Transatlantic and EU regulation changes move data protection up the HR agenda
Employers need to plan now how to manage proposed new regimes
The issues surrounding data protection are particularly challenging for HR. Businesses typically hold substantial amounts of personal data related to their staff, and much of this is in an ‘unstructured’ format – in emails, for example – and difficult to identify or search. Transferring employees’ personal data to the US is currently a concern because of a European Court of Justice ruling last October in the case Maximillian Schrems v Data Protection Commissioner.
Generally transfers of employee personal information to countries outside the European Economic Area (EEA) must comply with the data protection principle that the country receiving the data offers an adequate level of protection for the rights and freedoms of its citizens. Some non-EEA countries are classed as ‘adequate’ in this regard by the European Commission but this does not include the US.
The main options for transferring employee data to the US until now have been:
- the employer and a recipient organisation entering into a data transfer agreement that incorporates ‘standard contractual clauses’
- group companies using ‘binding corporate rules’ approved by the UK’s Information Commissioner’s Office
- US companies self-certifying in line with the Safe Harbor principles agreed between the European Commission and the US government in 2000.
Self-certification involved publicly declaring that the organisation complied with the data protection requirements through the Safe Harbor website or informing the US Department of Commerce of the company’s intention to comply.
In the Schrems case, the CJEU decided the Safe Harbor regime was invalid following worries about US surveillance of EU citizens’ personal data. Its proposed replacement, the Privacy Shield, imposes stronger obligations on US companies to protect EU citizens’ personal data and includes an assurance from the US regarding access to data by public authorities, and channels for individuals to seek redress. The details are being analysed at the moment by the European Commission but it is likely the Privacy Shield will be implemented in some form.
In principle, organisations can continue to use standard contract clauses and binding corporate rules, although arguably their long-term future is in doubt for the same reason as Safe Harbor. In the meantime, businesses should ensure they understand the basis of any transfers and monitor developments.
There are also challenges on the horizon from changes arising from the proposed EU General Data Protection Regulation due to come into effect in 2018. As a regulation rather than a directive, it will automatically become part of UK law and should result in a common set of rules across the EU. However, member states can legislate domestically in the area of employment so uncertainty remains for employers over the extent to which member states (including the UK) do this.
The EU regulation proposes increased penalties for non-compliance and changes to consent. It is already recognised that consent given in employment contracts is generally not sufficient to process employees’ personal data because most employees have no real choice over their contractual terms. The regulation sets out additional conditions for consent and makes it clearer that consent in employment contracts will not be sufficient. Employers will have to rely on another justification for the processing, such as their “legitimate interests” or processing being a necessary part of the employment contract.
The period for complying with data subject access requests will reduce from 40 days to one month, with a possibility of a two-month extension. Data controllers will also be able to charge a reasonable fee or refuse to comply with the request where it is “manifestly unfounded or excessive”. These changes should make it easier for employers to deal with requests but they will have to provide employee data subjects with extra information, including details of data retention periods and rights to have inaccurate data corrected.
The regulation will also provide the right to be forgotten and the right to rectification. It remains to be seen how commonly these rights are enforced in practice or used as leverage in employment disputes.
Whether the UK will still be subject to European data protection laws after the Brexit vote on June 23 remains to be seen. But HR should be considering now what resources they will need to allocate to data protection in the future.
Story via – http://www.cipd.co.uk/pm/peoplemanagement/b/weblog/archive/2016/04/14/transatlantic-and-eu-regulation-changes-move-data-protection-up-the-hr-agenda.aspx