A recently reported enforcement decision in France serves as a stark warning to multinational corporations that the net is closing in on those who continue to flout the EU's data privacy laws and demonstrates that the data protection authorities are far from "paper tigers" and are now beginning to reveal their claws.
Following a decision in December 2006, the French data protection authority (La Commission Nationale de l'Informatique et des Libertés (CNIL)) has fined Tyco Healthcare France ("Tyco") €30,000 for, amongst other things, improperly transferring employee personal data to Tyco's headquarters in the US. Whilst the fine is unlikely to unduly worry Tyco's accountants and is reportedly only the second the CNIL has ever issued for breach of French data protection laws, it is nevertheless indicative of the recent drive by European data protection authorities to more aggressively enforce the EU's data protection regime.
A common phenomenon
The implementation of tools to help a firm consolidate and administer human resources functions is not a new concept. Indeed, such tools might even be considered "necessary" by some firms to stay competitive and increase efficiency. Like many others, Tyco had implemented a global human resources database which, as required by French law, it had registered with CNIL. Having done so, however, CNIL took exception to the broad statement that Tyco engaged in "data collection and processing for the purpose of ‘managing the careers of [Tyco's] international employees'". When requested by CNIL to elucidate this by giving exact descriptions of the purposes for which the information was sought, exact places of installation of servers and systems, exact recipients of the data and safety measures applied to such data as well as details of precise cases in which data was transferred to the US, Tyco declined to respond. Several times.
After Tyco subsequently informed CNIL that it had suspended use of the database pending a corporate reorganisation, CNIL, presumably frustrated by Tyco's lack of cooperation, flexed its authoritative muscle and conducted an on-site investigation at Tyco Healthcare France.
In addition to finding that Tyco was in fact still using the database, CNIL also found that Tyco was using the database to manage a much broader range of information than had previously been disclosed by Tyco when initially seeking to register the database. Importantly, CNIL found that Tyco was using the database to transfer employee personal data to the US even though CNIL's approval for such cross-border transfer hadn't been sought. Concluding that "Tyco Healthcare France has clearly not understood the gravity of the failures of which it is accused concerning its lack of cooperation and transparency", it promptly issued the €30,000 fine.
The European Data Protection Supervisor, responsible for overseeing implementation and enforcement of the EU Data Protection Directive, recently listed strengthening the enforcement initiatives of EU Member States as an area of particular importance — a call that is being heeded by national data protection authorities. In the UK, the Information Commissioner has been lobbying the Home Affairs Committee for greater enforcement authority and auditing powers and recently deferred to the Financial Services Authority's greater powers to implement sanctions in the case of a data privacy breach caused by a lost laptop by the Nationwide Building Society which saw a fine of £980,000 being issued. Such increased enforcement of the EU data protection laws is further evidenced by the Hellenic Authority for the Information and Communication Security and Privacy fining Vodafone €76 million over a wiretapping scandal in December 2006.
Enforcement cases of this kind are obviously on the up. It is paramount, therefore, that multinational companies take heed of Member States' more aggressive enforcement strategies and learn from Tyco's mistake. Generally speaking, accessing your own European employee personal data, or other personal data, from outside the EU is prohibited by law. Multinationals should therefore implement strategies to legitimise such transfers as a matter of urgency, for which there are a number of options. These include signing up to Safe Harbor (for transfers from the EU to the US only), implementing a web of Model Contractual Clauses for the transfer of data from each EU subsidiary to the US, or implementing a set of Binding Corporate Rules (BCRs) to enable the seamless transfer of such data throughout the company's worldwide operations. The latter is arguably the method of choice for large global companies, particularly with the recent publication of a streamlined application procedure for the approval of BCRs, and is the means by which large corporations such as General Electric, Daimler-Chrysler and, most recently, Philips have opted to deal with the issue of transferring employee data cross-border.