fyi.   
 

--Lizzette 

-----Original Message-----
From: Gregory, Sarah 
Sent: Tuesday, October 16, 2001 11:55 AM
To: Palmer, Lizzette
Cc: Chapman, Jon (London HR)
Subject: FW: Data privacy policy and intra-group agreement


Lizzette
 
As requested
 
Sarah
-----Original Message-----
From: Gregory, Sarah 
Sent: 01 October 2001 13:01
To: Chapman, Jon (London)
Subject: FW: Data privacy policy and intra-group agreement


Jon
 
Please see the note below which is the result of a brief (4-hour) review by CC. Somewhat predictably, the main conclusion of the review is that, because we haven't followed the model contract relating to data transfers published by the EC, we may not have "adequately safeguarded" employees' positions, especially since we missed bits out, changed the emphasis from time to time and accorded ourselves rights not otherwise envisaged by the master contract.
 
Fundamental points seem to be:

*     we give no rights to employees to sue under the contract 
*     we seem to be confused as to whether we are getting consent from employees or relying on the model contract, as we seem to be suggesting that we will do both 
*     we don't make it clear what we are doing with other data (other than employee data) and don't deal with sensitive data 
*     we impose a burden on Corp to comply with the contract and the laws of the exporter, which is a double whammy 
*     we don't expressly deal with international transfers 
*     we have missed a whole host of provisions out from the Model Contract 
*     we can change the uses for which employee data is used

 
How do you want to take this forward?
 
Sarah



-----Original Message-----
From: Lawrence.Milner@CliffordChance.com
Sent: 28 September 2001 17:47
To: Gregory, Sarah
Subject: Data privacy policy and intra-group agreement


Dear Sarah

Further to our correspondence earlier this week, you asked me to look at the documentation that you sent me from a data privacy perspective.  As requested, I set out below what I believe are the significant issues in relation to the relevant documents. 

Preface to policy

*     In relation to the "Prefatory Statement To Employee Data Protection Policy" I note that this prefatory statement and the associated policy relate only to employee data and it is therefore unclear what steps Enron is taking in respect of other data.

*     The last paragraph on the first page of the prefatory statement states that "we are implementing the Employee Data Protection Policy attached to this Preface in an effort to assure employees and the appropriate regulatory agencies that we have in place data protections that are comparable to those mandated by the Directive and other similar data protection laws".  Enron's obligation is to ensure that it complies with applicable data protection laws.  To the extent that the policy only relates to employee data it will not satisfy regulatory authorities or others that Enron is complying with data protection laws in respect of any other data.

Policy

*     In relation to the policy itself, this does not identify or require employees to comply in a comprehensive way with the various data protection principles under the UK Act or the Directive.  Where principles are reflected, the relevant provisions are on occasion slightly misleading.  For example, the policy says that data is kept "as long as necessary".  The relevant data protection principle is that data should "not be kept for longer than is necessary" (a difference in emphasis). It seems to me that the policy is seeking largely to fulfil the requirement that individuals (employees in this case) are properly informed of the processing of their data.  This requires Enron to inform individuals of the data controller (or its representative), the purposes of processing and any other information to enable the processing to be fair.  In this regard, section 2 identifies the purposes of processing employee data.  Have checks been made to ensure this is an accurate and reasonably comprehensive description of the purposes for which employee data are processed?

*     Section 2 of the policy states that Enron companies do not access sensitive data "in making employment decisions described in (i) and (ii)" of section 2.  To what extent is any sensitive employee data processed by Enron and to what extent have any notices or consents been given or obtained in relation to such data? 


*     In relation to the consent sought in section 3, this does not clearly seek consent to international transfers of data.  The policy also seeks to deem consent, stating that "by continuing as an employee of an Enron Company" the employee agrees to the use of his or her data as described in the policy.  It is unclear whether such a deemed consent would be effective.  To what extent is it possible to seek employees' actual consent (e.g. as part of an annual agreement by employees to abide by applicable group codes of conduct, guidelines or policies)?

*     In relation to section 3, this provides that Enron may expand the uses to which employee data is put as described in this policy.  Unless employees are properly informed of or aware of any such changes, it is unlikely that any such changes will be lawful.

*     In relation to section 4, this states that "we have not established general guidelines for the use, disclosure and retention of personal data. Obviously, the purposes for which we will process personal data, the type of personal data in question and relevant regulatory requirements will guide us in such matters".  It is unclear what the purpose of this wording is bearing in mind that it would not offer any comfort to regulators that applicable data protection laws are being complied with.  From an employee's perspective, it is not very informative.

*     In the second paragraph in section 4, the policy provides that each individual who is retained by an Enron Company is responsible for ensuring that he or she takes into account the principles established by this policy.  As mentioned above the policy does not clearly address all relevant principles identified in the Directive.  

Master Agreement

*     The master data protection agreement only relates to intra-group transfers of employee data.  What is happening in relation to transfers of other data?

*     To the extent that consents by employees to processing and international transfer of their data have been or can be obtained (e.g. through employees agreeing to a policy that addresses this issue), then this document would not be necessary, as relevant conditions permitting international transfers would have been satisfied.  To what extent can employees' consents be obtained to international transfers?

*     The provisions in this document appear to be based on the EU model contract.  However, they do not cover all the relevant provisions of the model contract and, to the extent that relevant provisions are covered, they tend to be paraphrased in slightly inconsistent ways.  As a result, the question is to what extent this document can be relied on to ensure "adequate safeguards".  The EU decision adopting the model contract states that "the scope of this Decision is limited to establishing that the clauses in the Annex may be used by a controller established in the Community in order to adduce adequate safeguards within the meaning of article 26 (ii) of Directive 95/46/EC".  The Decision does not state that similar terms adopted by particular entities will also offer adequate safeguards.  The more that the Master Agreement differs from the EU model contract, the less certainty an entity can have that there are adequate safeguards in place. 

*     Although many provisions in the model contract have been paraphrased in the Master Agreement, I could not find provisions in the Master Agreement corresponding with a number of provisions in the model contract, for example: clauses 2, 3, 4(b),  5(e), 6, 7(1), 9 and 11 of the model contract, and the detailed description of the processing in Appendix 1 of  the model contract.  In relation to Appendix 2, it is unclear where the following are reflected:  Appendix 2, paragraph 3;  the various information requirements in paragraph 6(a) and paragraphs 7, 8 and 9 of Appendix 2.

*     In relation to the Data Importer - is Enron Corp. the only relevant data importer of employee data from Europe?

*     In relation to the definitions in the master data protection agreement, it is unclear why this does not use the same definitions as the model contract.   For example, the definition of "data processor" identifies relevant entities that are "not a member of the corporate group".  Why are Enron Corporate Group members excluded from the definition of data processors? 

*     The master data protection agreement does not address the question of sensitive data and no definition of sensitive data is included.  Are any sensitive data transferred? 

*     In relation to section 3(e), this lists again the various purposes of processing employee data.  The description of relevant processing should presumably track the description in the policy to which Enron Group companies are bound.  It is therefore unclear why it is necessary to list again the various purposes of employee processing rather than simply cross-referring to the policy.


*     Paragraph 3(f) states that the data exporter will be responsible for obtaining any necessary consents from the data subjects in respect of the processing of personal data.  To the extent that consents are obtained they should also cover international transfers of data.  To the extent that appropriate consents to the international transfer of data are obtained, then this agreement is unnecessary.  Again, therefore, the question is to what extent consents to international transfer of data by employees can be or will be obtained?


*     Clause 3(g) provides that the purposes for which data may be processed can be expanded and that the data importer will endeavour to inform the data exporter of additional purposes of using such data.  This does not conform with the strict "purpose limitation" in paragraph 1 of appendix 2 of the model contract.

*     Whereas clause 5(b) of the model contract entitles importers to either abide by the principles identified in the model contract or the laws of the data exporter (which need to be annexed to the contract), the master agreement addresses both these requirements (see in particular paragraph 5(b)).  As a result, to this extent it imposes a potentially higher standard than that required by the model contract.  How does Enron Corp propose to comply with the laws of multiple countries as per clause 5(b)?

*     Clause 9(b) provides that the "data processor will observe the obligations of a data controller" - this might mean for example that a data processor needs to register for data protection purposes with applicable data protection regulators.  What legal obligation is this clause seeking to address?

The above comments are based on the UK Act; however, it is likely that similar obligations will apply in other jurisdictions.

In light of the above, the key issues are as follows:

*     To what extent is it possible to obtain consents from employees to international transfers?  To the extent this is possible then it is likely that an intra-group agreement will not be necessary;
*     To the extent that such an agreement is necessary, we would normally suggest that this is done substantially on the terms of the model contract.  To the extent that the relevant terms differ from the model contract, then there is a risk that the relevant provisions do not offer "adequate safeguards" as provided by the Commission decision.  If, however, Enron proposes to make transfers under the terms of the master agreement, then I would suggest the master agreement should be reviewed in detail so as to ensure that, to the fullest extent possible, it reflects all the relevant provisions of the model contract more closely, in particular in relation to the rights of relevant data subjects to enforce the contract as a party to it.

Please do not hesitate to contact me if you would like to discuss this further.

Yours sincerely


Lawrence Milner

*******

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure.  If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system.  If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.

For further information about Clifford Chance please see our website at <http://www.cliffordchance.com> or refer to any Clifford Chance office.