EU Data Directive: HR Data and Transfers of HR Data Outside the EU

Date: Oct 25, 2002

The EU Data Directive (Directive 95/46/EC) governs the collection, use and transfer of personal data, including Human Resources (HR) data. This overview focuses on the application of the Directive to HR data.

Primary Objectives:

    • Protect individuals with respect to processing of personal data

      • Personal Data- any information relating to an identified or identifiable natural person.

      • Identifiable Person- one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

      • Employee Data- employers should assume all employee data falls within the purview of the directive.1

      • Processing- applies to all data processing online, offline, manual (copying), automatic, etc. Data transfers are a form of processing.

    • Ensure free movement of personal information within the EU through harmonization of national laws.

The Directive requires each Member State to establish an independent Data Protection Authority (DPA) responsible for supervising the protection of personal data. An employer that determines the purposes and means of processing employee data is the Data Controller (DC) and, subject to Member State exemptions, must notify (in many Member States, register with) the DPA before the processing begins.

Threshold for Processing Employee Data
Legitimacy2- Employers can establish the legitimacy of Processing of Employee Data in one of the following ways:

    • Necessary to the Performance of an Employment Contract- Name, address, date of birth, terms and conditions of employment, reviews, salary, title, department are examples, but some Member States may specifically restrict the category.

    • Compliance with Legal Obligations- Such as providing tax or social security information or the number of sick days to governmental agencies. Individual Member State laws must be consulted for specific restrictions.

    • Legitimate Interests of the Data Controller- Information such as performance assessments could be considered here, but the data must be necessary to the DC or a third party, and that interest must be balanced against the intrusion into the employee's privacy.

    • Employee Consent- Consent may be opt-out consent unless the data is "sensitive," in which case it must be affirmative or opt-in. Some Member States and the Article 29 Data Protection Working Party have taken the position that consent cannot be freely given in an employer/employee situation.

Collection, Processing, and Use of Employee Data
Once the Employer establishes it meets the threshold legitimacy test, it must collect and use the information according to the following principles:

    • Proportional

      • Adequate

      • Relevant

      • Non-excessive

    • Specified Use

      • Specific

      • Explicit

      • Legitimate

      • No further processing in a manner incompatible with the specified purpose(s)

    • Notice

      • DC must disclose its identity

      • Purpose for collection

      • Category of recipients

      • That the employee has a right to access/correct information

    • Accuracy/Retention- Employer must take reasonable steps to ensure that data is

      • Accurate

      • Current

      • Not maintained longer than necessary

    • Security- Employer must establish appropriate technical and organizational measures against unauthorized disclosure of, or access to, the data.

Transfer of Data Outside the EU
Transfers of personal information outside the EU are restricted to countries with "Adequate" data protection (as determined by the European Commission) unless the transfer falls under one of the exceptions of Article 26 (see below). U.S. companies may also be deemed to have "Adequate" data protection by meeting the requirements of, and voluntarily complying with, the Safe Harbor provisions negotiated between the EU and U.S., by entering into approved contracts, or, potentially, by adhering to an approved code of conduct or practice. We review first the Safe Harbor program.

Safe Harbor- voluntary self-regulatory framework which allows participating "safe harborites" to transfer Employee Data (and other data, if they so designate) from the EU to the U.S. Note, however, that the safe harbor does not offer a global solution for multinational companies, which is particularly problematic for companies seeking to implement enterprise management systems for global employee data.

    • Eligibility- Only companies subject to the jurisdiction of a governmental body empowered to investigate complaints and obtain relief against unfair or deceptive practices in case of non-compliance (currently the FTC or DOT) are eligible for participation in the Safe Harbor program. Sectors outside that jurisdiction, such as telecommunications common carriers and banks, are therefore not eligible.3

    • Compliance- Companies must agree to comply with all of the following Principles to participate in the Safe Harbor program:

      • Notice- An organization must inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure. This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.4

      • Choice- An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.

        • For sensitive information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be given affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice. In any case, an organization should treat as sensitive any information received from a third party where the third party treats and identifies it as sensitive.5

      • Onward Transfer- To disclose information to a third party, organizations must apply the Notice and Choice Principles. Where an organization wishes to transfer information to a third party that is acting as its agent (i.e., performing tasks on the organization's behalf and under its instructions), it may do so if it first either ascertains that the third party subscribes to the Principles or is subject to the Directive or another adequacy finding, or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. If the organization complies with these requirements, it shall not be held responsible (unless the organization agrees otherwise) when a third party to which it transfers such information processes it in a way contrary to any restrictions or representations, unless the organization knew or should have known the third party would process it in such a contrary way and the organization has not taken reasonable steps to prevent or stop such processing.

      • Security- Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.

      • Data Integrity- Personal information must be relevant for the purposes for which it is to be used. An organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, an organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

      • Access- Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.6

      • Enforcement- Effective privacy protection must include mechanisms for assuring compliance with the Principles, recourse for individuals to whom the data relate who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed. At a minimum, such mechanisms must include (a) readily available and affordable independent recourse mechanisms by which each individual's complaints and disputes are investigated and resolved by reference to the Principles and damages awarded where the applicable law or private sector initiatives so provide; (b) follow-up procedures for verifying that the attestations and assertions businesses make about their privacy practices are true and that privacy practices have been implemented as presented; and (c) obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them, and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.

    • Safe Harbor Benefits- The safe harbor may provide a number of important benefits to U.S. firms. Benefits for U.S. organizations participating in the Safe Harbor include:

      • All 15 Member States of the European Union will be bound by the European Commission's finding of "Adequacy"

      • Companies participating in the Safe Harbor will be deemed to have adequate procedures in place to protect privacy, permitting data flows to those companies in accordance with the principles.

      • Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted (although some Member States still require a specific authorization).

      • Claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions. For HR data transfers, however, companies must agree to cooperate with the local DPAs (see Enforcement for Employee Data below). Safe harborites participating in the program for HR data must also be subject to the jurisdiction of the FTC or DOT.

    • Information Required for Safe Harbor Certification

      • Organization Information

      • Organization Contact Information (for the handling of complaints, access requests, and any other issues arising under the safe harbor)

      • Corporate Officer who is certifying the organization's adherence to the safe harbor framework

      • Description of the activities of the organization with respect to personal information received from the EU

      • Description of the organization's privacy policy for personal information

        • Effective date of organization's privacy policy

        • Location of organization's privacy policy

        • Specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy, and that is listed in the Annex to the Principles (Federal Trade Commission or Department of Transportation)

        • Information on any privacy programs relevant to the safe harbor in which the organization is a member

        • Method of organization's verification (e.g., in-house or third party)

        • Independent recourse mechanism(s) available to investigate unresolved complaints (e.g., a private sector developed privacy program that incorporates the Safe Harbor Principles, legal or regulatory supervisory authorities that provide for the handling of individual complaints and dispute resolution, or the EU data protection authorities)

        • Data Covered by the safe harbor (e.g., off-line, on-line, manually processed data, human resources data)

      • Additional Information Required

        • EU Countries from which you receive information

        • Industry Sector

        • Level of organization sales

        • Number of employees

Enforcement for Employee Data under the Safe Harbor Principles
Insofar as information is used only in the context of the employment relationship, primary responsibility for the data vis-à-vis the employee remains with the company in the EU. It follows that, where European employees make complaints about violations of their data protection rights and are not satisfied with the results of internal review, complaint, and appeal procedures (or any applicable grievance procedures under a contract with a trade union), they should be directed to the state or national data protection or labor authority in the jurisdiction where the employee works. This also includes cases where the alleged mishandling of their personal information has taken place in the United States. In that case, the mishandling is the responsibility of the U.S. organization that has received the information from the employer in the EU, and not of the EU employer. Those types of violations thus involve an alleged breach of the Safe Harbor Principles, rather than of national laws implementing the Directive, and may be the subject of enforcement action by the FTC. This approach was said to be the most efficient way to address the often overlapping rights and obligations imposed by local labor law and labor agreements as well as data protection law.

A U.S. organization participating in the safe harbor for transfers of human resources data transferred from the European Union must commit to cooperate in investigations by and to comply with the advice of competent EU authorities in such cases. The DPAs that have agreed to cooperate in this way will notify the European Commission and the Department of Commerce.

Exceptions (Article 26)
Exceptions for the transfer of HR or other personal information outside the EU include:

    • Unambiguous Consent of the employee (this is distinct from consent to disclosure to third parties within the EU). This requires unambiguous opt-in or affirmative consent. Note that a Working Party opinion questions whether employee consent is ever truly "voluntary," given the imbalance of power in the employment relationship.

    • Necessary for Performance of Contract with the individual.

    • Pursuant to an Ad Hoc Contract requiring approval of Member State DPA

      • Contract between Employer in EU and US affiliate (usually must be approved by member state DPA).

        • But: must still monitor use based on various Member State discrepancies.

    • Pursuant to a Model Contract approved by European Commission (EC) (effective 9/01).

      • Can be useful for U.S. companies that either do not qualify for the safe harbor (e.g., financial services) or prefer not to participate in the safe harbor. Under the Model Contract, the company must either:

        • abide by the Member State data protection law of the data exporter (which varies by Member State); or

        • abide by the Mandatory Principles set out in the contract (a higher standard than the Directive); or

        • abide by a Commission Adequacy decision (also a higher standard). A limited number of adequacy findings have been issued to date, covering Hungary, Switzerland, Canada and the aforementioned U.S. Safe Harbor.

In addition, compliance with approved codes of conduct may offer another vehicle to facilitate data transfers. This option is being further explored by industry.

Notification of Transfers
Technically, national DPAs are required to notify the Commission when authorizing an Article 26 transfer. These notifications may well provide the EC and Member States with added information on the scope of compliance.

The issue of transfers of all sorts of data is becoming increasingly complex in today's global, interconnected, electronic environment. The challenge will be even greater as more countries adopt data protection laws. Sensitivity to privacy concerns is a must, as are ongoing educational efforts to understand the various laws that may apply. Moreover, effort by the business community to develop additional alternatives to facilitate data flows, while maintaining data security and adhering to accepted principles, is a must. While enforcement has been limited to date, there is every expectation that enforcement efforts will increase, so U.S. employers are well advised to begin the compliance effort now.

Editor's Note: The European Commission issued its long-awaited report on implementation of the Data Directive on May 16, 2003. Although, as anticipated, the report did not recommend any changes or amendments to the Directive, it did acknowledge a lack of harmonization between Member States. Moreover, it acknowledged that an overly lax attitude toward enforcement might weaken protection across the EU, while an overly strict approach would unduly restrict trade and create a "gap" between law and practice that would damage the credibility of the Directive. It noted that international transfers in particular "appear to be an area where the lack of enforcement creates such a gap." The report recommends more harmonization, and simplifying the requirements for international transfers, including broader use of adequacy findings, expanded contracts, recognition of binding corporate rules and more uniform interpretation of the Article 26 exceptions, among other things. Promoting self-regulation is also mentioned, an encouraging sign for industry groups.

For more information, please contact Sheila A. Millar at (202) 434-4143, or via e-mail at millar@khlaw.com, or Vanessa R. Hamilton at (202) 434-4111, or via e-mail at Hamilton@khlaw.com.


1 Where a company in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the safe harbor, the transferor enjoys the benefits of the safe harbor. In such cases, the collection of the information and its processing prior to transfer will have been subject to the national laws of the EU country where it was collected, and any conditions for or restrictions on its transfer according to those laws will have to be respected. The Safe Harbor Principles are relevant only when individually identified records are transferred or accessed. Statistical reporting relying on aggregate employment data and/or the use of anonymized or pseudonymized data does not raise privacy concerns. See United States Department of Commerce website www.export.gov.

2 See Article 29 Data Protection Working Party Opinion 5/2002

3 See List of U.S. Statutory Bodies Recognized by the European Union at the United States Department of Commerce website www.export.gov.

4 A U.S. organization that has received employee information from the EU under the safe harbor may disclose it to third parties and/or use it for different purposes only in accordance with the Notice and Choice Principles. For example, where an organization intends to use personal information collected through the employment relationship for non-employment-related purposes, such as marketing communications, the U.S. organization must provide the affected individuals with choice before doing so, unless they have already authorized the use of the information for such purposes. Moreover, such choices must not be used to restrict employment opportunities or take any punitive action against such employees.

It should be noted that certain generally applicable conditions for transfer from some Member States may preclude other uses of such information even after transfer outside the EU and such conditions will have to be respected.
In addition, employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.

To the extent and for the period necessary to avoid prejudicing the legitimate interests of the organization in making promotions, appointments, or other similar employment decisions, an organization does not need to offer notice and choice. See United States Department of Commerce website www.export.gov.

5 An organization is not always required to provide explicit (opt in) choice with respect to sensitive data where such choice is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of legal claims or defenses; (3) required to provide medical care or diagnosis; (4) carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; (5) necessary to carry out the organization's obligations in the field of employment law; or (6) related to data that are manifestly made public by the individual. See United States Department of Commerce website www.export.gov.

6 The Principles on access provide guidance on reasons which may justify denying or limiting access on request in the human resources context. Of course, employers in the European Union must comply with local regulations and ensure that European Union employees have access to such information as is required by law in their home countries, regardless of the location of data processing and storage. The safe harbor requires that an organization processing such data in the United States will cooperate in providing such access either directly or through the EU employer. See United States Department of Commerce website www.export.gov.