European nations have a strong commitment to privacy and the protection of personal information. The European Union has afforded EU-wide statutory protection to personal data under Directive 95/46.
U.S. companies employing EU citizens must follow the Directive's restrictions on the transfer of human resources information, and the range of information that may be transferred is limited. "Sensitive data", such as racial, ethnic, political, religious, health and lifestyle characteristics, may not be processed without the explicit consent of the individual, with some limited exceptions. Transfers of personal information outside the EU are also forbidden unless the transferee and the "processing" of the information comply with the implementing legislation of the EU Directive in the European nation where the personal data was collected.
The U.S. Department of Commerce negotiated "safe harbor" conditions with the EU to provide certainty to United States parties subject to Directive 95/46. Safe harbor qualifications are found at http://www.export.gov/safeharbor.html.
Enforcement for alleged violations by U.S. employers under the safe harbor is left to the grievance process for employees under collective bargaining agreements and to the Departments of Labor in each state for direct-contract or at-will employees. U.S. employers who make misrepresentations about their compliance with the Directive's safe harbor may be subject to enforcement actions by the Federal Trade Commission under the Federal Trade Commission Act provisions on deceptive trade practices.