Technology has revolutionized human resources. Today's sophisticated HR offerings — be they web-based training, intranet benefits administration, on-line upward evaluations, or outsourced payroll and benefits administration — owe their existence to technology. The old days of the personnel file have become the new era of electronic HRIS and other sophisticated tools from providers like PeopleSoft, SAP, Oracle and Ceridian.
While Americans value the benefits that technology brings to business administration, many other countries are skeptical whenever technology intrudes on personal privacy. A decade ago, the European Union passed a broad law called the "data protection directive" that in practice has served as a legislative brake on cross-border trafficking in personal data — including HRIS data. EU data law has no US counterpart and is unusually strict as to overseas data transfers. This law, therefore, frustrates multinationals based in the US (and elsewhere outside Europe) that need to access, at headquarters, HR data about their own European workforce.
What the EU Data Directive Does
The EU data directive is a template law addressed to each of the 27 EU countries ("member states"). In turn, each EU state implements ("transposes") the directive into its local law. These local laws impose cumbersome rules on the "processing" (handling) of personal data including, but going well beyond, employee and HRIS data. EU data laws require good data security, but they go much farther and:
- require that "data subjects" (such as employees) be able to learn what data about them are on file and can (in limited cases) opt out of some "processing" of their data;
- mandate actively purging personal data once obsolete;
- impose strict rules on processing "sensitive" personal data, including diversity (race, ethnicity) and labor union membership data;
- require alternative dispute resolution systems for data disputes; and
- limit the power of a "data controller" (such as an employer) to transmit ("onward transfer") personal data to third parties (such as providers of payroll services, benefits administration and Sarbanes-Oxley hotlines).
Then, to ensure the integrity of this comprehensive EU data regime, the EU data laws go on to impose tight restrictions on transferring personal data outside of Europe — such as to the US and to other countries whose local data laws do not offer EU-style "adequate protections." This cross-border transfer restriction is the highest EU data law hurdle to global HRIS.
"Data subjects" (such as European employees) have a private right of action to sue for data law violations. Separately, each European country has a dedicated data agency that enforces data law. Spain's data agency, which is said to be self-funded from fines, can impose penalties up to €600,000 and has recently imposed a number of illegal data transfer fines of €300,506 each. Outside Spain, European data agencies have been slower to assess big penalties, though enforcement may be toughening. German data law fines can reach €250,000 and France's cap is €150,000 for a first offense — plus five years in prison. UK fines are unlimited and UK data authorities are taking steps to add a criminal penalty, with prison time, for unauthorized data disclosures.
Further, in Europe an additional high cost of data law violations is public relations. Bad publicity about privacy violations has a significant P.R. impact in privacy-conscious Europe.

Pointer: Adopt a compliance tool — "safe harbor," "model contractual clauses," or "Binding Corporate Rules" — to insulate trans-Atlantic transmissions of HRIS data.

Compliance
Multinationals can take effective compliance steps to transmit HR data legally onto global HRIS networks. While many US-based multinationals with significant European employee populations have already ensured their global HRIS regimes comply, thousands of other multinationals with European operations have taken no serious compliance steps — and are, every day, violating EU data laws as to their internal cross-border HRIS transmissions (and also as to their HR data "onward transfers" to third-party payroll, pension, benefits and hotline processors).
Trans-Atlantic HRIS-context personal data transfers comply with European privacy law only if the "controller" (employer) has first implemented at least one of the six EU-approved tools that authorize out-of-Europe data transmissions:
- Consent: Collecting "unambiguous" and "freely given" employee consents (although consents in the employment context are void in many EU countries as presumptively coerced);
- Safe harbor: Self-certifying under the EU/US Department of Commerce "safe harbor" (an option only for data transferred to the US and not available to financial institutions);
- Model contracts: Entering one of the three EU-Commission-approved "model contractual clause" contracts (an option onerous for complex organizations and an imperfect solution for sensitive HR data such as diversity metrics and union data);
- BCRs: Implementing "Binding Corporate Rules" company-wide (a newer option recently seen as expensive and slow, but now becoming more streamlined and a viable alternative for larger concerns);
- Comply with contract/law: Transmitting to the US only employee data "necessary" to transmit under contracts to which employees are party, or whose transmission is mandated under some domestic European law (usually only a viable option for a small EU workforce employed directly by a foreign entity); and
- "Anonymize": Sidestepping the data laws by completely "anonymizing" data (using employee ID numbers is not enough, so true "anonymization" is rarely practical in the HRIS context).
Which of these six tools best insulates trans-Atlantic transfers of HR data? The answer depends on each company's specific HRIS needs. Just as a hammer is a tool that does not do the same job as a screwdriver, safe harbor does not do the same job as Binding Corporate Rules. Insulating a global HRIS regime from EU data protection law challenges requires a careful mapping of the institution's unique data processing needs onto the features of the available tools.