Date: Oct 25, 2002
The EU Data Directive (Directive 95/46/EC) governs the collection, use and transfer of personal data, including Human Resources (HR) data. This overview focuses on the application of the Directive to HR data.
The Directive requires each Member State to establish an independent Data Protection Authority (DPA) responsible for protecting data. An employer processing data must appoint a Data Controller (DC) who must register with the DPA and notify the DPA prior to processing any data.
Threshold for Processing Employee Data

Legitimacy[2] - Employers can establish the legitimacy of processing of Employee Data in one of the following ways:
Collection, Processing, and Use of Employee Data

Once the Employer establishes it meets the threshold legitimacy test, it must collect and use the information according to the following principles:
Transfer of Data Outside the EU

Transfers of personal information outside the EU are restricted to countries with "Adequate" (as determined by the European Commission) Data Protection unless the transfer falls under one of the exceptions of Article 26 (see below). U.S. companies may also be deemed to have "Adequate" Data Protection by meeting the requirements and voluntarily complying with the Safe Harbor provisions negotiated between the EU and U.S., entering into approved contracts, or, potentially, adhering to a code of conduct or practice. We review first the Safe Harbor program.
Safe Harbor

A voluntary self-regulatory framework which allows participating "safe harborites" to transfer Employee Data (and other data, if they so designate) from the EU to the U.S. Note, however, that the safe harbor does not offer a global solution for multinational companies, which is particularly problematic for companies seeking to implement enterprise management systems for global employee data.
Enforcement for Employee Data under the Safe Harbor Principles

Insofar as information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the company in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. This also includes cases where the alleged mishandling of their personal information has taken place in the United States. In that case, mishandling is the responsibility of the U.S. organization that has received the information from the employer in the EU, and not of the EU employer. Those types of violations thus involve an alleged breach of the Safe Harbor Principles, rather than of national laws implementing the Directive, and may be the subject of enforcement action by the FTC. This approach was said to be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law.
A U.S. organization participating in the safe harbor for transfers of human resources data transferred from the European Union must commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. The DPAs that have agreed to cooperate in this way will notify the European Commission and the Department of Commerce.
Exceptions (Article 26)

Exceptions for the transfer of HR or other personal information outside the EU include:
In addition, compliance with approved codes of conduct may offer another vehicle to facilitate data transfers. This option is being further explored by industry.
Notification of Transfers

Technically, national DPAs are required to notify the Commission when authorizing an Article 26 transfer. These notifications may well provide the EC and Member States with added information on the scope of compliance.
Conclusion

The issue of data transfers of all sorts of data is becoming increasingly complex in today's global, interconnected, electronic environment. The challenge will be even greater as more countries consider data protection laws. Sensitivity to privacy concerns is a must, as are ongoing educational efforts to understand the various laws that may apply. Moreover, effort by the business community to develop additional alternatives to facilitate data flows, while maintaining data security and adhering to accepted principles, is a must. While enforcement has been limited to date, there is every expectation that enforcement efforts will increase, so U.S. employers are well advised to begin the compliance effort now.
Editor's Note: The European Commission issued its long-awaited report on implementation of the Data Directive on May 16, 2003. Although, as anticipated, the report did not recommend any changes or amendments to the Directive, it did acknowledge a lack of harmonization between Member States. Moreover, it acknowledged that an overly lax attitude toward enforcement might weaken protection across the EU, while an overly strict approach would unduly restrict trade and create a "gap" between law and practice that would damage the credibility of the Directive. It noted that international transfers in particular "appear to be an area where the lack of enforcement creates such a gap." The report recommends more harmonization, and simplifying the requirements for international transfers, including broader use of adequacy findings, expanded contracts, recognition of binding corporate rules and more uniform interpretation of the Article 26 exceptions, among other things. Promoting self-regulation is also mentioned, an encouraging sign for industry groups.
For more information, please contact Sheila A. Millar at (202) 434-4143, or via e-mail at firstname.lastname@example.org, or Vanessa R. Hamilton at (202) 434-4111, or via e-mail at Hamilton@khlaw.com.
1 Where a company in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the safe harbor, the transferor enjoys the benefits of the safe harbor. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. The Safe Harbor Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data does not raise privacy concerns. See United States Department of Commerce website www.export.gov.
2 See Article 29 Data Protection Working Party Opinion 5/2002
3 See List of U.S. Statutory Bodies Recognized by the European Union at the United States Department of Commerce website www.export.gov.
4 A U.S. organization that has received employee information from the EU under the safe harbor may disclose it to third parties and/or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees.
It should be noted that certain generally applicable conditions for transfer from some Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected. In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. See United States Department of Commerce website www.export.gov.
5 An organization is not always required to provide explicit (opt in) choice with respect to sensitive data where such choice is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; (5) necessary to carry out the organization's obligations in the field of employment law; or (6) related to data that are manifestly made public by the individual. See United States Department of Commerce website www.export.gov.
6 The Principles on access provide guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. See United States Department of Commerce website www.export.gov.