If adopted non-compliance with the rules may imply huge fines on employers not acting according to the rules.

The European-Commission published in late January a proposal to amend the current data protection rules. The proposal aims, among other things, to increase the level of protection for the individual. One of the areas where protection is sought increased relates to employment law. It is, among other things, proposed that an employee’s consent will not be valid if provided in an employment (relationship) context.

Companies are on a daily basis processing personal information on employees. When personal information is being processed whether in relation to recruitment of employees, former employees or current employees the rules laid down in the various data protection acts apply. In many Member States companies, regarded as data controllers, may process non-sensitive personal information such as name, address, salary details, position etc. without the consent of the employee. This is due to the fact that the employer’s administrative processes would be rather burdensome if the employee’s consent was to be obtained in relation to for example payment of salary/wages and other ongoing administrative matters. In terms of the employer’s processing of sensitive personal information the situation is, however, somewhat different. Sensitive information may in general only be processed if the employee has provided his/her explicit consent. This if for instance the case if the employer wants to process information on trade-union membership or information concerning health or sex life.

The reason for the proposal lies in the imbalance which many believe is the case in the relationship between employee and employer. As long as the employee is in a situation where he/she one way or another is dependent on the employer and thus feel pressured to consent, the consent will not be seen as given voluntarily and thus not be valid. If for instance a job applicant is asked to take a personality test at a job interview, the job applicant may in theory refuse to take the test. The consequence of doing so is, however, that the job applicant most likely will not be considered as a candidate for the job.

If the proposal is adopted employers will no longer be able to process sensitive personal information based on the employee’s consent. Thus, if the employer does not process such information based on the required/necessary legal basis the processing will have to be stopped. Further, it should be noted that in some Member States prior permission from the Data Protection Authorities must have been obtained before processing of sensitive information must take place.

It remains unknown which legal basis the employer may use instead of the consent and whether the issue will be addressed by leaving the Member States space to introduce specific rules for processing of personal information. So far the European Data Protection Supervisor, Peter Hustinx, and the Article 29 Working Party have expressed their concerns in terms of the proposal not leaving “enough discretion for national authorities”.

Finally and as mentioned above, it is worth mentioning that the proposal envisages that violation of the rules may imply huge fines for up to €1 million or up to 2% of the global annual turnover of the company, which to some Member States implies major changes compared to what applies today. It is thus worth paying attention to the development of the proposed rules.