For the first article of this blog, the Proskauer International Labor Group has decided to focus on this tricky question, since we know that our friends and clients with an international presence face various issues when it comes to trying to comply with all the different local regulations on data privacy.
The globalization of our economies compels companies to collect, transfer and store HR personal data in the regular course of business. However, this kind of data concerning employees’ private life is very sensitive and governments are increasingly passing laws to protect personal data.
That is the reason why we chose to give an overview of the applicable regulations in various jurisdictions, namely the European Union, the United States, Canada and India, to provide a comprehensive understanding of the principles of data protection in each of them.
So far, personal data in Europe is regulated by a Directive of October 24, 1995. As opposed to an EU regulation, which is automatically binding in all 27 Member States, a Directive sets forth the final goals to achieve, and it is therefore incumbent upon each country to adapt its own legislation to reach that standard. That means that slight differences may still exist between European Member States with respect to data protection laws. It is noteworthy that the current regulation is undergoing negotiations, which could result in an EU regulation that would supersede the existing laws.
According to the current applicable Directive, employers must:
- Comply with the following 7 principles:
  - Fairness: all data must be processed fairly and lawfully;
  - Specific purpose: data collected for one purpose cannot be used for another end (e.g. data collected for calculating employees’ overtime cannot be used for checking employees’ access to and departures from the company);
  - Restriction: the data collected must be adequate and relevant;
  - Accuracy: the data must be kept up to date;
  - Destruction when obsolete: data cannot be kept longer than needed;
  - Security: data should be secured;
  - Automated processing: decisions cannot be based solely on automated data processing.
- Inform their employees about the data processing implemented.
- Ensure that their employees can access and rectify their personal data.
- Report their data processing to the local Data Protection Agency (e.g. in the UK, companies must file annual reports documenting all personal data processing activities; in France, certain data processing, such as payroll databases, is exempted from filing, and companies can appoint data protection officers to be exempted from various reporting obligations).
- Legally collect personal data, i.e. obtain the employee’s consent or prove notably that the processing is necessary to perform a contract, to comply with the law or to protect the data subject’s vital interests.
- Make sure that they are entitled to transfer personal data outside the EU. According to the EU Directive, personal data cannot be transferred to a country which does not offer an adequate level of protection. So far, 13 countries are considered by the EU to meet those standards (Argentina, Andorra, Canada, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Switzerland, Iceland, Norway, Liechtenstein, Uruguay and Israel).
If a company wants to transfer personal data to a country which is not regarded as offering an adequate level of protection, it is recommended:
- to enter into the model contractual clauses established by the EU;
- to enter into Binding Corporate Rules, which enable a free flow of data within the same group, regardless of the location of the different companies of the group;
- to adhere to the Safe Harbor framework if the data is exported to the US.
Speaking about the US, it is noteworthy that, as opposed to the EU, which has an omnibus data protection law, the US has adopted a sectoral approach by regulating only certain types of personal data.
Although at present there is no overarching personal data protection regime in the United States, the Stored Electronic Communications Act (“SCA”) and the Computer Fraud and Abuse Act (“CFAA”) do provide a measure of protection for employees’ privacy interests in personal information stored in electronic format, for example in email accounts. However, this protection often must yield to employers’ substantial rights to monitor and access files and documents stored on company computers, and is further compromised by an employee’s reduced expectation of privacy with respect to information stored in the workplace, particularly because company officers and supervisors are afforded access to such files and information. The right to monitor such employee-created communications and documents is further strengthened when employees have been informed that they have no expectation of privacy. Usually this notice is communicated via an appropriate policy contained in an employee handbook, which the employee is asked to affirmatively acknowledge and agree to comply with.
Employers in many states are required to allow their employees access to their own medical and personnel records. Some states, however, exempt certain records from mandatory disclosure, such as reports concerning job references, records relating to a possible criminal offense, records obtained prior to an employee’s employment, and supervisors’ notes.
Additionally, several states have enacted statutes expressly intended to safeguard the confidentiality of employee personnel files and that set forth specific procedures that third parties must adhere to in seeking to obtain employment records. For example, in California, an employer who has been sued by a former employee and that wishes to obtain the employee’s personnel file from his or her former employers must first provide the employee with notice of intent to seek such documents, which affords the employee the opportunity to object to the records request. Moreover, employment records may also be protected under state or federal constitutions, as well as principles of common law. In weighing a third party’s demand for access to employment records, courts balance the third party’s need for the information against the employees’ privacy claims. Where employee files are discoverable, judges may often issue a protective order limiting discovery to relevant documents and allowing for the redaction of personal information, such as addresses and Social Security numbers.
Under the federal Occupational Safety and Health Act (OSHA), employers are required to maintain employee medical records including, for instance, medical questionnaires, results of examinations, and records of employee complaints regarding safety issues. Employees and their designated representatives must be afforded access to such records. An affirmative obligation is imposed on employers to notify their employees, at the time of hiring and annually thereafter, of their right to access these records and of the steps that must be taken in order to avail themselves of this right. Employees also have the right to access an employer’s complete OSHA log regarding accidents, including the names of employees whose identities an employer is not obligated to keep confidential.
Data protection in Canada is governed by an overlapping patchwork of federal and provincial laws that often proves difficult to navigate. The determination of whether federal or provincial law applies hinges on an analysis of the commercial activities of a particular organization. The overarching federal data protection law in Canada is known as the Personal Information Protection and Electronic Documents Act (“PIPEDA”). This federal law applies to all personal data that is processed by an organization in the course of “commercial activities.” However, it bears noting that, with respect to human resources personal data, PIPEDA only applies to organizations that are engaged in activities that are deemed to be federal in nature and, therefore, under the legislative authority of Parliament. In practice, this means that only organizations that operate in such areas as banking, inter-provincial or international transportation, aviation, telecommunications, and radio or television broadcasting, among others, are obligated to comply with PIPEDA’s employee personal data protection regime. Organizations not falling within the above-listed categories may still be subject to Canadian privacy laws regarding the use, collection, and disclosure of human resources data on the basis of provincial laws in force in three provinces, as further discussed below.
The definition of “personal information” is broad, similar to the EU definition of “personal data,” in that it encompasses any “information about an identifiable person.” Notably, however, the name, title, business address or telephone number of an employee of an organization are categories of data that are excluded from this definition.
Under Schedule 1 of PIPEDA, employers must adhere to the following ten fundamental privacy principles:
- Accountability: An employer is ultimately responsible for personal information pertaining to employees that are under its control. Accordingly, an employer must designate an individual who will remain accountable for the handling of such data and for the organization’s compliance under PIPEDA.
- Identifying Purposes: At (or before) the time that it collects personal information from employees, the employer must inform the employees why it is necessary to collect their information.
- Consent: Subject to certain exceptions, in order to collect, use, and/or disclose personal information, the company must obtain the employee’s consent.
- Collecting Limitation: The collection of personal information should be undertaken in a fair and lawful manner, and only that information which is necessary for the purposes articulated should be collected.
- Limiting Use, Disclosure, and Retention: Absent consent of the employee (or a compelling legal justification), employers may use or disclose personal information only for the purposes for which it was collected.
- Accuracy: Employees’ personal information should always be accurate, complete, and up to date.
- Security Safeguards: Appropriate security safeguards must be in place in order to adequately protect the personal information used or disclosed.
- Openness: An employer’s personal information policies should be affirmatively communicated to employees such that all employees are put on notice of the existence of such policies.
- Individual Access: Subject to certain exceptions, employees must be able to access their personal information and make changes as necessary to rectify any inaccuracies.
- Compliance Control: Employers should have in place a mechanism by which an employee may raise a complaint about the employer’s treatment of personal information. Such complaints ought to be directed to an appropriately designated person within the employer’s organization.
An organization is not subject to PIPEDA if it is not a federal undertaking under the legislative authority of Parliament and operates in the provinces of British Columbia, Alberta, or Quebec, all of which have enacted Personal Information Protection Act (“PIPA”) statutes, which provide robust privacy protections and are substantially similar in scope and content to the privacy principles set forth in PIPEDA. Should an organization collect, use, or store employee personal data in any one of these provinces, it will likely be bound by one of these acts’ provisions. On the other hand, where an organization processes personal information in a province other than the three listed above, and is not a federal undertaking operating under the legislative auspices of Parliament, it will likely not be subject to an overarching law governing how such data is to be treated.
It should be noted that the definitions of “personal data” vary slightly among the provincial statutes. For example, the definition of “personal information” contained in the Alberta PIPA has been amended to include former employees, and not just current or prospective ones. In addition, the definition of “employee” under the Alberta act has been expanded to include “partners, directors, offices, or something else.” That said, the three provincial statutes have been deemed to be “substantially similar” to PIPEDA and contain many of the same principles.
In India, the government issued the Information Technology Rules in 2011. Like the EU Directive, the Indian privacy law applies to personal data and to sensitive personal data (such as passwords; bank, credit card or other financial account information; physical and mental health condition; sexual orientation; medical records and history; or biometric information).
The Indian law mirrors the EU Directive in that it also obliges companies to ensure:
- that employees are informed about which data is collected, for which purpose, and who the data controller is;
- that employees have the possibility to access and correct their data;
- the security of the data collected. Concretely, that means that companies have to implement information security programs. The law recognizes the ISO 27001 security standard as an acceptable standard.
A particularity of this new regulation is that when a company discloses personal data to a third party, it must first obtain the employee’s consent, except where the data is disclosed to a government agency in the case of an offense.
In light of the foregoing, it appears that, to establish effective data privacy policies, multinational companies must comply with local law requirements. As a result, it is not recommended to implement global policies, unless they remain very general, because companies, in trying to comply with certain local obligations, can put themselves in breach of other local requirements. It is therefore highly advisable to check local laws before applying global policies and, where possible, to have data privacy policies per geographical area.