Message-ID: <10650519.1075853132015.JavaMail.evans@thyme>
Date: Tue, 16 Oct 2001 15:06:41 -0700 (PDT)
From: lizzette.palmer@enron.com
To: michelle.cash@enron.com
Subject: FW: Data privacy policy and intra-group agreement
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
X-From: Palmer, Lizzette </O=ENRON/OU=NA/CN=RECIPIENTS/CN=LPALMER>
X-To: Cash, Michelle </O=ENRON/OU=NA/CN=RECIPIENTS/CN=Mcash>
X-cc: 
X-bcc: 
X-Folder: \MCASH (Non-Privileged)\Cash, Michelle\Inbox
X-Origin: Cash-M
X-FileName: MCASH (Non-Privileged).pst

fyi.

--Lizzette

-----Original Message-----
From: Gregory, Sarah
Sent: Tuesday, October 16, 2001 11:55 AM
To: Palmer, Lizzette
Cc: Chapman, Jon (London HR)
Subject: FW: Data privacy policy and intra-group agreement


Lizzette

As requested

Sarah
-----Original Message-----
From: Gregory, Sarah
Sent: 01 October 2001 13:01
To: Chapman, Jon (London)
Subject: FW: Data privacy policy and intra-group agreement


Jon

Please see the note below which is the result of a brief (4 hour review) by CC. Somewhat predictably, the main conclusion of the review is that, because we haven't followed the model contract relating to data transfers published by the EC, we may not have "adequately safeguarded" employees' positions especially since we missed bits out, changed the emphasis from time to time and accorded ourselves rights not otherwise envisaged by the master contract.

Fundamental points seem to be

we give no rights to employees to sue under the contract
we seem to be confused as to whether we are getting consent from employees or relying on the model contract as we seem to be suggesting that we will do both
we don't make it clear what we are doing with other data (other than employee data) and don't deal with sensitive data
we impose a burden on Corp to comply with the contract and the laws of the exporter which is a double whammy
we don't expressly deal with international transfers
we have missed a whole host of provisions out from the Model Contract
we can change the uses for which employee data is used

How do you want to take this forward?

Sarah



-----Original Message-----
From: Lawrence.Milner@CliffordChance.com
[ <mailto:Lawrence.Milner@CliffordChance.com>]
Sent: 28 September 2001 17:47
To: Gregory, Sarah
Subject: Data privacy policy and intra-group agreement


Dear Sarah

Further to our correspondence earlier this week, you asked me to look at the documentation that you sent me from a data privacy perspective. As requested, I set out below what I believe are the significant issues in relation to the relevant documents.

Preface to policy

*     In relation to the "Prefatory Statement To Employee Data Protection Policy" I note that this prefatory statement and the associated policy relate only to employee data and it is therefore unclear what steps Enron is taking in respect of other data.

*     The last paragraph on the first page of the prefatory statement states that "we are implementing the Employee Data Protection Policy attached to this Preface in an effort to assure employees and the appropriate regulatory agencies that we have in place data protections that are comparable to those mandated by the Directive and other similar data protection laws". Enron's obligation is to ensure that it complies with applicable data protection laws. To the extent that the policy only relates to employee data it will not satisfy regulatory authorities or others that Enron is complying with data protection laws in respect of any other data.

Policy

*     In relation to the policy itself, this does not identify or require employees to comply in a comprehensive way with the various data protection principles under the UK Act or the Directive. Where principles are reflected, the relevant provisions are on occasion slightly misleading. For example, the policy says that data is kept "as long as necessary". The relevant data protection principle is that data should "not be kept for longer than is necessary" (a difference in emphasis). It seems to me that the policy is seeking largely to fulfil the requirement that individuals (employees in this case) are properly informed of the processing of their data. This requires Enron to inform individuals of the data controller (or its representative), the purposes of processing and any other information to enable the processing to be fair. In this regard, section 2 identifies the purposes of processing employee data. Have checks been made to ensure this is an accurate and reasonably comprehensive description of the purposes for which employee data are processed?

*     Section 2 of the policy states that Enron companies do not access sensitive data "in making employment decisions described in (i) and (ii)" of section 2. To what extent is any sensitive employee data processed by Enron and to what extent have any notices or consents been given or obtained in relation to such data?


*     In relation to the consent sought in section 3, this does not clearly seek consent to international transfers of data. The policy also seeks to deem consent stating that by continuing as an employee of an Enron Company" the employee agrees to the use of his or her data as described in the policy. It is unclear whether such a deemed consent would be effective. To what extent is it possible to seek employees' actual consent (e.g. as part of an annual agreement by employees to abide by applicable group codes of conduct, guidelines or policies)?

*     In relation to section 3, this provides that Enron may expand the uses to which employee data is put as described in this policy. Unless employees are properly informed of or aware of any such changes, it is unlikely that any such changes will be lawful.

*     In relation to section 4, this states that "we have not established general guidelines for the use, disclosure and retention of personal data. Obviously, the purposes for which we will process personal data, the type of personal data in question and relevant regulatory requirements will guide us in such matters". It is unclear what the purpose of this wording is bearing in mind that it would not offer any comfort to regulators that applicable data protection laws are being complied with. From an employee's perspective, it is not very informative.

*     In the second paragraph in section 4, the policy provides that each individual who is retained by an Enron Company is responsible for ensuring that he or she takes into account the principles established by this policy. As mentioned above the policy does not clearly address all relevant principles identified in the Directive.

Master Agreement

*     The master data protection agreement only relates to intra-group transfers of employee data. What is happening in relation to transfers of other data?

*     To the extent that consents by employees to processing and international transfer of their data have been or can be obtained (e.g. through employees agreeing to a policy that addresses this issue and) then this document would not be necessary as relevant conditions permitting international transfers would have been satisfied. To what extent can employees' consents be obtained to international transfers?

*     The provisions in this document appear to be based on the European EU model contract. However, they do not cover all the relevant provisions of the model contract and to the extent that relevant provisions are covered, they tend to be paraphrased in slightly inconsistent ways. As a result, the question is to what extent can this document be relied on to ensure "adequate safeguards". The EU decision adopting to the model contract states that "the scope of this Decision is limited to establishing that the clauses in the Annex may be used by a controller established in the Community in order to adduce adequate safeguards within the meaning of article 26 (ii) of Directive 95/46/EC". The Decision does not state that similar terms adopted by particular entities will also offer adequate safeguards. The more that the Master Agreement differs from the EU model contract, the less certainty an entity can have that there are adequate safeguards in place.

*     Although many provisions in the model contract have been paraphrased in the Master Agreement, I could not find provisions in the Master Agreement corresponding with a number of provisions in the model contract, for example: clauses 2, 3, 4(b), 5(e), 6, 7(1), 9 and 11 of the model contract, and the detailed description of the processing in Appendix 1 of the model contract. In relation to Appendix 2, it is unclear where the following are reflected: Appendix 2, paragraph 3; the various information requirements in paragraph 6(a) and paragraphs 7, 8 and 9 of Appendix 2.

*     In relation to the Data Importer - is Enron Corp. the only relevant data importer of employee data from Europe?

*     In relation to the definitions in the master data protection agreement, it is unclear why this does not use the same definition as the model contract. For example, the definition of "data processor" identifies relevant entities that are "not a member of the corporate group". Why are Enron Corporate Group members excluded from the definition of data processors?

*     The master data protection agreement does not address the question of sensitive data and no definition of sensitive data is included. Are any sensitive data transferred?

*     In relation to section 3(e), this lists again the various purposes of processing employee data. The description of relevant processing should presumably track the description in the policy to which Enron Group companies are bound. It is therefore unclear why it is necessary to list again the various purposes of employee processing rather than simply cross-referring to the policy.


*     Paragraph 3(f) states that data exporter will be responsible for obtaining any necessary consents from the data subjects with respect of the processing of personal data. To the extent that consents are obtained they should also cover international transfers of data. To the extent that appropriate consents to the international transfer of data are obtained then this agreement is unnecessary. Again therefore the question is to what extent consents to international transfer of data by employees can be or will be obtained?


*     Clause 3(g) provides that the purposes for which data may be processed can be expanded and that the data importer will endeavour to inform the data exporter of additional purposes of using such data. This does not conform with the strict "purpose limitation" in paragraph 1 of appendix 2 of the model contract.

*     Whereas clause 5(b) of the model contract entitles importers to either abide by the principles identified in the model contract or the laws of the data exporter (which need to be annexed to the contract), the master agreement addresses both these requirements (see in particular paragraph 5(b)). As a result, to this extent it imposes a potentially higher standard than that required by the model contract. How does Enron Corp propose to comply with the laws of multiple countries as per clause 5(b)?

*     Clause 9(b) provides that the "data processor will observe the obligations of a data controller" - this might mean for example that a data processor needs to register for data protection purposes with applicable data protection regulators. What legal obligation is this clause seeking to address?

The above comments are based on the UK Act; however, it is likely that similar obligations will apply in other jurisdictions.

In light of the above, the key issues are as follows:

*     To what extent is it possible to obtain consents from employees to international transfers? To the extent this is possible then it is likely that an intra-group agreement will not be necessary;
*     To the extent that such an agreement is necessary, we would normally suggest that this is done substantially on the terms of the model contract. To the extent that the relevant terms differ from the model contract then there is a risk that the relevant provisions do not offer "adequate safeguards" as provided by the Commission decision. If however, Enron proposes to make transfers under the terms of the master agreement then I would suggest the master agreement should be reviewed in detail so as to ensure that to the fullest extent possible, it accurately reflects all the relevant provisions of the model contract more closely, in particular in relation to rights of relevant data subjects to enforce the contract as a party to it.

Please do not hesitate to contact me if you would like to discuss this further.

Yours sincerely


Lawrence Milner

*******

This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, please telephone or email the sender and delete this message and any attachment from your system. If you are not the intended recipient you must not copy this message or attachment or disclose the contents to any other person.

For further information about Clifford Chance please see our website at <http://www.cliffordchance.com> or refer to any Clifford Chance office.
