The European Court of Justice’s decision in the Google case that it was required to remove links to “outdated” or “irrelevant” information about an individual has brought EU data privacy laws to the forefront of public consciousness. In part one of this three-part series, we looked at the core principles of data privacy law in the United Kingdom (UK) that employers need to know, including the meaning of personal data and the first five data protection principles, such as the need for data to be accurate, relevant, not excessive, and obtained only for specified lawful purposes. Today, in part two, we cover the remaining three data protection principles—in particular, the need for employers to take appropriate security measures, and the restrictions on the transfer of data outside the European Union (EU).
Data Protection Principles 6 through 8 are set forth below:
- Process data in accordance with data subjects’ rights. The most important element of this principle is the right of subject access. Individuals have a right to see all of the data held about them within 40 days of a valid request, subject to a few exemptions. Complying with this right can sometimes be a time-consuming and expensive task. Employers may rely on several key exemptions from the duty to disclose information in response to a valid request from a data subject. One exemption is for information that relates to a third party. (This exemption allows employers to legitimately refuse to supply details of an employment reference as this disclosure reveals information about the third party’s opinions.) Another is for information about negotiations with the individual. (Employees, therefore, cannot use this right to obtain information about negotiations concerning their own severance payments.) Finally, information for management forecasting and planning is exempt from disclosure (so employers need not reveal information about planned reorganizations involving a reduction in force). Note, however, that this last exemption may cease to apply once the reorganization has been implemented, so it may not remain secret forever!
- Take appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss, destruction of, or damage to personal data. Employers have a duty to ensure that personal data is not accidentally or negligently lost, disclosed, or destroyed. Accordingly, employers must establish appropriate policies and internal processes that limit access to employee data to those who genuinely need it, and should ensure that electronic information is encrypted and access-controlled. A password on a document or a device is not a substitute for encrypting the underlying data: many of the largest penalties imposed under this principle have involved unencrypted laptops or removable media. On an even more basic level, employers should require that employee records be kept in locked filing cabinets and not left lying around on desks or taken home. The largest fines for a breach of this principle have been imposed on local authorities that lost laptops or USB flash drives containing highly confidential information about members of the public (although private entities have been heavily fined as well). The maximum monetary penalty that the Information Commissioner's Office can currently impose for a breach is £500,000 (roughly $825,000). In ensuring compliance with this principle, employers should also consider the reputational damage that can ensue when a company loses or destroys sensitive data. Finally, employers should keep in mind that the proposed EU-wide data protection regulation promises much higher penalties.
- Restrictions on transfers of data outside the EU. A real challenge for U.S. employers is that the eighth principle prohibits the transfer of personal data to a country or territory outside the European Economic Area (EEA) unless that country ensures "an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." The European Commission has not found that the United States as a whole provides adequate protection. Thus, a UK employer would be breaching the law by sending any personal data to the U.S. unless one of the data transfer solutions outlined below is in place. This means, for example, that UK employees cannot be placed on a U.S.-hosted HR or talent management system unless the rules have been complied with.
Solutions for Transfer of Personal Data Outside the EU
U.S. employers wanting to receive personal data from their European subsidiaries will have to adopt one of the following options:
Sign up for the Safe Harbor Program
A company can agree to adhere to the data protection standards established by the U.S. Department of Commerce Safe Harbor Program, a framework which has been recognized by the European Commission as providing adequate protection in connection with the transfer of personal data to signatories of the scheme in the USA. The program is open only to organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation, so it is not available to companies in the telecommunications or financial services sectors. (Note that in October 2015, after this article was written, the Court of Justice of the European Union declared the Safe Harbor adequacy decision invalid in Schrems v Data Protection Commissioner, so transfers can no longer rely on it.)
Use model contract clauses
A company can agree contractually to take steps to protect personal data. The European Commission has approved sets of standard contractual clauses which, if adopted without amendment and followed by both the transferring and receiving entities, remove the need for either to separately assess the "adequacy" of the arrangements.
Agree to Binding Corporate Rules
Binding Corporate Rules (BCRs) are internal rules used by multinational companies to define their global policy on international transfers of personal data. BCRs suit multinational organizations that need to make intra-group transfers of employee data between numerous entities, including entities in countries that do not provide an adequate level of protection. Approval is sought from a lead data protection authority, which coordinates the views of the other authorities concerned before granting it. Once a company's BCRs have been approved, no further authorization is required for transfers covered by them, although the company must monitor and audit compliance with its own rules.
None of these options is easy, and each requires that companies take significant technological and organizational steps to ensure the protection of personal data. However, data privacy regulation is increasing worldwide, including in the United States, so compliance should be regarded as a necessary cost and condition of doing business globally in the future.
In the final part of this three-part series, “Data Privacy Law in the UK, Part III: Employment Background Checks and Monitoring,” we will look at the practical implications for data privacy as it relates to monitoring and background checks.
Justin T. Tarka is an associate in the London office of Ogletree Deakins.