Tag Archive | "internet regulation"

privacy professionals

One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 3 of 3)

Part 3: Proposed Solutions

This is the third and final post in a three-part blog post examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. The second post assessed the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level in attempting to comply with the three privacy regimes described in the first post.  This post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.



“The establishment of good privacy and data security practices, backed by a commitment of resources, and assignment of responsibility for implementing such practices, may be some of the best insurance the company can buy.”Steven Bennet.[1]

Target breach

The recent breach at Target shows how vulnerable large companies are to hackers (USA Today)

The recent high-profile privacy breaches at Target and at Neiman Marcus demonstrate the consequences of failing to take privacy issues seriously. Companies with greater presence on the world stage expose themselves as even greater targets for privacy attacks. Similarly, companies operating in multiple jurisdictions have to comply with varied privacy regimes. The Google and McDonalds examples from the second post in this series indicate how difficult it can be to adhere to multiple privacy demands. As these examples illustrate, privacy is a difficult, but essential, component to any company’s operations. This final post seeks to provide some proposals companies operating on a global level should consider when implementing or reviewing their privacy policies.



The most important thing for any multinational corporation to do is to have an understanding of privacy in every jurisdiction in which it operates. The thorough understanding of privacy laws I propose is multifaceted. It is, or should be, obvious that companies must adhere to privacy regulations that currently exist; to have a good compliance program, “one must first know the rules.” Whether it is the Sarbanes-Oxley (“SOX”) requirements McDonald’s was attempting to comply with or Google executives being found guilty for not adequately protecting an individual’s privacy rights, companies must have an understanding of the privacy laws that are presently in place in the jurisdictions in which they operate. Google’s timely action of removing the video helped to ensure its executives were ultimately relieved of liability. Similarly, McDonald’s France’s request for approval of its professional integrity plan came prior to implementation, which was prudent given the fact that the plan was found to be in violation of France’s privacy policies. The two cases illustrate the necessity of complying with laws and regulations that are currently in place.

In tandem with compliance of existing laws, companies also have to stay current on any new regulations or laws that come into force. This is likely axiomatic to most companies, but it is well worth consideration. A globalized economy requires that companies keep up to date with any new regulations in every country in which they operate. For instance, the SOX requirements of providing whistleblower hotlines and ensuring anonymity of whistleblowers definitively apply to American companies operating exclusively in the U.S. It is unclear, however, if those same requirements apply to every country in which U.S. companies operate.[2] Because the SOX requirements might apply in every country in which they operate, companies have to be alert to any new amendments to the SOX requirements in the U.S. as well as any new developments in foreign jurisdictions, such as France, in which SOX compliance might violate privacy laws. What this means for multinational companies is that being up to date on the latest privacy regulations requires keeping abreast of privacy developments both domestically and abroad.

The greatest difficulties in keeping up-to-date with both domestic and foreign developments in privacy laws are undoubtedly the expertise required and the costs associated with maintaining that expertise. One way to offset these costs involves the third facet of a thorough understanding of privacy concerns; understanding the cultures in which privacy laws develop.

Brandeis and Privacy

From the first post, Louis Brandeis was one of the first jurists to write about the concept of privacy in the law

Laws reflect society’s values.[3] Privacy laws have developed out of cultural norms that contrast according to a wide variety of actors, including philosophy, religion, history, and culture. Thus, it comes as no surprise that no two privacy regimes are identical. In the U.S., the sectoral model of privacy laws traces its development to a strong mistrust of a strong central government. In the E.U., on the other hand, privacy is equated to personal dignity, and personal dignity is manifest when all Europeans are treated equally before the law. The concept of personal equality lends itself toward omnibus regulations that exist in the E.U. and China. However, the omnibus regulations in China stem from its socialist development. Because of the different contexts from which modern privacy regimes arose, it is important to understand privacy regimes in their greater cultural context. Understanding the bigger picture in how particular privacy regimes evolved will allow for a degree of predictability in how the regimes will develop.

The fact that it is best to incorporate a privacy policy in a prospective rather than a reactive manner is largely agreed upon to be the best course for companies to take. Yet, pursuing such a course is fraught with difficulty because of the changing nature of today’s changing marketplace. However, a thorough understanding of how a privacy regime has developed in the past will provide insight into how it will evolve in the future.

The Google case provides a perfect example of how understanding where privacy law developed from will help predict how it will evolve. Google may or may not have been aware that an Italian court would find that its activities in China exposed its executives to liability, but Google certainly knew that such a decision was not in keeping with E.U. privacy laws. Knowledge that the E.U. privacy directive precluded content providers from liability unless the content provider controlled the information, Google was able to successfully argue that, despite its activities in China arguably to the contrary, it did not host the content. As a result of Google’s thorough understanding of where the E.U.’s privacy laws stem from, it was therefore able to convincingly show that it was not liable.

A thorough understanding of privacy regimes takes three forms: knowledge of what the laws currently are, an up-to-date knowledge of laws as they develop, and comprehensive knowledge of how the laws advanced in the past to help predict how they will progress in the future. This understanding should form the bedrock of a company’s approach to privacy; without it, a company is missing vital pieces of the picture that could have severe implications.

Nuanced Policies

After a thorough understanding of the privacy regimes in which a company operates, the next logical step is to develop nuanced privacy policies. As both the Google and McDonald’s experiences highlight, a company cannot simply develop a one-size-fits-all mentality when it comes to privacy. Google’s censorship activities in China created complications for its operations in Italy. SOX compliance in the U.S. was potentially implicated by McDonald’s activities in France. These are but two examples of how privacy policies must be narrowly tailored to comply with each jurisdiction’s privacy laws. The privacy regimes in world’s largest economies are simply too divergent to allow for a single prophylactic privacy compliance program.[4]

The simple solution to divergent privacy schemes is to create privacy policies specific to each jurisdiction, or a common approach to jurisdictions with similar privacy policies like the E.U., in which the company operates. This allows for adopting privacy policies that adhere to each jurisdiction’s unique privacy regulatory system, including the powers of each jurisdiction’s regulatory bodies.[5] Adopting a whistleblower hotline in France that meets that nation’s whistleblower directive permitted McDonald’s France to comply with French law while still following the SOX requirements in the U.S. Similarly, Google was able to filter the content accessible in China while still providing unfiltered material elsewhere.

Companies operating in multiple jurisdictions have to think domestically before they think globally. Each jurisdiction requires adherence to their privacy laws, and such adherence requires nuanced privacy policies that apply a thorough understanding of each jurisdiction’s privacy scheme. Companies likely view complying with every jurisdiction’s particular laws as natural as breathing, but compliance with each jurisdiction’s regulations is impossible if obedience to the laws of one nation creates violations in a second country. Both the McDonald’s and Google examples illustrate this point; it can be seemingly impossible to obey laws if doing so violates another. The solution requires a global awareness in terms of thinking about privacy policies.

Global Awareness

Crafting nuanced privacy policies in each jurisdiction creates the potential for conflict with the regulations of a second state. To overcome this conflict, companies need to have an awareness of how privacy policies developed for compliance with U.S. or E.U. laws will be interpreted in China or vice versa. Developing nuanced privacy policies while considering their global ramifications is a tight line to walk to be sure, but it is essential in today’s globalized market.

viviane reding

European Justice Commissioner Viviane Reding – The E.U.’s stricter data protection laws require companies to pay greater attention to compliance

Each jurisdiction in which a multinational company operates will have different requirements for privacy. When Google altered its search algorithm in order to comply with China’s “Great Firewall,” it moved itself from being in a position of a passive purveyor of information to a content provider. This approach allowed Google access to China’s massive population of internet users, but it also exposed Google to liability in Italy. It is debatable whether Google could have prevented this occurrence; Google likely could not have perceived that an Italian court would deviate from the commonly understood interpretation of the E.U. Privacy Directive based on Google’s activities in China. The debate over the efficacy of potential preventative measures should not take away from the need for a global awareness of privacy regimes, however; only through an awareness that its actions in China could have ramifications in other jurisdictions would allow Google to more ably predict the best policies to implement. Such an awareness of the risks involved in filtering the content available in China allowed Google to weigh the potential compliance issues against the potential benefits of access to the Chinese market.

McDonald’s France’s experience in attempting to comply with SOX regulations reinforces the need to have a global awareness of privacy regimes. Attempting to comply with U.S. whistleblower hotlines and protections by requiring every McDonald’s subsidiary to implement a one-size-fits-all global whistleblower hotline scheme would have resulted in privacy violations in France if it had been executed. Although McDonald’s would have been relieved of any SOX liability in the U.S., the potential damages in France could have been severe. Breaking consumer trust from privacy breaches or violations from mishandling personal information can cost millions and the loss of goodwill associated with such mishandling is “immeasurable.” This is especially true in places where data collection is carefully scrutinized and where regulators are willing to impose hefty fines for improper data collection practices.

Understanding the current privacy context in every jurisdiction is obviously necessary for every multinational company, but the benefits of such understanding are diminished unless companies think globally. As the Google and McDonald’s examples illustrate, actions in one country will have ramifications in others. As a result, multinational companies should implement nuanced privacy policies for each jurisdiction while simultaneously ensuring that the policies will not fun afoul of competing privacy regulations. Balancing nuanced privacy strategies with global awareness of privacy regulations requires creativity and meticulousness. Such a juggling act nearly mandates that multinational companies retain one or more privacy experts.

Increased Reliance on Privacy Experts

Privacy has increasingly become a “C-Suite issue” for many companies, highlighting privacy’s role in the broader context of a company’s business strategy. The proposals outlined above—a thorough understand of privacy regimes, nuanced privacy policies, and a global awareness of privacy policy implications—are meaningless if there is not some person or group of individuals responsible for overseeing a company’s privacy program. This is where the importance of privacy experts comes in.

For privacy and data protection professionals to obtain a certificate in privacy matters, the International Association of Privacy Professionals (“IAPP”) requires an understanding of the following topics: (1) the U.S. legal system: definitions, sources of law and sectoral model for privacy enforcement; (2) U.S. federal laws for protection of personal data: FCRA and FACTA, HIPAA, GLBA, COPPA and DPPA; and (3) U.S. federal regulation of marketing practices: TSR, DNC, CAN-SPAM, TCPA and JFPA. And that list is only to become certified as an Information Privacy Professional for the U.S.; it does not entail certification as an expert on other privacy regimes. The IAPP certification process simply shows how much information there is to cover in each jurisdiction. If a company wishes to operate on the global stage and to implement a privacy policy that is thorough, nuanced, and globalized, companies cannot afford to not hire privacy experts.

privacy professionals

Privacy professionals meet for a summit in 2012 (U.S. Dept. of Commerce)

Privacy experts are critical to any global company. The Google and McDonald’s cases focus specifically on how essentially important it is for companies to know not only what the laws are, but how those laws affect companies’ operations. A privacy expert blends knowledge of the legal aspects of privacy with the demands of the particular business. Further, privacy experts, working in conjunction with security experts, can help make or break a company’s reputation; the loss of goodwill resulting from security breaches or non-compliance with privacy regulations has the potential of creating “major backlash from customers.”

Privacy experts also allow for a focal point of privacy responsibility. Complying with the numerous existing and evolving laws, not to mention any future compliance issues resulting from increases in technology or changes in the economy, is difficult. Ensuring compliance in a piecemeal fashion, with each department myopically focusing on their own compliance issues, is nearly impossible. A privacy expert allows for a single, comprehensive source for all of the privacy issues a company confronts. Further, a single repository for privacy issues allows that expert to assist the company in making the most economically desirable decisions. The decision to ask the French privacy agency’s permission before enacting whistleblower hotlines likely saved McDonald’s France from a disaster, and a privacy expert can help facilitate that discussion.


The proposals outlined in this blog post represent some common sense steps multinational companies can take to maximize privacy compliance. The first step is to thoroughly understand what the laws are, to keep up to date with any new laws that might impact a company’s business, and to know the context from which privacy laws and regulations result. A thorough understanding of the laws then allows for the next step, which should be to create nuanced privacy policies tailored to each jurisdiction in which a company operates. The nuanced privacy policies company’s implement cannot be viewed in isolation, but must instead be viewed holistically with a mind toward how they impact the privacy regimes in other jurisdictions. Such a global awareness will save the company time and, most importantly, will shield the company from liability. It is incumbent on privacy experts to guide companies through this process and to be the focal point of a company’s privacy strategy.

Rather than shying away from privacy in the hopes that their privacy compliance procedures are adequate, companies should take a proactive role in embracing privacy. It is undoubtedly better to think in advance of how a company will ensure compliance with privacy regulations than to suffer the consequences of learning that its privacy policy is inadequate after the fact. And privacy cannot be ignored; the high profile cases of McDonald’s and Google, not to mention other instances of privacy breaches, indicate how serious an issue privacy currently is as well as how critical it will be in the future. As one vice president of information protection and privacy stated, “[g]ood privacy is good business.” Bad privacy is, by implication, bad business.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.


[1] Partner of Jones Day’s New York office and  professor of Privacy Law at Hunter College. 53 No. 1 Prac. Law. 17, 19.

[2] There has been an administrative law decision that found SOX to have no extraterritorial reach. See Villanueva v. Core Labs. NV, ARB No. 09-108, ARB’s Final Decision and Order (Dept. of Labor, Dec.22, 2011), available at http://www.oalj.dol.gov/PUBLIC/ARB/DECISIONS/ARB_Decisions/SOX/09_108.SOXP.HTM. For an analysis of the implications of this decision, see Anthony J Oncidi & Jeremy M Mittman, New US Decision Limiting Extraterritorial Scope of ‘Whistleblowing’ Provides Welcome Clarification to US Multinationals, 22 No. 1 Emp. & Indus. Rel. L. 15 (2012).

[3] Francisco M. Ugarte, Reconstruction Redux: Rehnquist, Morrison, and the Civil Rights Cases, 41 Harv. C.R.-C.L. L. Rev. 481, 507 (2006).

[4] See Dennis D. Hirsch, In Search of the Holy Grail: Achieving Global Privacy Rules Through Sector-Based Codes of Conduct, 74 Ohio St. L.J. 1029, 1035 (2013)  (“The important differences among national systems occur, not with respect to these broad principles, but in how countries interpret and apply them. Examples abound. Some nations define “personally identifiable information” (PII) more broadly than others. Some exclude certain types of personal information, even if it falls within the definition of PII. Countries disagree on what constitutes adequate notice.”) (citations omitted).

[5] See Joel R. Reidenberg, Resolving Conflicting International Data Privacy Rules in Cyberspace, 52 Stan. L. Rev. 1315, 1334 (2000) (“Oversight of information privacy is also handled in many different ways. Data protection supervisory agencies are a common feature in democracies, but agency powers are often specific to each country. Some countries, for example, established regulatory enforcement agencies and licensing boards, while others adopted an ombudsman position.”) (citations omitted).

Posted in DJILP Online, DJILP Staff, Featured Articles, Greg HenningComments (1)


One Size Won’t Fit All: Multinational Corporations’ Compliance with Privacy Regulations (Part 2 of 3)

Part 2: Privacy Approaches Applied

This is the second post in a three-part blog post examining privacy issues confronting multinational corporations in a global economy. The first post explored privacy generally by analyzing privacy as the concept is understood and applied in the European Union, in China, and in the United States. This post will assess the experiences of Google and McDonald’s in adhering to privacy regulations while operating on a global level in attempting to comply with the three privacy regimes described in the first post.  The third post will provide recommendations on privacy strategies companies can implement to mitigate some of the issues identified in the second post. These posts do not attempt to provide an exhaustive list of privacy issues multinational corporations encounter, but they are intended to show the importance of privacy concerns and to highlight the need to confront compliance issues in a proactive manner.



“[I]n times of globalized business operations, a company’s business strategy in one market might affect the standard against which the company is measured in other markets and jurisdictions.”[1]

 As the first post in this series discussed, privacy regimes vary according to geography, societal values, and historical contexts. Companies operating in multiple jurisdictions have to function in these varied privacy regimes, and it is not always a simple task. As the following case illustrations demonstrate, compliance with one privacy scheme raises the possibility of violating the privacy regulations in another jurisdiction. The first case illustration depicts Google’s troubles in Italy following its activities in China. The second case illustration explores McDonald’s struggles in complying with mandatory whistleblowing requirements in the U.S. that were in violation of E.U. privacy laws.

Unexpected Consequences: Google in Italy and China

The Setting

google office

Google execs were convicted for sharing of information related to a video (Bloomberg)

On February 24, 2010, three Google executives were found guilty of violating the privacy of a child. The controversy started in 2006 when a video was uploaded to a site owned Google featuring a group of teenagers insulting and assaulting an autistic boy, specifically calling the boy a “mongoloid.”[2] After it was uploaded, the video became popular enough that it was ranked as “the funniest video on Google Italia. It was rated 29th of the most downloaded videos on Google Italia.”[3] Although Google removed the video within hours after being notified that it infringed on the victim’s privacy, the damage was already done.

During the trial, the Google executives were charged with, among others, violating the victim’s privacy rights, though the Google employees were only found guilty of the privacy charge. At the heart of the ruling was Google’s AdWords program, which placed advertising on the side of the screen when users watched videos on the Google-operated site. The court found that the video contained personal information based on the use of the word “Mongoloid.” According to Directive 95/46/EC of the European Parliament and of the Council, discussed in Part I, personal information is prohibited from being shared without the subject’s unambiguous consent. Because Google permitted the content of the video to be shared and derived a profit from sharing such information in the form of revenue generated from the AdWords program, the court determined that Google had violated the victim’s right to privacy.

The Google executives unsuccessfully argued that they fell under an exemption for personal liability found in the Directive 95/46/EC of the European Parliament and of the Council. Paragraph 47 of Directive 95/46/EC excuses liability for those who merely serve as a vehicle to transmit personal data, as opposed to those providers who actually control the transmission of personal data.[4] The court dismissed this argument, finding that Google has increasingly taken on a more active approach in the services it provides.[5] The Court relied primarily on the fact that Google’s revenue from its AdWords program is proportionate to the popularity of a given video. Because the video was popular and because Google had the potential of deriving greater profits based on that popularity, the court reasoned that Google obtained profit, through it AdWords program, at the expense of a violations of the victim’s privacy rights.[6] Google’s active approach to providing services, rather than simply its role as a passive vehicle for the transmission of data, is evidenced by its activities in China, on which the prosecution rested its case.[7]

Google as a Content Provider

When Google launched its services in China in 2005, the company modified its search algorithm to exclude controversial topics, such as information relating to Tiananmen Square or the Falun Gong movement. The main draw of the Chinese internet market is its colossal size; the population of internet users in China was estimated at 384 million in 2010, which was more than the entire population of the United States at the time. In order to tap into such a massive market, Google had to comply with China’s internet censorship protocol, known colloquially as “the Great Firewall.” The Great Firewall is but a part of the Chinese government’s attempts to censor information domestically and abroad, and tens of thousands of Chinese workers are employed to ensure that sensitive information is restricted from general access. In order to adhere to such China’s censorship regime, search engines in China, like Google, are prevented from linking to sensitive information. In 2010, Google moved its services for operations in China to Hong Kong, which allowed Google to stop its self-censorship, though the content accessed through Google’s services was still filtered in mainland China. The move to Hong Kong was seen as a partial retreat from Google’s stance of filtering the content it provided. Thereafter, Google actively sought to promote freedom of information on the internet by informing the Chinese population that they would likely experience short breaks in their connection when searching for prohibited content, although this practice was quietly abandoned in January 2013.

Although there was general disagreement with Google’s censorship policy in China, resulting in claims that Google’s modifications in China contradicted Google’s core value of “don’t be evil,”[8] the decision to restrict user access to the content Google provided also had another, more insidious component; it pushed Google’s activities from a “mere conduit of information” toward becoming a “full-fledged media company.”[9] Google has a long-standing tradition of insisting that it “is not a media company, that its [sic] organizes and manages content, but stays away from producing it.” This mantra is being tested, however, as Google expands into offering more services and products. “[I]t may be time to retire the trope,” says a Forbes article, indicating that any argument over Google’s media company status is now moot. Google’s image as a passive conduit for unfiltered media has been questioned when it attempted to buy a social-networking site, its launch of a magazine, and its operating of a recipe-sharing site. However, it was Google’s censorship activities in China that raised serious questions to the Italian court about Google’s passive role in the provision of internet content.

The Court Decision and the Aftermath

David Thorne, the American ambassador to Italy during the time of the 2010 case against the Google executives, stated in response to the Italian court’s decision that he disagreed with the idea that “Internet service providers are responsible prior to posting for the content uploaded by users . . .” During the case, Google argued in its defense that their and other search engines’ activities would be significantly impacted if an internet company could be liable to for the content uploaded by third parties. The winning argument for the prosecutors took a contrary view; if Google was able to filter the content it provided in China, it could do the same in Italy to “protect human dignity.” Alfredo Robledo, prosecutor against Google, stated that the case was not about the freedom of the internet, but rather human dignity; “[t]he rights of a business enterprise cannot take precedence over the dignity of the individual.”

The Italian court’s decision finding the Google executives guilty was overturned in December 2012. The initial guilty verdict had raised concerns about internet freedom in Italy. Under E.U. law, internet service companies that merely serve as a conduit for information are exempt from liability for the content uploaded by third parties.[10] Under the lower court’s decision, this exemption from liability would be significantly narrowed to those few internet service companies who do absolutely nothing more than provide access to information. The appeals court rejected the narrow reading of the hosting exemption and instead adopted a position imposing liability only for companies that “host user-generated content” and fail to act once illegal content had been uploaded to the provider’s site. In the Google case, this meant that the executives would only be liable if they failed to remove the video despite having received notice that it violated the victim’s privacy rights. Because Google removed the offensive video within hours of receiving notice of a violation of the victim’s privacy, the appeals court reasoned that Google was not liable. The reasoning of the appeals court was upheld by Italy’s highest court in December 2013.

Clash of Regulatory Schemes: McDonald’s in France

The Setting

mcdonalds france

Le McDonald’s (Alamy)

In January 2005, McDonald’s France, the French division of McDonald’s global operations, sought an opinion from France’s privacy regulatory body, the Commission Nationale De L’informatique et des Libertés (“CNIL”), in regard to creation of a system of “professional integrity.”[11] The professional integrity plan would have permitted McDonald’s France employees to report any misconduct anonymously. Any reported misconduct, including questionable accounting practices and internal control over accounting or auditing methods, would have been processed in the U.S. and reported to the general counsel of McDonald’s France. McDonald’s France requested the opinion for its professional integrity plan at the behest of its U.S. parent corporation in an attempt to comply with provisions of the Sarbanes-Oxley Act (“SOX”). Although McDonald’s France requested the opinion before it had actually implemented its proposed professional integrity plan, the CNIL refused to authorize any such “whistleblower” hotline. The CNIL’s decision to reject McDonald’s France’s proposal made it impossible for its U.S. parent corporation to comply with its obligations under SOX.


To truly understand the obstacles McDonald’s France was facing, it is important to explore SOX in more depth. Following the Enron and WorldComm scandals, Congress enacted SOX in order to improve the accuracy and reliability of corporate disclosures. Among the many provisions Sox introduced, of particular importance to McDonald’s was the SOX requirement that companies must create and apply procedures for the confidential, anonymous reporting of questionable accounting or auditing controls.[12] Further, SOX mandates that employees reporting on such practices must be protected from retaliation for their disclosure activities.[13] That these requirements apply to U.S. companies is apparent, but it is far less certain whether these requirements apply extraterritorially as well.[14] Because of this uncertainty, many multinational corporations, such as McDonald’s, determined that it would be prudent to act as if SOX applied to all of their operations, including subsidiary operations in foreign jurisdictions.[15] Therefore, McDonald’s France’s professional integrity plan, calling for anonymous reporting of confidential information regarding misconduct, is best understood in the context of an American parent corporation, McDonald’s in the U.S., attempting to comply with the SOX requirements in every geographic region of its operations.

French Agency’s Determinations

The CNIL review of McDonald’s France’s proposed professional integrity plan found that the plan involved the collection of personal information and that McDonald’s France was a “controller” of personal data. According to Article 2(d) of the E.U. Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data and French law implementing the Directive, controllers of personal data are permitted to “collect and process personal data in order to satisfy legal obligations to which they are subject.”[16] Because McDonald’s France employees participated in the professional integrity plan, the CNIL determined that McDonald’s France was a controller of personal data and that the CNIL had authority to make findings on whether the professional integrity plan complied with the law.[17]

The CNIL ultimately concluded that McDonald’s France’s professional integrity plan involved violations of the law. Of primary concern to the CNIL was that individuals alleged to have participated in misconduct, as disclosed by whistleblowers, would be unable to “hear or reply to the accusations made against them.” The CNIL determined that the policy behind French data protection laws, and the E.U. laws by extension, are to ensure that citizens know who possesses their personal information, to be informed about who has access to that information, and that citizens can take remedial measures to correct any false information. Because anonymous and confidential reporting of personal information would not allow for the requisite transparency in regard to personal information, the CNIL determined that the professional integrity plan “could lead to an organized system of professional denunciation.”

The CNIL also determined that McDonald’s France’s system was disproportionate to the objectives it sought to accomplish. Noting that “other legal means exist to guaranty [sic] compliance with legal provisions and company rules,” the CNIL found that the risk of professional denunciation and the “stigmatization of employees” was greater than the need for the professional integrity plan’s reporting system.[18] Although the CNIL was aware of the obligations imposed by the SOX provisions when it denied McDonald’s France’s application for permission to implement the professional integrity plan, the decision did nothing to ameliorate McDonald’s conundrum of seeking to comply with SOX and French privacy laws.

Aftermath of Determination

After the McDonald’s France ruling, the CNIL attempted to provide some guidance in how to comply with SOX whistleblowing requirements and French privacy laws. In November 2005, the CNIL indicated that whistleblowing procedures may be implemented but only as long as they are voluntary and are a supplement to other means of communication within a corporation. Further, the November 2005 guideline document stated that “a whistleblowing system may only be considered as legitimate if it is necessary to comply with a legal obligation.” Because the November 2005 guidance document was limited and left important issues unresolved, the CNIL released a whistleblowing directive in December 2005. The directive explains that whistleblowing procedures are permissible so long as they strictly comply with the directive’s requirements. Among the many items addressed in the December directive, one important requirement is that whistleblowers are obligated to identify themselves, and that this identification remains confidential.[19] The directive also allows for two instances where a whistleblower may remain anonymous: when precautions are properly taken in processing the information and when the company does not promote anonymous whistleblowing.[20] Although the December 2005 directive obviates some of the confusion surrounding compliance with French laws while still adhering to the SOX requirements, McDonald’s France still must ensure that the SOX compliant whistleblower procedure it adopts is similarly compliant with French regulations concerning privacy.


Both Google’s and McDonald’s experiences illustrate the complications that arise when operating in a global marketplace. In Google’s experience, its actions in China had a direct impact on the liability it faced in Italy for privacy issues entirely unrelated to its operations in China. In McDonald’s experience, its attempts to comply with U.S. regulations resulted in a direct conflict with the privacy regulations in France. Although both of these examples have been ameliorated to a certain extent, Google’s executives were relieved from liability by Italy’s highest court and McDonald’s is able to better comply with French privacy regulations due in large part to clarifications of the law, these examples serve to illustrate the complexities inherent to operating in multiple jurisdictions with many varied, sometimes even competing, privacy regulations. This dilemma, encountered by every company multinational corporation, must be addressed, and the final installment in these blog posts will offer potential methods for addressing privacy issues in an effective manner.


Greg Henning is a 3L at the University of Denver Sturm College of Law and a General Editor for the View From Above.

[1] David Scheffer & Caroline Kaeb, The Five Levels of CSR Compliance: The Resiliency of Corporate Liability Under the Alien Tort Statute and the Case for a Counterattack Strategy in Compliance, 29 Berkeley J. Int’l L. 334, 394 (2011).

[2] See Raul Mendez, Google Case in Italy, Int’l Data Privacy L., Feb. 25, 2011, http://idpl.oxfordjournals.org/content/early/2011/02/25/idpl.ipr003.full#xref-fn-1-1.

[3] Id.

[4] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L 281) 31, 36.

[5] See Mendez, supra note 2.

[6] See id.

[7] See Sheffer & Kaeb, supra note 1.

[8] Google has limited its activities in China but still complies with Chinese authorities in restricting content. See Mic Wright, Google Shows China the White Flag of Surrender, The Telegraph (Jan. 7, 2013),  http://blogs.telegraph.co.uk/technology/micwright/100008624/google-shows-china-the-white-flag-of-surrender/

[9] Sheffer & Kaeb, supra note 1.

[10] See Council Directive 95/46/EC, ¶ 47, 1995 O.J. (L281) 32, 36.

[11] Marisa Anne Pagnattaro & Ellen R. Peirce, Between a Rock and a Hard Place: The Conflict Between U.S. Corporate Codes of Conduct and European Privacy and Work Laws, 28 Berkeley J. Emp. & Lab. L. 375, 411 (2007).

[12] See 15 U.S.C. § 78j-1(m)(4)(B) (2010).

[13] See 18 U.S.C. § 1514A (2010).

[14] See Donald C. Dowling, Jr, Sarbanes-Oxley Whistleblower Hotlines Across Europe: Directions Through the Maze, 42 Int’l Law. 1, 7 (2008) (“But our SOX hotline question here is international: Whether SOX’s mandate of “confidential, anonymous” employee reporting “procedures” extends as well to “employees” of SOX-regulated companies (and their subsidiaries) who work and live abroad.”).

[15] See id. (“But contrary to the widespread assumption of countless U.S.-based multinationals examining this issue, a viable argument exists that the Section 301 “complaint procedure” mandate is confined to “employee” populations working on U.S. soil.”).

[16] See Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data art. 2(d), Jan. 28, 1981, E.T.S. 108.

[17] See Pagnattaro & Pierce, supra note 10, at 412.

[18] See id. at 413 (“In other words, the harm that could be caused by a slanderous accusation–to which the employee may not be able to adequately respond–was too great a burden and outweighed the justifications for the hotlines.”).

[19] See id. at 421.

[20] Id.

Posted in DJILP Online, DJILP Staff, Featured Articles, Greg HenningComments (1)


Critical Analysis: Internet Surveillance Concerns Spark International Response

In May 2013, NSA contractor Edward Snowden leaked classified documents relating to mass surveillance programs igniting a long overdue international conversation concerning the legal rights and protections of data and digital communications in the internet age. Initially the media focused on the compelling story of Snowden’s decision to sacrifice his comfortable lifestyle and personal privacy in his flight from the US to asylum in Russia. Eventually the attention returned to the main question: how do we ensure that internet users’ rights are protected as the internet becomes an ever-increasing part of our daily lives? One of the biggest challenges in answering this question will be balancing the competing interests of governments, international organizations, businesses and individuals.

Vivane reding

European Union justice commissioner Viviane Reding addresses Parliament over privacy issues (picture-alliance/dpa)

The disclosures, which immediately sparked worldwide outrage, are now starting to bring about real change as governments begin to enact legislation that seeks to address many of the concerns exposed.  The European Union recently approved new data protection rules aimed specifically at preventing the issues presented by mass governmental surveillance programs. The rules seek to establish online privacy rights for EU citizens, simplification of the complaint process, and tougher standards for businesses that use personal data. The initial approval of these regulations has met criticism from internet businesses that say the new rules will result in impractical burdens.

While the European Union has led the charge, countries around the world have escalated the priority of data privacy laws. Indonesia publicly announced their support for United Nations’ actions with regards to data privacy. Opportunistic countries like the Bahamas are trying to establish themselves as safe places for companies to process personal data. Other countries, like Brazil, are taking more drastic positions on protecting their citizen’s data, calling for data localization and a break from the US-Centric Internet. Part of the concern arises out of the perceived dominance of the United States in the realm of internet governance. However, there are legitimate concerns that regulations restricting the flow of data will fundamentally change the internet, resulting in data silos and reduced innovation.

Reactions to the NSA spying program have been mixed in the United States. Many officials at the federal level have either denied culpability or maintained the importance of the programs. United States citizens concerned about data privacy may have better luck taking up the issue with their local state governments. While the United States federal government has sidestepped the issue many states have recently enacted new data privacy laws and state attorneys general can enforce those statutes. Privacy advocates hope that these laws will help to encourage laws at the federal level which can be more expansive in the scope of their protection.

If global internet usage trends are any indication, the issues of data privacy and internet governance will remain at the forefront of international policy discussions. The issue of data privacy prevents challenges on many fronts, including the fact that the pace of technology innovation vastly exceeds the ability of governing bodies to create legislation. In addition, we are seeing how the fear of data surveillance can strain the international relationships between countries. However great the challenges may be, the fact that this issue has gained international attention and created an active dialogue on the issues is a necessary step in the right direction.

Matthew Aeschbacher is a 3LE law student at the University of Denver Sturm College of Law and a staff editor for the Denver Journal of International Law & Policy.

Posted in DJILP Online, DJILP Staff, Featured Articles, Matthew AeschbacherComments (0)

Protesters against the U.N. Internet Treaty (Micro Center Blog)

Critical Analysis: The Threat of International Internet Regulation

Protesters against the U.N. Internet Treaty (Micro Center Blog)

Protesters against the U.N. Internet Treaty (Micro Center Blog)

At a United Nations conference last December, eighty-nine countries voted to create a revised telecommunications treaty that would implement a system of international government regulation over the internet.  The treaty will increase the authority of the International Telecommunication Union—a United Nations agency—in the regulation of the internet on a global scale.  Despite the tremendous response in favor of the treaty, the United States, along with fifty-five other countries, refused to sign.  The United States expressed concern over the threats to various freedoms that would result from such a law.

Opponents throughout the U.S. and abroad believe government regulation of the internet will have a decidedly negative effect on the global economy. The primary fear of government internet regulation is the implementation of widespread censorship which would not only affect individuals, but many online companies including internet giants such as Google and YouTube.  Internet censorship laws exist in several countries already and they provide a frightening example of the impending threats of the proposed U.N. regulations.  Russia, for example, passed an internet blacklist bill last summer requiring ISP’s to censor certain sites in an attempt to protect children from harmful content.  However, the bill also censors many Russian journalists and sites containing criticisms of the Russian government. This kind of censorship is a dangerous threat to free speech.  Further, the blacklist is already showing signs of a fragmented internet as legal challenges by rights advocates mount and companies as large as YouTube seek freedom from censorship.

Censorship is not the only threat to the global economy.  Many see a definite financial danger if government regulation of the internet were to succeed.  One fear is that governmental bureaucracy will come to control the engineering and business aspects of the internet.  Some regulatory proposals include dramatically altering website distribution, or even charging companies fees for visitor usage.  This could be as devastating to companies as outright censorship.  FCC Commissioner Robert McDowell believes this could even kill websites. He explained, “MIT and Harvard recently introduced free classes online…. That sort of thing starts to dry up if they have to start paying to put things online.”

While government regulation is a very real threat, there’s still time to stand against it. The United Nations treaty will not go into effect until 2015; that means the U.S. and other opposed nations can still make a case for internet freedom.  And, some progress is being made in this direction.  Lawmakers have drafted new legislation intended to define the US government’s official policy regarding the internet.  The proposal was submitted on February 5, 2013, at a hearing on global efforts for internet regulation and works to further clarify the United States’ position on internet regulation.  Above all, the drafted legislation promotes a “global internet free of governmental control.”

It is not hard to understand why now is the time for the U.S. to act on such legislation. The internet is a vital means of communication and commerce throughout the world.  Mandatory government involvement in the regulation of the internet will not only hurt the availability of information and access to content for people around the world, but it shakes the very foundations of our global economy. Thus, it is crucial that the United States and other countries stand behind a decentralized model of web governance meant to promote the continued innovation and growth of this important resource.  As FCC Commissioner McDowell warned, “dynamic new wonders of the early 21st century are inches away from being smothered by innovation-crushing old rules designed for a different time.”

Stacy Harper is a 2L at Denver University Law School and a Staff Editor for the Denver Journal of International Law and Policy.

Posted in DJILP Online, DJILP Staff, Featured Articles, Stacy HarperComments (0)

University of Denver Sturm College of Law