A landmark decision of the European Court of Justice (ECJ) has held that companies may no longer rely on “Safe Harbour” to justify transferring personal data from the European Union to the US, because the US Government has a right of access over all data held in the US. The decision related to user data held by Facebook, but the decision has ramifications for multinational employers who hold employee data on US HR information systems, or transfer data in order to make management or HR decisions in the US.
Below, we answer some common questions from clients.
Does the ECJ’s decision apply in all of the European Union member states?
Yes, the ECJ decisions apply to all European member states with immediate effect. The ECJ decided that the national data protection authorities in each of the member states should make their own decision as to whether “safe harbour” is in fact “safe” — rather than relying on the Commission decision of 2000 which approved “safe harbour” for transfers from all the EU countries to the US. This means each authority can now take a different view: some authorities (like the UK Information Commissioner) are typically more pragmatic, while other authorities take a stricter approach (such as the French CNIL or the Data Protection Commissioners in Germany).
Does a case concerning the personal data of a Facebook user apply in the employment context?
Yes, the same data transfer principles apply whether transferring customer or employee data. However, the risk in practice of challenge by employees is always lower than when handling external data. It is difficult to see on what basis damages could be assessed for the transfer of data in an employment context.
We don’t rely on Safe Harbour - does this case apply to other forms of transfer?
Safe Harbour is just one of the permitted routes for transferring personal data outside the EU. Other methods include consent, binding corporate rules and EU model clauses. Given the US Government has a right of access over all data held in the US, there is a question over whether employees could also challenge these other transfer routes.
Employers could also continue to transfer personal data to the US under one of the other exceptions, for example:
- The employee’s informed consent to the transfer. However, an employee’s consent can be revoked at any time, and it is questionable whether an employee’s consent can ever be freely given in the employment context, even at the time of recruitment before the individual becomes an employee.
- The transfer being necessary for the performance of relevant contractual obligations. This could include an employer’s obligations under the employment contract (for example processing salary and benefits), although there may also be an argument that the transfer to the US is not the only way in which these obligations could be carried out.
What should we do now?
The Information Commissioner’s Office (“ICO”) in the UK has said that employers relying on Safe Harbour should review their approach, but acknowledges that it will take employers time to do this. It also stated that it will be working with its European colleagues to produce consistent guidance following the ECJ ruling. Although employers will want to look into alternative options for transfer, none is failsafe. A more pragmatic option is likely to be to limit transfers of the most sensitive employee personal data and to wait for consistent guidance from the national Data Protection Commissioners — and for the EU and the US to finally agree a new Safe Harbour framework, which was under negotiation even before this ECJ decision. This may however not be achievable in practice.
Extension of shared parental leave and pay to working grandparents
The UK Chancellor has announced that shared parental leave and pay will be extended to working grandparents. This will increase flexibility and choice in parental leave arrangements for working parents. The government plans to implement legislation governing this change by 2018, and it will consult on the details of this new scheme during the first half of 2016.
New FCA and PRA whistleblowing rules
The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have issued new policy statements on whistleblowing. The new rules aim to encourage a culture in which individuals feel able to raise concerns, for example requiring employers to establish an internal whistleblowing channel and expressly stating in settlement agreements and employment contracts that employees are still free to “blow the whistle”. The new rules apply to deposit-takers with over £250 million in assets, PRA-designated firms and insurers subject to the Solvency II Directive among others. The rules come into force on 7 September 2016, other than the requirement to appoint a senior manager as a “whistleblowers’ champion” which comes into force on 7 March 2016.
New rules relating to employee representation in France
A new law on employee representation was recently published in France (Loi Rebsamen of 17 August 2015); however, many measures of the law were subject to the publication of regulations, known as implementation Decrees. The French government has now announced these Decrees will be published from this month until as late as March 2016. Among the important changes expected to be published in the Decrees this month are several changes impacting employee representation at company level. More flexibility should be granted to works council meetings, such as allowing meetings to be held by video conference. Further rules on the recording and drafting of minutes of meetings will be issued, and more importantly the Decrees will regulate how soon the Works Council must issue an opinion to close the consultation when there are several co-existing works councils, a thorny area of employment law in France. We will keep you updated in due course.