Data protection issues are particularly challenging in the employment context, as businesses hold substantial amounts of personal data regarding their staff – often ‘unstructured’, for example in emails.
This Law Now considers the legally acceptable ways of transferring employees’ personal data to the U.S. in light of the October 2015 European Court of Justice ruling in Schrems v Data Protection Commissioner C-362/14 that the ‘Safe Harbor’ regime is invalid, following concerns about U.S. surveillance of EU citizens’ personal data. It also looks at the longer-term, broader changes in data protection that will result from the proposed EU General Data Protection Regulation (GDPR), which will replace the Data Protection Directive; the GDPR was recently formally approved by the European Parliament and will come into effect on 25 May 2018. This is a rapidly changing area and the position outlined here is correct as at publication.
Safe Harbor and the Privacy Shield
The general position is that transfers of employee personal data to countries outside the European Economic Area (EEA) (e.g. to offshore payroll departments) must comply with the principle that the country of the recipient must ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The European Commission has made a finding of ‘adequacy’ in relation to some non-EEA countries, but not the U.S. The main options for transferring employee data to the U.S. are:
1. A data controller established in the EU and a recipient can enter into a data transfer agreement that incorporates standard contractual clauses (SCCs).
2. Group companies can utilise binding corporate rules (BCRs), approved by the UK Information Commissioner’s Office (ICO).
3. Until now, U.S. undertakings have been able to self-certify in relation to the Safe Harbor principles agreed between the European Commission and the U.S. government in 2000. Self-certification involved publicly declaring, through the Safe Harbor website, that the organisation complied with the data protection requirements, or informing the U.S. Department of Commerce of the company’s intention to comply.
Following the finding that option 3 is invalid, its proposed replacement, the Privacy Shield, imposes stronger obligations on U.S. companies to protect EU citizens’ personal data, including assurances from the U.S. regarding access to data by public authorities and a number of channels for individuals to seek redress, including an independent ombudsman.
The independent Article 29 Working Party has analysed the Privacy Shield and recently concluded that, while it represents an improvement on Safe Harbor, a number of concerns remain. The Working Party’s opinion is persuasive, and the extent to which the European Commission will incorporate these concerns into further negotiations with its U.S. counterparts is uncertain. On balance, however, it is likely that the Privacy Shield will ultimately be implemented in some form.
In principle organisations can continue to use SCCs and BCRs, although arguably their long-term future is in doubt for the same reason as Safe Harbor. In the meantime, businesses should ensure they understand the basis of any transfers they are making, and monitor developments with the support of their legal advisors.
While the GDPR is not due to come into effect until 2018, there has already been significant discussion of its implications; for example, the ICO has published a checklist entitled Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
As a regulation (rather than a directive), it will automatically become part of UK law and therefore should result in a common set of rules across the EU. However, member states can legislate domestically in areas including employment, so some uncertainty remains for employers over the extent to which member states (including the UK) will do this.
In addition to increased penalties for non-compliance, proposed changes that are relevant to employers include:
- Consent – It is already recognised that consent given in the employment contract is generally not sufficient to process employees’ personal data, because most employees have no real choice over their contractual terms. The GDPR sets out additional conditions for the use of consent and effectively makes it clearer that consent in employment contracts will not be sufficient. This means employers should ensure they can rely on another ground to justify processing, such as their “legitimate interests” or processing being necessary for the performance of the contract.
- Data subject access requests – The period for compliance will reduce from 40 days to one month, but with a possible two-month extension. Data controllers can also charge a reasonable fee, or refuse to comply with the request, where it is “manifestly unfounded or excessive”. Overall, these changes should make it easier for employers to deal with requests, although they must also provide employee ‘data subjects’ with extra information, including details of data retention periods and of their right to have inaccurate data corrected.
- Additional rights – The GDPR will provide additional rights including the right to be forgotten (as in the high-profile case brought by a Spanish citizen against Google) and the right to rectification of inaccurate data. It remains to be seen how commonly these rights are enforced in practice or used as leverage in employment disputes.
- Data breaches – Employers will need to notify their national regulator promptly, and within 72 hours if feasible, if they discover a personal data breach, unless the breach is unlikely to result in a risk to the data subject. If there is a high risk to the data subject, he or she must be informed about it.
Early preparation and co-ordination between legal, HR, compliance and IT departments is prudent to reduce legal risk and, in relation to the GDPR, is being encouraged by the ICO. On the other hand, businesses should consider what resources they are prepared to allocate given the uncertainty regarding whether the UK will still be subject to European data protection laws following the upcoming Brexit referendum.
A similar version of this article was published on CIPD HR-inform on 14 April 2016.