EXECUTIVE SUMMARY

Many foreign companies operating in the European Union (the "EU")1 are unaware that their traditional business practices may violate EU and Member State laws regarding personal data protection. The EU Data Protection Directive 95/46/EC (the "Directive") regulates the collection, use, and transfer of individually identifiable personal information about employees, such as name, address, telephone number, and marital status, as well as information such as salary, bonuses, terms of an employment contract, and performance appraisals. It also requires the Member States to adopt laws implementing the Directive requirements. In addition, the transfer of employee information to another entity, even a related corporate affiliate, without providing explicit notice to employees and in some cases obtaining consent from employees may be considered a violation of the Directive and Member State laws. Thus, for example, if a company with operations in England provides information regarding individual employees to the home office in the United States, that company must comply with the U.K. Data Protection law. The potential liability for employers failing to abide by these laws can be quite high.

The Spanish Data Protection Authority, for example, recently fined an organization nearly 840,000 euros (approximately US$900,000) for sharing customer data with a subsidiary organization and fined another organization 1.08 million euros (approximately US$1.17 million) for disclosing protected personal information to the public. Companies with operations in the EU, especially those that centralize human resources information in databases located outside the EU or regularly transfer employee data among offices outside the EU, may have to change the way they collect and use employee data.

Virtually every business with employees in a Member State of the EU must comply with the Directive and the Member State laws implementing it. These laws apply to the collection, processing, and transfer of employee personal data, online and offline, manual as well as automated. Employers must have appropriate legal grounds to collect and process personal employee information and to transfer that data to another entity, even an affiliated organization such as a parent company or a subsidiary.

In addition to specific regulations regarding the collection and use of personal data within the EU, the Directive also requires Member States to restrict the transfer of personal data to only those countries outside the EU that provide "adequate" data protection. "Adequate" is not defined by the Directive or by any of the Member States. The Directive also provides several exceptions that allow for international transfers of personal information where there is no adequacy determination in place for the relevant jurisdiction.2 The rules are extensive and still evolving. They also differ significantly from Member State to Member State. Given the possible fines and the potential injury to reputation and goodwill that may result if a serious privacy violation is publicized, it is imperative that employers review and adopt appropriate policies and practices.

RECOMMENDATIONS FOR EMPLOYERS

Limit information to essential information.

Any company operating in the EU has to comply with all relevant Member State data protection laws. A company should, therefore, know what employee information it collects, how such information is used, to whom it is disclosed, and to what countries it is transferred. Such information and uses should be cataloged by the company. Special attention should be paid to any information collected that is considered sensitive information, because it requires special handling. Once a company understands what data it collects from its employees, the company should examine the purpose(s) for collecting the information to ensure that it has specified, explicit, and legitimate bases for such collection so that the Member State requirements are met. All information must be tested under these standards, and any "nice to have" but non-essential information should not be collected.

Review internal procedures.

A company must put procedures in place to ensure the accuracy of information and the purging of information no longer required for the purposes for which it was collected. Further, the company should evaluate its technical and organizational measures for ensuring that employee information is protected against unauthorized disclosure or access, and also ensure that appropriate training is in place for staff who have access to the personal data of other employees. The company should ensure that it complies with registration requirements in those Member States in which it has employees and that require registration.

Review legal basis for transfer of information.

As part of its employee data collection and use inventory, a company should review whether it transfers any employee data to the United States or to other third countries that have not been declared "adequate" by the European Commission. If a company does, indeed, transfer data to the United States, the company should have a legal basis for the transfer of such information (e.g., ad hoc contracts, model contracts, or consent) and bring itself into compliance with the requirements of the chosen basis.

Monitor legislative changes.

Finally, given the intense discussion on collection and use of employee information currently underway at the European Commission and many of the Member States, companies should routinely monitor new developments and adjust their procedures accordingly.

INTRODUCTION

Businesses that collect and use employee personal data in the European Union ("EU") face an extensive legal framework which, unlike the privacy laws and self-regulatory regimes adopted in the United States ("U.S."), also imposes strict privacy conditions on employee data. The EU Data Protection Directive 95/46/EC ("Directive")3 applies to both employee and consumer personal information, and the Member States' laws enacted to implement the Directive likewise apply to both. These laws impose substantial requirements on the collection and use of virtually all employee data while those data are in the EU.

In addition, these laws restrict the transfer of that information from the EU to third countries, such as the U.S., unless the third country has been found to provide an adequate level of protection or the employer can identify another legal basis for the transfer. Accordingly, any employer operating in the EU must first conform its data practices to the Directive and Member State laws while the data are in the EU. And, when transferring employee data from the EU to third countries, employers must also identify and implement a legal basis for such transfers. Employers operating in the EU that collect or process personal information in the EU without adhering to Member State laws or transfer personal information from the EU to a country without "adequate" protection or a relevant exception may incur substantial legal liability.

The Directive is framework legislation and requires each Member State to enact implementing legislation. All but three Member States (France, Ireland, and Luxembourg) have now done so. The Directive sets a floor for the Member State legislation, and in some instances it may also set a ceiling. It does not, however, prohibit divergences among Member State laws. Accordingly, employers doing business in the EU must inform themselves about and comply with all the terms of the specific Member State data protection laws that are in effect in the countries in which the companies have employees.

This article is intended as a primer for companies with employees in the EU who are evaluating their employee data practices. It provides an introduction for employers to: (i) the Directive; (ii) how human resources data are defined in the EU; (iii) basic EU data protection requirements; (iv) the legal grounds for transferring employee information to countries outside the EU; and (v) practical steps U.S. companies operating in or receiving employee data from the EU should take to ensure compliance with EU legal requirements.

OVERVIEW OF THE DIRECTIVE; ITS APPLICATION TO EMPLOYEE DATA

Consistent with the history of the European legal regime, the Directive sets forth a broad, highly regulatory, and inclusive approach to privacy issues. The primary objectives of the Directive are: (i) to protect individuals with respect to the "processing" of personal information;4 and (ii) to ensure the free movement of personal information within the EU through the harmonization of national laws.5

The Directive is extraordinarily broad in scope. It applies to all processing of data, online and offline, manual as well as automatic, and all organizations holding personal data. Only data used "in the course of purely personal or household activity" are excluded from its reach.6 Thus, an employer’s collection and use of employee data clearly falls within the ambit of the Directive. The Directive establishes strict requirements for the processing of personal information. "Processing" of data includes any operations involving personal information, except perhaps its mere transmission. For example, copying information or putting it in a file is viewed as "processing." An employer should keep in mind that "sensitive" data, such as that pertaining to racial or ethnic origins, trade union membership, political or religious beliefs, or health or sex life, may not be processed unless such processing comes within limited exceptions.7

The Directive also requires each Member State to establish an independent data protection authority ("DPA") to supervise the protection of personal data.8 An employer that is processing data must register with (or notify) the DPA prior to processing any data,9 unless the employer fits within an exemption provided under a Member State law.10 This requirement mandates that, prior to carrying out any processing, an employer must provide the relevant DPAs with information on the purpose of the processing, the categories of individuals whose data are being processed and the types of data relating to them, the categories of recipients to whom the data may be disclosed, proposed transfers to third countries, and the security measures in place.

What are "Human Resources Data"?

Despite its applicability to employee data, the Directive does not provide any specific guidance on the processing of data in the employment context, nor does it specifically define human resources data. The definition of "personal data" is extremely broad, however, and, as noted above, encompasses "any information relating to an identified or identifiable natural person. . . . An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." (Emphasis added.)11

An employer will also find, for the most part, little guidance in Member State laws, which either fail to define human resources data or do so very generally. A definition of human resources data often must be inferred from data protection registration forms that require an employer to provide the purpose of the employee database and its specific use. The inferences that may be drawn from the examples of human resources data on these forms are very broad and suggest that all personal information about employees collected by employers is covered.12 Accordingly, an employer doing business in the EU should assume that any information relating to prospective, present, or past employees collected in any form will be subject to the protections of the Directive and must be handled in a manner compliant with Member State data protection law.

EU DATA PROTECTION REQUIREMENTS APPLICABLE TO HUMAN RESOURCES DATA

While all the Directive’s data protection principles apply to personal data in all contexts, in some instances the principles may apply differently in the employment context than in other contexts.

Legitimacy: Establishing the Legal Grounds for Processing Employee Data.

An employer must have appropriate legal grounds to process personal information.13 An employer must meet this legitimacy standard for processing employee data, and such processing must be "necessary for the achievement of the objective in question rather than merely incidental to its achievement" ("Working Party Opinion").14 An employer may establish this legitimacy by several means, with the most relevant to the employment context including: (i) processing necessary for performance of the contract between the company and the employee; (ii) processing necessary for compliance with a legal obligation; (iii) processing necessary for purposes of a legitimate interest by the controller; and (iv) processing with employee consent.

  1. Performance of Employment Contract. An employer may process most employee information on the grounds that the processing is necessary for the performance of a contract to which the employee is party,15 e.g., the "employment contract." The DPAs generally take a fairly strict view of what information is "necessary" for performance of the contract and make their determinations on a case-by-case basis. Data such as name, home address, date of birth, job title, department, terms and conditions of employment, supervisors, salary, appraisals, promotions, and reviews have been found to be necessary to the performance of an employment contract.16
  2. Compliance with Legal Obligations. An employer may also establish legitimacy if the data processing is "necessary for compliance with a legal obligation."17 For example, an employer may have a legal obligation to provide government authorities with information on tax and social security status and the number of days absent due to sickness. To the extent that such information is sensitive information under Article 8 of the Directive,18 such as data on specific illnesses, under many Member State laws it is also necessary to obtain consent from the individual, despite the existence of the legal obligation.
  3. Legitimate Interests of the Controller. An employer may process data if it is "necessary to meet the legitimate interests pursued by the controller or by a third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject . . ."19 For example, collection of certain information for employee performance assessment purposes may be considered a legitimate interest of the controller. Employers may not, however, use the data in a manner that would "unjustifiably prejudice the rights and freedoms of the data subject," and care should be taken in relying on this ground for processing.
  4. Employee Consent. At first glance, employee consent appears likely to be an employer’s simplest option for legitimizing its data processing practices as it could be drafted to cover all uses of the data without question. In most Member States, the consent would be opt-out consent, unless the personal information in question is sensitive, in which case a more onerous opt-in or affirmative consent is required. This method, however, poses significant issues for the employer. Whether "consent" may be freely given in the context of an employment relationship has been the subject of much debate among the Member States. Several Member States maintain the view that an existing employee cannot freely give consent. Moreover, the Working Party Opinion takes the view that:
where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data, it is misleading if the employer seeks to legitimize this processing through consent. Reliance on consent should therefore be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment.20

Accordingly, in the Member States that take this position, an employer who relies on consent to legitimize data processing in the employee context may face significant risks and should consider another ground for processing. In addition, this method may provide at best only a short-lived solution for an employer because employees may withdraw their consent at any time.

Collection and Use of Employee Data

  1. Proportionality. In addition to establishing grounds for legitimate data processing, the employee information an employer collects "must be adequate, relevant and not excessive" in relation to the purposes for which the data are collected and/or further processed.21 Thus, an employer must gather information and use it in the "least intrusive way." The concept of proportionality is closely related to legitimacy.
  2. Finality of Processing. Under the Directive, the employee data an employer collects must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.22 Thus, an employer may not use employee information collected for a legitimate purpose for any other "incompatible" purpose without the specific consent of the employee. For example, home addresses collected for payroll purposes should not be used for direct mailings without specific consent. An employer, however, would not be prohibited from using the data for a "compatible" purpose, such as calculating travel allowances.
  3. Notice. The Directive further requires the employer (a data controller) to disclose its identity, the purposes of the processing, categories of recipients of the data, and the right of access and correction.23 Thus, even if an employer’s processing is legitimized on the grounds that it is necessary to complete the contract and consent is not necessary, the employer may still have to provide notice to employees about what employee data the employer is collecting, both directly and from other sources, and how the information will be used. Therefore, companies should provide employees with appropriate disclosures about the collection and processing of their personal data.
  4. Accuracy and Retention. Under the Directive, personal data must be accurate and up-to-date.24 To comply with this requirement, an employer must take reasonable steps to ensure that employee data maintained by the employer meet these requirements. Moreover, the employer should not maintain data in a form that identifies specific individuals any longer than necessary for the purposes for which the information was collected or processed.
  5. Security. Under the Directive, an employer must institute technical and organizational measures to ensure that personal data are maintained securely and protected against unauthorized disclosure or access. Thus, an employer wishing to comply with the Directive will need to establish security procedures and access controls for employee data. Some countries have enacted regulations that set forth in exacting detail the particular technical and organizational security measures that must be implemented.
  6. Employee Access. The Directive requires that an employer provide each employee the right to access and correct information maintained about him or her.25 The Working Party Opinion shed light on this requirement by stating that employers must provide employees with access "without constraint at reasonable intervals and without excessive delay or expense."26 Access includes confirmation about whether data relating to the employee are being processed, the purposes of the processing, the categories of data concerned, and the recipient or categories of recipients to whom the data are disclosed. In addition, the Directive also requires that an employer permit an employee to correct, erase, or block data that do not comply with data protection law, for example, if the data is incomplete or inaccurate. The Article 29 Working Party Recommendation 1/2001 on Employee Evaluation Data,27 which provides that personal data includes "subjective judgments and evaluations," also recommends that employees be provided with notice about and afforded a right of access to such data.
  7. Other Requirements. In most Member States, an employer must inform the DPAs before the company may transfer information outside the EU to countries that do not provide "adequate" privacy protection, register the company’s database, and obtain the DPAs’ approval. In addition, the Directive sets forth many other requirements that an employer should consider, including prescribing specific rules where personal information has not been obtained from the individual and where automated individual decision-making and direct marketing are involved.

Employer Liability Under EU Law

For the most part, enforcement of Member State privacy laws is complaint driven. Employees who believe the law has been violated may bring a complaint either to the relevant DPA or to a court. Given the expense of bringing suit, the lack of contingency fees in EU countries, and the obligation in the EU for the losing party to pay both parties' fees, many individuals choose to bring their complaints to their DPAs.

An employer may be liable to an individual for compensatory damages as a result of unlawful data processing.28 Employers' possible liability differs significantly from Member State to Member State. For example, German law allows for a variety of penalties and remedies, including injunctions and orders to comply. The German law also provides for fines up to 255,000 euros (approximately US$275,000), and criminal penalties in extreme cases. In France, fines may be assessed up to a maximum of 45,000 euros (approximately US$48,500) and criminal penalties of imprisonment of not more than three years may be imposed. The UK law provides for a variety of sanctions similar to those described for the German law, including criminal penalties. The maximum fines in Spain are considerably higher and can be as much as US$500,000. In assessing their risks under European privacy laws, employers should also consider the injury to reputation and goodwill that may result if a serious privacy violation is publicized.

Transfers of Employee Information to Third Countries

In addition to covering the collection, use, processing, or disclosure of personal data within the EU, the Directive also requires Member States to restrict the transfer of personal data, including human resources data, to countries outside the EU that do not provide "adequate" data protection. Neither the Directive nor Member State laws define "adequacy," leaving a great deal of uncertainty about whether a particular privacy framework would be deemed "adequate" by the EU and whether information may continue to be transferred to it.

Article 26 of the Directive provides several exceptions that allow for international transfers of personal information where there is no "adequacy" determination in place for the relevant jurisdiction. These exceptions are similar to those that are provided by the Directive for legitimizing data processing in general and include situations where: (i) the data subject has given his or her unambiguous consent; (ii) the transfer is necessary for the performance of the contract with the individual; or (iii) the controller has entered into an appropriate contract, which, if individually negotiated, requires approval of the Member State DPA ("ad hoc contracts"), or which incorporates certain standard contractual clauses that have been approved by the European Commission ("model contracts"). Relying on these exceptions for cross-border transfers has significant drawbacks, however. These drawbacks are discussed below.

After the enactment of the Directive, concerns arose over whether the EU would grant the U.S. an adequacy determination, given the disparity between the EU and the U.S. approaches to privacy. Accordingly, in 1998, the U.S. Government and the European Commission began negotiations to develop an alternative basis for data transfers to the U.S. These resulted in the safe harbor privacy accord ("safe harbor"). The safe harbor provides another basis for transferring personal data to the U.S. in addition to the exceptions set forth in the Directive.

Employee Consent for the Transfer of Data

Employee consent for the transfer of personal data outside the EU is distinct from, for example, the consent required to disclose such data to third parties within the EU. Although the Directive requires "unambiguous" consent in both instances,29 if consent is relied on to legitimize disclosures to third parties within the EU, in some Member States an employer need only obtain opt-out consent (unless sensitive information is involved). Where consent is required to legitimize cross border data transfers from the EU to third countries, nearly all the Member States interpret unambiguous consent to require opt-in or affirmative consent. Many Member States also require the employer to inform the employee that the data will be transferred to a country that may not ensure "adequate" privacy.

As previously discussed, the view taken by some Member States that consent from existing employees is either suspect or invalid means that in those countries it is also a risky proposition for employers to rely on even opt-in employee consent for cross border transfers. At a minimum, employers that rely on employee consent will need to examine whether the Member State from which the data are to be exported accepts employee consent as a valid basis for legitimizing such transfers. The Working Party Opinion casts further doubt on the use of employee consent to legitimize transfers of employee data out of the EU. Given the uncertainty of whether employee consent may be relied upon in certain Member States and proposed legislation in others, employers wishing to transfer employee data to the U.S. (or other countries that do not meet the EU "adequacy" standards) may wish to consider relying on grounds other than employee consent for such transfers.

Information Necessary to Complete the Employment Contract

Employers who transfer employee information on the basis that it is necessary to complete the employment contract are limited in the purposes for which they may use the information once it is transferred out of the EU. Thus far, there has been no detailed discussion in the EU of what would be considered "necessary" in this context. As noted above, many Member States take a fairly narrow view of what is necessary to complete the contract. When relying on this ground for transferring employee information from the EU, employers should be cautious about using such information after it has been transferred to do more than pay employees and provide benefits. Using employee information for purposes such as creating an employee telephone list or tracking employee mobility and travel availability may not be permitted if a company relied on this exception in transferring the data.

The need to transfer for the purposes of performing a contract also extends to those cases where an agreement is concluded between an EU data controller and a non-EU third party involving a transfer to the third party if such transfer is carried out in the interest of the data subject. For example, a U.S. company with offices in the EU could use this as legal grounds to transfer data concerning its EU employees from the EU to a third-party company in the U.S. to enable such company to provide a health or pension scheme to its EU employees.

Contracts

Ad Hoc Contracts. Ad hoc contracts are individually negotiated contracts and are concluded between the data exporter in the EU and the data importer located outside the EU. In most Member States, these contracts must be approved by the relevant Member State DPA. In the employment context, the contract would be between the employer in the EU and its U.S. affiliate. Ad hoc contracts vary from country to country, but generally provide that the data must be processed consistently with the Directive and, in many instances, with the laws of the Member State from which the data are exported.

A major advantage of ad hoc contracts is that they have served as a legal basis for transferring personal data from Europe for over ten years and, therefore, provide a great deal of legal certainty for companies relying on them. Ad hoc contracts, however, have several significant disadvantages as well. While the purpose of the Directive is to harmonize data protection law throughout the EU, differences still remain among the Member States’ data protection laws. Consequently, when an employer relies on ad hoc contracts to legitimize the transfer of data from the EU, the employer or company would need to continue to track data received from the Member States by country of origin to ensure that the data are handled in compliance with the appropriate Member State data protection requirements. In addition, employers considering this option need to consider scheduling requirements because extensive delays may occur due to the approvals of ad hoc contracts that are required in many Member States. Approvals generally take a minimum of one to two months to obtain and may take longer if the DPA has questions about the transfer or the requisite forms were not completed properly in the first instance. Subsequent additional approvals also may be required, for example, if changes are made in the processing of or type of personal information collected.

Model Contracts. The Commission formally adopted model contract clauses for transfers of data from one controller to another controller located outside the EU30 in June 2001, and the clauses went into effect in September 2001. Many had hoped that model contracts, which are intended to provide one form contract usable in all EU countries and require no approval by individual DPAs, would create a workable and substantially more streamlined data transfer process. Unfortunately, it appears that the model contracts' drawbacks may outweigh their advantages.

The model contract clauses approved by the EU allow the data importer three different options. It may elect to comply with the national law of the data exporter, with the Mandatory Principles attached to the model contract31 or with a Commission adequacy decision, provided the company is located in the jurisdiction to which the decision applies and the company also complies with yet other mandatory privacy principles also attached to the model clauses.32 These options leave companies with a burdensome and potentially unworkable scenario. For example, if companies choose to comply with the national law of the data exporter and they have employees in several EU countries, as discussed above, companies may have to comply with multiple legal requirements of different Member States.

If companies elect to abide by the Mandatory Principles, they will be required to adhere to a higher standard than is required by the Directive. For example, under the Directive, information may be processed for the use for which it was acquired, as well as for any other compatible uses. The Mandatory Principles, however, more narrowly restrict uses of the information, allowing it to be used only for the specific purpose for which it was collected. Additionally, if companies choose to rely on the terms of a Commission adequacy determination, such as the safe harbor (discussed below), they have to "top up" and comply with stricter requirements than those set forth in the "adequacy" determinations. In both instances, companies will be limited in their uses of personal information so that it may only be used for the specific purpose for which it was collected, requiring employers to go back to their employees if they want to use employee data for purposes beyond those contemplated when the data were collected. In both instances, the companies' use of data would be more limited once the data are transferred from the EU than while the data are still in the EU.

The model clauses further require that: (i) the data subject be made a third party beneficiary of the agreement; (ii) the data exporter and data importer be jointly and severally liable for any damages; (iii) the data importer submit to audit by the data exporter or an inspection body selected by the data exporter (and where applicable, in agreement with the DPA); (iv) the data importer have security measures in place that are appropriate to the risk; (v) the data importer warrant that it "has no reason to believe" that the legislation applicable to the data importer prevents it from fulfilling its obligations under the contract; (vi) the governing law of the agreement is the law of the Member State where the data exporter is established; and (vii) the parties agree to the jurisdiction of the relevant Member State courts.

These onerous requirements potentially create a host of difficulties for companies that choose to rely on model contracts. For example, a U.S. company would have to agree to submit to the jurisdiction of the courts of each Member State from which data are transferred to it. Thus, the model clauses do little, if anything, to provide a less burdensome approach to data transfers from the EU to third countries than the other alternatives provided by Article 26 of the Directive.

Safe Harbor

As noted above, in response to the difficulties faced in satisfying the alternative grounds for data transfers provided under the Directive, the U.S. and the EU negotiated and adopted the safe harbor. Under the safe harbor, U.S. companies that voluntarily decide to adhere to the self-regulatory safe harbor framework will be deemed "adequate" and data flows from the EU to such companies may continue.

The safe harbor provides several advantages not provided by the other legal grounds for transferring data from the EU. First, because all 15 Member States are bound by the EU adequacy determination, an employer that chooses to adhere to the safe harbor generally is subject to one privacy regime for all EU personal data that are transferred to the U.S. Second, the safe harbor provides a more streamlined approach for data transfers from the EU and makes those transfers less expensive and bureaucratic because the safe harbor eliminates the need for prior approvals or makes such transfers automatic. Finally, the safe harbor principles also more clearly reflect the U.S. approach to privacy and to some extent moderate requirements of the Directive. Given the many disadvantages of transferring data from the EU under the provisions previously discussed, many companies are considering the safe harbor as the legal basis for transfers of personal data from the EU to the U.S.

General Safe Harbor Requirements. For a U.S. employer to be eligible for the safe harbor, it must be subject to the jurisdiction of a "government body which is empowered to investigate complaints and to obtain relief against unfair and deceptive practices ... in case of noncompliance with the [safe harbor] Principles."33 At present, only the Federal Trade Commission ("FTC") (under Section 5 of the Federal Trade Commission Act) and the Department of Transportation ("DOT") (under 49 U.S.C. Section 41712, which covers air carriers)34 satisfy this requirement, as only they have been recognized by the European Commission.35 Therefore, only employers subject to the jurisdiction of one of those two agencies are eligible to join the safe harbor. Financial services institutions that are subject to the jurisdiction of the banking regulatory agencies, and telecommunications common carriers (which are subject to the jurisdiction of the Federal Communications Commission), are not eligible for the safe harbor at this time.

An organization must publicly declare in its privacy policy statement that it adheres to the safe harbor in order to participate. To be assured of safe harbor benefits, an employer also should self-certify to the U.S. Department of Commerce. The Department of Commerce maintains and makes public a list of all organizations that file self-certification letters.

To be compliant, employers must comply with the complete safe harbor framework.36 The operative framework includes the safe harbor principles and the accompanying 15 frequently asked questions ("FAQs"),37 as well as the European Commission's decision finding the safe harbor adequate. The safe harbor applies to both consumer and employee information. Furthermore, FAQ 9 specifically addresses human resources issues.38

While the safe harbor bears similarity to the Directive in many respects, it also provides more flexibility than the Directive. Similar to the Directive, the safe harbor principles require an employer to provide employees with notice of the purposes for which information about them is being collected, the types of third parties to which the information is disclosed, and the means for limiting the use and disclosure of the information. An employer must give employees the opportunity to choose (opt out) when their personal information may be used for an incompatible purpose or disclosed to a third party other than an agent of the employer. For sensitive information, an employer must obtain affirmative opt-in consent.

The access requirements are less restrictive and provide explicit and extensive exceptions. The safe harbor limits the right of access with a "reasonableness" standard that is not included in the Directive. The right of access may be limited if "the burden or expense of providing access would be disproportionate (unreasonable) to the risks to the individual's privacy in the case in question or where the rights of persons other than the individual would be violated."39 Thus, an employer would have some flexibility in providing employee access to information. Finally, there is no requirement to appoint a data protection officer or to register databases, as there is in some Member States.

Consistent with the safe harbor's self-regulatory approach, companies that adhere to the safe harbor are required to make available a dispute resolution mechanism for investigating and resolving individual complaints, as well as procedures for verifying compliance. An employer also is required to remedy problems arising out of a failure to comply with the safe harbor, and sanctions must be severe enough to ensure compliance.

The dispute resolution, verification, and remedy requirements can be satisfied by an employer in different ways. For example, a company may choose to comply with a private sector privacy seal program that incorporates and satisfies the safe harbor principles. Alternatively, a company may satisfy the dispute resolution and remedy requirements by committing to cooperate with the DPAs located in the EU.

Safe Harbor Requirements Specific to Human Resources Data. Although employment data falls within the general purview of the safe harbor, the safe harbor subjects employment data to additional requirements. For example, with respect to employment data, employers have no choice but to agree to cooperate with the DPAs for the complaint resolution mechanism. In addition, in some instances, national requirements may continue to "run with" the data even after they are transferred from the EU to the U.S.40

FAQ 9 makes clear that primary responsibility for the data remains with the company in the EU. Therefore, even if an alleged mishandling of personal information involving a breach of the safe harbor framework takes place in the U.S. and is the responsibility of the U.S. organization, the employer in the EU would remain primarily liable. Although somewhat unorthodox, this approach does reflect the reality of how many companies would choose to deal with data protection compliance even after EU employee data are transferred from the EU to other countries. Many if not most companies would prefer that employees based in the EU address their data protection concerns first to the EU company, which will be far more familiar with the employee(s) and local requirements. At the same time, in the view of many companies, the safe harbor leaves employers in a better position than they would be if they had to rely on a model contract, with its more restrictive requirements, or on ad hoc contracts, with their burdensome requirements.

Employer Evaluation of Employee Data Practices

Any company operating in the EU has to comply with all relevant Member State data protection laws. A company should, therefore, know what information relating to its employees it collects and how such information is used, and should catalog that information and those uses. Special attention should be paid to any information collected that is considered sensitive information,41 because it requires special handling. Once a company understands what data it collects from its employees, it should examine the purpose(s) for collecting the information to ensure that it has specified, explicit, and legitimate purpose(s) for such collection, so that the Directive's stringent "necessary" standard is met. When examining its practices, an employer should also take into account that the proportionality requirement bars collection and use of information that is excessive in relation to the purposes for which it is collected. Thus, all information must be tested against these standards, and any "nice to have" but unessential information should not be collected.

A company must put adequate procedures in place to ensure the accuracy of information and purging of information no longer required for the purposes for which it was collected. To comply with the notice requirement, a company should assess its practices and create appropriate descriptions of what the company collects about its employees and how such information is used and disclosed, and provide these descriptions to employees. In certain instances, it may be necessary for an employer to obtain informed employee consent.

Further, the company should evaluate its technical and organizational measures for ensuring that employee information is protected against unauthorized disclosure or access and also ensure that appropriate training is in place for staff members who have access to personal data of other employees. An employer may want to consider employment contracts that include confidentiality clauses for staff members handling employee data.

Finally, the company should ensure that it is in compliance with DPA registration requirements in those Member States in which the company has employees and that require registration.

Assessing the Legal Ground(s) for Transfer of Employee Data from the EU

As part of its employee data collection and use inventory, a company should review whether it transfers any employee data to the U.S. or other third countries that have not been declared "adequate" by the European Commission.42 If a company does, indeed, transfer data to the U.S., the company should determine the most practical ground on which it will transfer such information, e.g., ad hoc contracts, model contracts, or consent, and bring itself into compliance with the requirements of the chosen ground.

Ongoing Considerations

Finally, given the intense discussion on collection and use of employee information currently underway in the EU and many Member States, companies should routinely monitor new developments and adjust their procedures accordingly. For example, responses to the recently issued Consultation Document likely will play an important role in shaping an initiative at the Community level and, therefore, affect Community employment data practices.


Footnotes

1: Any reference to the EU should be understood as referring to the territory of the European Economic Area (EEA). The Member States are Belgium, France, Germany, Iceland, Italy, Liechtenstein, Luxembourg, the Netherlands, Norway, Denmark, Ireland, the United Kingdom, Greece, Spain, Portugal, Austria, Finland, and Sweden.

2: Four countries have been determined to provide adequate data protection: Switzerland, Canada, Hungary, and the United States through the voluntary self-regulatory system called the Safe Harbor.

3: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 0031-0050. The Directive took effect in October 1998.

4: Personal information is defined as information relating to an identified or identifiable natural person.

5: See Directive, Article 1.

6: See id., Article 3.

7: See id., Article 8.

8: See id., Article 28.

9: See id., Article 18.

10: See id., Articles 18 and 19.

11: See id., Article 2(a).

12: For example, the Spanish registration form contains categories for employee management, management of payrolls, employee training, social security, and recruiting. The Working Party Opinion (as defined in the text) also gives examples of employment records covered by the Directive, which include: "[a]pplication forms and work references, travel, payroll and tax information, tax and social benefits information, sickness records, and annual leave." See infra note 14.

13: See Directive, Article 7.

14: Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context, September 13, 2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp48en.pdf.

15: See Directive, Article 7(b).

16: In some Member States, what is necessary for performance of the employment contract may be interpreted more strictly than in others. In those states, companies should consider establishing additional legal grounds for processing employee data, such as employee consent.

17: See Directive, Article 7(c).

18: See supra note 7 and accompanying text.

19: See id., Article 7(f).

20: See supra note 14.

21: See Directive, Article 6.1(c).

22: See id., Article 6.

23: See id., Articles 10 and 11.

24: See id., Article 6.1(d).

25: See id., Article 12.

26: See supra note 14.

27: See Article 29 Data Protection Working Party Recommendation 1/2001 on Employee Evaluation Data (5008/01/EN final), adopted 22.3.2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp42en.pdf.

28: See Directive, Article 23.

29: See id., Articles 7(a) and 26.1(a).

30: See Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, O.J. (L181/19) of 4.7.2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/news/1539en.pdf. The Commission is also in the process of considering standard contractual clauses for the transfer of personal data to third countries from a data controller to a data processor. See Draft Commission Decision (version 31 August 2001) on standard contractual clauses for the transfer of personal data to data processors established in third countries under Article 26(4) of Directive 95/46, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp47en.pdf.

31: See id., Commission Decision 2001/497/EC of 15 June 2001, at Appendix 2.

32: Id., at Appendix 3.

33: See Section 314 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Interpret and Obstruct Terrorism (USA PATRIOT ACT) of 2001, Pub. L. No. 107-56 (2001).

34: See Article 1(2)(b) of the Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the U.S. Department of Commerce, available at http://www.europa.eu.int/comm/internal_market/en/dataprot/adequacy/dec2000520ec.pdf.

35: The EU wanted to ensure that a government body (state or federal) would provide safe harbor enforcement in the event that self-regulatory mechanisms did not operate appropriately. To date, only the FTC and DOT have agreed to enforce the safe harbor principles. Unless the banking regulators agree to enforce the safe harbor principles, U.S. financial institutions regulated under the banking statutes will not be eligible to participate in the safe harbor.

36: The European Commission requests that U.S. agencies provide a letter stating that they will enforce the safe harbor framework. As the Annex attached to the safe harbor principles indicates, only the FTC and DOT have done so.

37: The principles, FAQs and other safe harbor documents can be located at www.export.gov/safeharbor.

38: The 15 FAQs provide further guidance that clarifies and supplements the safe harbor principles on issues such as access, publicly available information, and public record information, as well as sector-specific guidance for information processing by medical, pharmaceutical, travel, and accounting firms.

39: FAQ 9 states explicitly that the safe harbor applies to the transfer of human resources data.

40: Safe Harbor Privacy Principles, July 21, 2000, available at http://www.export.gov/safeharbor/SHPRINCIPLESFINAL.htm.

41: See supra note 7 and accompanying text.

42: Adequacy determinations have been reached for Hungary, Switzerland, and Canada, and for the United States through the voluntary self-regulatory system called the safe harbor.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved