EU Data Security Requirements

Executive Team:

Attached is the report on EU regulations for the storage and processing of data you requested. Because our plants are limited to two locations (Brussels, Belgium, and here in Austin, Texas), we advise using the safe-harbor system. As we expand globally, however, a system of BCRs will be ideal.

SCOPE

The scope of this report is to understand the various laws with which our HR department must comply when transferring data internationally. While the laws of each individual nation cannot be explored, we can examine the frameworks put in place by the EU and the requirements they impose on each multinational corporation that gathers HR data in Europe. Four different methods of complying with the EU’s regulations are provided, as are recommendations for when to use each.

EXECUTIVE SUMMARY

No unified international framework exists regarding the storage and usage of HR data. Privacy rights regarding HR data, therefore, are creatures of local law which vary from jurisdiction to jurisdiction. Local data privacy laws vary in the amount of protection they require for HR data, ranging from laws which require no protection of data at all (many developing nations have not explored the area of data privacy) to laws which vest fundamental human rights in an individual over his or her own personal data (such as those enacted by certain EU member states). The US has adopted a standard somewhere in the middle of this continuum: no protection is required except for very specific types of data, HIPAA protection of medical records being an example. Outside of specifically enumerated exceptions, however, the US favors a “free flow of information.” Despite US preferences, large companies with employees operating globally often find that it makes sense to adopt the most stringent set of data-protection requirements and apply those across the board. Using the “European Union Directive on the Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement of Such Data” (hereafter, the DPD) as our model, we will examine the four major areas the DPD regulates: Data Quality, Data Legitimacy, Data Confidentiality, and Data Transfer. The final step in our analysis will be to examine how a non-EU member state can utilize HR data gathered from European employees.

HR data is unique in that it can be used to uniquely identify a person. Besides identification, however, HR data often reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and … health or sex life” (EU DPD, Chapter 2, § 3, Article 8). A growing international consensus holds that this data simply feels “private,” and that it should not be accessible without permission.

The DPD internally restricts the manner in which HR data may be processed. In order to ensure this data is not processed improperly outside of the EU, the DPD presents several hurdles for HR departments wishing to process data gathered from European employees. While the DPD explains each requirement thoroughly, this paper will concentrate on the “broad strokes” of the DPD and their implications.

The requirements imposed by the DPD may be divided into four categories: Data Quality, Data Legitimacy, Data Confidentiality, and Data Transfer Requirements. The first, and easiest to understand, are called “data quality principles.” Data quality principles, as defined in Article 6 of the DPD, require that HR data be relevant to the purposes for which it is used, nothing more and nothing less (EU DPD, Chapter 2, Article 1, § 6). To ensure data quality, data subjects are given the right to correct errors and to object to data gathered for marketing purposes.

The second set of rules, those pertaining to Data Legitimacy, require acquiring the consent of the person the HR data identifies. Exceptions in this area are provided only if other laws affirmatively require a data controller to gather the data. The rules on mandatory disclosure of data to its subject also fall into this category.

Rules on Data Confidentiality, the third category, require the use of technology to protect against “loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing” (EU DPD, Chapter 3, Article 8, § 17). These rules require specific contractual obligations for data processors and data controllers.

The final set of rules is concerned with the transfer of HR data from an EU member state to a non-EU country. These are among the most important provisions of the DPD for HR managers to be aware of, specifically because “EU data law reaches even internal, confidential HRIS information about company employees transmitted only to the company’s US headquarters” (Dowling, 5). The DPD regulates all HR data from gathering to storage to erasure.

Under DPD Article 25, HR data may be sent to any non-EU country which “ensures an adequate level of [data] protection” (EU DPD, Chapter 4, Article 25). So far, over 39 nations, including Russia and Dubai, have adopted DPD-style legislation, and this number will only grow as the EU model of data protection spreads (Harris, 2).

Countries which do not fulfill the EU’s laundry list of requirements, such as the US, do not qualify to receive HR data under DPD Article 25. The DPD does, however, supply several legally valid methods that allow countries with less strict data protection laws to utilize data gathered from European data subjects. Two of these methods are enumerated in DPD Article 26; however, both apply only in very specific circumstances. The first way around the DPD is for the data subject to unambiguously consent to the data’s transfer. While this sounds like a simple workaround, most EU member states view such consent as coerced by the employer due to an “imbalance of bargaining power” (Dowling, 6). For this reason, DPD 26.1.a is rarely invoked.

DPD sections 26.1.b through 26.1.d recognize that HR data transmission may be contractually, or otherwise legally, required. To qualify under these sections, the data must not only be part of a contract; the transmission must also be necessary, and courts, again, rarely see the transmission of protected data as necessary.

While the previous workarounds are limited, three viable methods of transferring HR data from the EU exist. One of the simplest is a special safe harbor provision designed to work specifically with US businesses. If an American company agrees to adopt EU-style data protection policies and files a one-page form with the Department of Commerce, the company becomes free to receive transfers of protected information. The safe harbor has one glaring weakness, namely that it applies only to an “EU-to-US HRI system” (Dowling, 7). Any offices outside of the US or EU are unable to receive EU data through the safe harbor, even if they are part of the same company.

Binding Contractual Clauses, or BCCs, are in most cases the optimal way to make sure data can flow between the EU and non-EU countries. BCCs are non-negotiable contracts of adhesion drafted by the EU Commission which allow an individual European branch of a corporation and an individual corporate receiving office to decide whether or not to adhere to the EU DPD’s requirements. This is particularly useful for companies with an international presence that extends beyond the United States and Europe (Dowling, 9), as the company’s Asian offices may need access to, say, a British office’s HR records. Each BCC is a bilateral contract between the EU member state and a non-EU country, so each global corporation will require multiple BCCs. Correctly used, however, BCCs create a usable, if unwieldy, legal framework in which multinational corporations may share data between offices.

Binding Corporate Rules (BCRs) provide the final method through which data may be legally transmitted from the EU to non-EU member states. A BCR allows a company to bind all of its global branches to following EU-style data protection. Once the BCR is in place, the company may freely share HR data between its branches. BCRs are expensive and difficult to implement. In 2006 GE became the first company to utilize BCRs (Dowling, 11).

Sources

1. Dowling, Donald C. "Global Human Resource Information Systems and HR Data Privacy Law in Europe: A Guide to the Legal Issues." Employment Law Update (2007): 1-14. Print.

2. Harris, Donald F. "Trends in Global Privacy Environment." IHRIM.link Aug/Sept (2007): 30-31. Print.

3. Bond, Robert. Data Protection Laws. Rep. SpeechlyBircham. Web. 01 Nov. 2009.

4. OECD. "OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data." Organisation for Economic Co-Operation and Development. OECD, 6 June 2003. Web. 2 Nov. 2009.

5. Official Journal of the European Communities of 23 November 1995 No L. 281 p. 31.

6. Dowling, Donald C. "Global HRIS and EU Data Privacy Law Compliance." Global HR Hot Topics (May 2007). White and Case LLP. Web.

7. Federal Trade Commission. Protecting Personal Information: A Guide for Business. Rep. Federal Trade Commission. Web. 29 Oct. 2009.

8. Gordon, Phillip. "New Nevada Law Mandates Encryption of Sensitive HR Data." Workplace Privacy Council. 15 June 2009. Web. 28 Oct. 2009.

9. AccessData Corporation. Using SilentRunner in Compliance with EU Privacy Laws. Accessdata.com. Web. 28 Oct. 2009.

10. E.U. "Frequently Asked Questions Relating to Transfers of Personal Data From the EU/EEA to Third Countries." http://ec.europa.eu/justice_home/fsj/privacy/docs/international_transfers_faq/international_transfers_faq.pdf. E.U. Web. 1 Nov. 2009.

MEDIA: “Data Privacy: Your Digital Life.” http://www.youtube.com/watch?v=mCOMEVOVRho