks have always been subject to certain restrictions on what is disclosed. In contrast, individuals’ access requests could result in everything about that person held on Garda records being disclosed. As a result, the DPC considers that there may be an abuse of the access right by organisations which would not otherwise qualify to conduct a vetting check.

What happens next?

Companies contacted as part of this initiative have been given three weeks to provide a response to the DPC. Follow-up inspections will be carried out by the DPC to ensure compliance.

Improvement in compliance with section 4(13) will be important for those companies targeted. Any organisation that is found guilty of an offence under this section may be faced with a maximum penalty of €100,000.

What does this mean?

Employers based in Ireland need to review their hiring and staff vetting process to ensure that they are not engaging in enforced subject access requests. This is likely to be an area of significant regulatory scrutiny in the near future.

Article by Philip Nolan and Oisin Tobin

Categories: Uncategorized

New proposed EU General Data Protection (Privacy) Regulation – How will it impact Global HR?

EUflag2On June 15, 2015, the Article 29 Working Party published proposed new EU General Data Protection Regulations addressed to representatives of the Council of the European Union and the European Commission detailing the Working Party’s position on a range of core issues in the Regulation in efforts to ensure the Working Party’s views are taken into account to negotiate and agree on a final test of the revised Regulation later this week with the intent to finalize the Regulation by the end of 2015.

The proposed new Regulation may have broad ramifications for employers that operate both within the EU as well as around the globe including those that operate within the U.S but recruit and employ both Expats as well as local nationals within the European Union.

Key points for employers to consider include:

One Jurisdiction, One Law: In addition to the existing broad territorial scope of the Regulation, the Working Party is of the view that the Regulation should also apply to non-EU processors, where they act on behalf of controllers (such as background screening providers) that are subject to the Regulation (in line with the Parliament’s views on this issue). The Regulation would establish a single, pan-European data protection law replacing the current inconsistent patchwork of national laws. In the future, your company will only have to deal with one law, not 28. Similarly, individuals will only have to deal with their national data protection authority—in their own language—even if their personal data is processed outside their home country.

Enhanced Individual Rights:  Employers will have to inform individuals in a clear and understandable way about the collection, processing and transfer of their personal data. When there are no longer legitimate grounds for retaining data, an individual will be able to ask for the data to be deleted (right to be forgotten).

Right to Know if Hacked: Employers will have to notify the national data protection authority as soon as possible (not later than 72 hours) about data breaches and will also have to notify affected employees without undue delay.

penpaperData Protection Impact Assessment: An assessment will be required when processing is likely to result in a high risk for individuals, such as discrimination, identity theft or fraud, financial loss, damage to reputation, unauthorized reversal of pseudonym techniques or significant economic or social disadvantage. This directly speaks to the employer employee relationship.

Mandatory Data Protection Officers: The Working Party is in favor of imposing a mandatory obligation to appoint a Data Protection Officer upon data controllers, if they meet certain thresholds in terms of the type, volume or nature of the data being processed (although the Working Party has not specified what those thresholds should be). Since employers generally deal with sensitive data it is expected they will fall within this category.

Information Notices: The Working Party supports the use of layered privacy notices, and the proposal that data subjects (candidates/employees) should also be provided with information relating to further processing, data retention periods, international transfers and security measures.

Data Portability: The Working Party supports the proposed broad scope of the right to data portability, and suggests that this right should be separate to the right of access.

Right to Object: The Working Party is of the view that the right of data subjects to object to processing should apply widely, and should not be limited to processing performed on the basis of: (1) the legitimate interests of a data controller; (2) the public interest; or (3) the exercise of an official authority.

Codes of Conduct: The proposed regulation will encourage codes of conduct to be drawn up for specific sectors and for specific needs.

European Rules on European Soil: If your organization is based outside the EU, it will have to apply the same rules and guarantee the same level of protection for personal data when offering services in the European market.

Profiling: The Working Party highlights that the proposals in the Regulation relating to data subject profiling are unclear and do not ensure sufficient safeguards to protect data subjects. The Working Party recommends that the creation of profiles should be limited to particular purposes (although the Working Party does not specify those purposes), and that specific obligations should be imposed on data controllers to inform data subjects of: (1) the relevant profiling measures that will apply to their data; and (2) the right to object.

Risk-Based Approach: While the Working Party does not directly oppose the risk-based approach in general, it considers that risk should not be a determining factor in relation to a controller’s accountability obligations.

Access by Public Authorities: In the event that a court, tribunal or public authority in a non-EU jurisdiction demands access to personal data that are subject to the Regulation, the Working Party recommends that such matters be dealt with under a Mutual Legal Assistance Treaty, where one exists. Where no such treaty is in place, the relevant controller should report the matter to the competent Supervisory Authority. The Working Party’s previous guidance on this point in the context of Binding Corporate Rules (“BCRs”) for processors provides some helpful context.

Binding Corporate Rules: The Working Party considers it essential that BCRs for processors continue to be recognized as a valid mechanism for cross-border data transfers.

Fines: The Working Party welcomes the introduction of significant fines for breaches of the Regulation, and also considers that the imposition of fines where a data controller or processor violates the Regulation as well as fails to cooperate with Supervisory Authorities. In order to effectively enforce the rules, national data protection authorities will be empowered to fine companies that violate EU data protection rules. The fine may be up to €1 million or 2% of the global annual turnover of the offending company.

Aletheia Consulting Group provides expert cost-effective global advisory solutions for multinational organization human resource, compliance, privacy, and security risk management resource needs. Our primary focus is on companies that have overseas operations that seek to navigate the sometimes challenging sea of international risk management involving the people, processes, technology and organization. If you’d like to learn more about our Services for Multinational Employers please feel free to contact us at

Categories: Uncategorized

Dutch Criminal Records – Employers at risk of violating Dutch Data Protection Act (“DDPA”)

penpaperEmployers have a need to background check applicants for their criminal records for certain positions. The access and processing of criminal records in The Netherlands is, however, prohibited under the DDPA, unless one of the legal exceptions can be met. In practice, the use of the Certificate of Good Conduct (“VOG”) is most often made. This is a statement showing that an individual’s behavior should not prevent him/her from undertaking a particular type of employment. It is not a guarantee that an individual does not have a criminal record. A VOG is the only type of criminal records disclosure available to an employer.

VOGs are only issued by the Central Organization for Certificates of Good Conduct (“COVOG”) on behalf of the Minister of Justice. An application for a VOG must be completed by both the subject and the prospective employer.

Because an application for a certificate can take some time, employers usually ask an applicant to fill out a statement, in which they indicate if they have or have not committed any criminal offences. If an applicant report criminal facts through the statement, processing of criminal information takes place. If in the case of an employment agency, this statement is also shared with clients of the employment agency. Employers and employment agencies are of the opinion that this is allowed because they have received consent for the processing thereof from the applicant or temps. However, according to the DPA, this consent cannot be relied upon: a successful appeal to base the processing of personal data on the justification ground of ‘consent’ can only exist if the consent is freely given. In this case consent is not given freely because of the imbalance in the relationship between the applicant and the employment agency.

The practical application and implementation of the obligations of the DDPA that relate to background screening which companies and business must comply with remain an obstacle for many organizations. Other areas to review and evaluate are the processing, use, and access to copies of Identification Cards, Absentee Data, Consumer Credit as well as Data Retention. Know the rules of the road as it relates to what types of information and how it must be applied within the background screening process. The Dutch DPA can order enforcement actions, for example imposing an order subject to civil and criminal penalties.

Categories: Uncategorized
%d bloggers like this: