Tijdschrift voor Arbeid & Onderneming Arbeidsrecht – Ondernemingsrecht – Medezeggenschapsrecht 2014 nr. 3

EU data protection reform: compliance challenges for multinational employers

Introduction

The EU data protection framework is on the eve of its first major overhaul since 1995. A proposed European Data Protection Regulation will, once adopted, repeal the current Data Protection Directive (95/46/EC) and radically reshape obligations for those who process data about EU-based individuals within or outside the EU. For employers processing employee data on a daily basis, often across multiple jurisdictions, the reform will mean a considerably higher compliance burden with the risk of significant fines – potentially up to EUR100 million or 5% of annual worldwide turnover – for slip-ups. In this context, there is understandable concern about what the new rules entail. In this article, we consider how local employment practices will have to change under the new regime and challenges and action areas for multinational employers.

When will the new law apply?

The draft Regulation, first published in January 2012, was subject to intense lobbying and debate causing some delay to its progress through the early stages of the EU legislative process. Since the European Parliament’s approval of a compromise text in March 2014, there has been impetus at EU level to agree the reforms by the end of 2014, and trilogue discussions among the EU institutions to achieve this are currently underway. The Regulation will come into effect two years after it is adopted. Given the number of outstanding issues, expected continued lobbying, and the recent EU elections, we are more likely to see a final form Regulation in 2015, which will take effect from 2017. Employers will become subject to the new obligations from this time, but should be considering in advance how to prepare for the new regime.

How will it regulate employment practices?

One of the reform’s main aims is to harmonise data protection rules across the EU, thereby removing the legal uncertainty and complexity that has arisen for multinational companies having to contend with different local rules. With this in mind, the Regulation will apply directly to local laws across Member States, with no need for implementing legislation and with minimal flexibility left to local legislators and regulators. The controversial ‘one-stop shop’ proposal, which has still to be resolved, would also make an employer accountable to one local data protection regulator (in the country in which it has its main establishment) in respect of all its processing activities across the EU.
In the employment context, the draft Regulation permits Member States to adopt national rules regulating the processing of employees’ personal data, addressing among other areas recruitment, performance of employment obligations, management, work organisation, health and safety at work, employment rights, employment benefits and termination of employment. However, these rules must adhere to certain minimum standards on employment processing, as well as complying with all other aspects of the Regulation. The rules adopted must also be notified to the European Commission.

Restriction of consent as a processing ground

According to the current draft Regulation, consent can be relied upon to process employees’ personal data or to send data outside the EEA only if it is ‘freely given’. This is less restrictive than the original draft Regulation which would virtually have ruled out the consent route as an option for employment processing. However, the EU Article 29 Data Protection Working Party has commented in separate guidance that job applicants and employees cannot freely consent because they are in a subordinate position. In its view, their consent is not freely given if the requirement for consent is a condition of their employment and if their refusal to consent could have an adverse consequence such as loss of a job opportunity or disciplinary sanctions. These concerns have been echoed by most European data protection regulators. Another issue is the risk of consent being considered too broad in scope (e.g. a ‘blanket consent’ for an open-ended set of processing activities). Such consent may be invalid because the employee is deemed to be insufficiently aware of the nature and consequences of the processing activities. Pending further guidance to reassure employers that employee consent can be freely given, employers will therefore need to look to other grounds to justify their processing activities.
In practice, this has already been happening as in recent years consent has been used much more as a safety net to bolster other processing grounds, rather than as the sole basis for processing. Employers will have broadly the same menu of alternative processing grounds. These include processing that is necessary to meet employment contract obligations, to comply with a legal requirement, or to pursue ‘legitimate interests’ (which would be subject to stricter notification and documentation requirements under the new regime). They can also process ‘sensitive data’ (such as that relating to race or ethnic origin, political opinions, religion or belief, health, sex life or criminal convictions) to meet employment law obligations, subject to any specific safeguards in EU or national rules. The thresholds for showing valid consent will also be higher. Consent will either have to be given expressly or by some affirmative action – meaning that implied consent will not be an option – limited to a particular purpose and capable of being easily withdrawn.

Minimum standards on employment processing

As a general principle, processing must be linked to the purpose for which the data was originally collected and stay within the employment context. Use of employee data for secondary purposes will be prohibited. The data protection implications of employee monitoring will be addressed for the first time by EU law. Data processing undertaken without the employees’ knowledge (so-called ‘covert monitoring’) will be permitted only if criminal activity ‘or serious dereliction of duty’ is suspected, and provided that certain other safeguards are met, e.g. conducting the monitoring in a proportionate manner. The draft Regulation suggests that the data protection authority will have a role in verifying how any covert monitoring is conducted.
This is consistent with the current approach in some EU countries such as the UK, Luxembourg, Germany, the Netherlands, Poland and Italy, which permit covert monitoring only in exceptional circumstances, but it is more permissive than the regimes in other EU countries such as France, Belgium, Spain, Slovakia, Czech Republic and Italy, where covert monitoring is strictly prohibited. Rules regulating private use of IT systems must be addressed either by collective agreement or by agreement with employees. Where this is permitted, ‘traffic data’ (but apparently not the e-mails, websites visited or calls themselves) can be monitored to ensure data security, to ensure that the system is operating properly, and for billing purposes. The extent to which traffic data may be monitored for other purposes is unclear, though national rules may permit this in the same circumstances as covert monitoring. Given that most employees expect some limited private use of IT systems, employers will need to review the impact on their monitoring practices in each country. While there are already strict constraints on an employer’s ability to monitor private use of IT systems in some countries such as Italy (monitoring private use of IT systems is allowed only if the employer implements a specific policy meeting certain conditions set out by the Data Protection Authority and upon authorization of the competent Labour Bureau), France, the Netherlands, Spain, Belgium, Slovakia, Czech Republic and Germany, the draft Regulation will result in a more restrictive approach in countries such as the UK and Poland where monitoring can be undertaken in wider circumstances or where the content of communications can be accessed to some extent. Other areas addressed include new safeguards for the collection and processing of data from medical examinations or aptitude tests, requiring individuals to be kept informed as to how the data will be used and of the results of its use.
There will also be a prohibition on the use of electronic acoustic and optical surveillance in areas where employees should expect privacy such as bathrooms and rest areas, and a prohibition on the blacklisting of employees based on sensitive data such as their political or trade union membership. This is unsurprising and consistent with the current position under most national laws.

Data transfers outside the EEA

Most multinational employers are transferring employee data to and from multiple jurisdictions on a daily basis. The original draft Regulation contained a new ‘legitimate interests’ addition to the permitted grounds for transfers of data outside the EEA. This would have made life slightly easier for employers, particularly given the new restrictions around the use of consent, but this has been dropped from the current draft Regulation. Employers are therefore left with the same menu of exceptions for overseas transfers (including consent in its stricter form, contract compliance or transfers necessary for the establishment, exercise or defence of legal claims) to supplement options such as transfers based on binding corporate rules, a proposed new ‘European Data Protection Seal’ or model contractual clauses.

Stronger subject access rights

An individual’s rights to apply for access to their personal data (‘subject access request’) will be strengthened. Employers will be required to establish a formal process for responding to subject access requests. The information itself, or access to a secure system enabling individuals to access their data, will have to be provided free of charge within 40 calendar days, subject to some exceptions for multiple or excessive requests.
Employers will also have to respond with more detailed information, including the length of time for which the data will be stored (or the criteria for determining the storage period), the individual’s right to complain to the data protection authority and the significance and likely consequences of the processing. The combination of these changes and the EU Article 29 Data Protection Working Party’s broad interpretation of the ‘personal data’ which employees can legitimately expect to see about themselves in a subject access request will put additional pressure on employers being asked to deal with requests. This will present an added challenge for employers in countries such as the UK, and increasingly in the Netherlands, where subject access requests are often used by lawyers acting for employees as a nuisance tactic, requiring employers to undertake complex, costly and time-consuming data searches.

Processors directly liable

Data processors appointed on behalf of employers, such as outsourced payroll functions and benefit plan administrators, will be accountable under EU law for the first time. In countries such as the Netherlands, Poland, Slovakia and the Czech Republic, data processors can already be held liable under certain, specific circumstances. Currently, employers are required to ensure contractually that processors take the necessary security measures to protect employees’ data. However, the draft Regulation requires processors to share responsibility for taking security measures, and to assume certain compliance obligations on behalf of employers. In turn, they are at risk of penalties, including fines, in the event of a breach. Employers will need to take care when negotiating commercial agreements with processors to assess security risks and measures upfront and to protect themselves against potential liabilities.
General compliance obligations

Employers, or data processors acting on their behalf, will also need to contend with a raft of more general compliance obligations. There will be an obligation to conduct data protection impact assessments prior to risky processing operations, such as the processing of personal data of more than 5000 individuals within a 12-month period, the processing of sensitive personal data or of employee data in large scale filing systems. Other obligations include requirements to notify data security breaches ‘without undue delay’, which is presumed to be within a 72-hour time period, to appoint data protection officers (which will be restricted to employers who process personal data of more than 5000 individuals within a 12-month period) and to maintain detailed records on a range of matters.

Penalties

The aspect of the draft Regulation which has attracted the most publicity is the prospect of the significant antitrust-style fines which can be imposed in the event of breach. In order to give the new rules teeth, the draft Regulation outlines a sliding scale of administrative sanctions, starting with a written warning and increasing to a maximum of EUR100 million or 5% of annual worldwide turnover for the most serious breaches. Although data protection authorities will take into account a range of factors (including aggravating or mitigating factors) when deciding on the level of fine to impose, the potential amounts in question greatly exceed the maximum fines that can be imposed under current local rules and will leave employers and processors understandably concerned to ensure full compliance.

What next?

A busy time lies ahead. Whilst the law is unlikely to change before 2017, employers are advised to start work early – as soon as the final text of the Regulation is known – to prepare for the new regime. Guidance from local data protection regulators will no doubt follow in due course.
As the reform will tighten the data protection restrictions applicable to many employment practices, employers will need to audit all data processing practices affecting their EU-based employees. Those who rely on prior worker consent to justify particular processing activities should, for example, reassess whether consent has been freely and validly given and, if not, either seek fresh consent or identify alternative processing grounds. As explained above, consent has to date been used much more as a safety net to bolster other processing grounds, rather than as the sole basis for processing. In situations where an employer nevertheless relies on consent as the sole basis for its processing activities, it may not be able to ‘switch’ to an alternative ground should the Regulation render previously given consent invalid. Compliance will also entail having full documentation, effective organisational structures and other measures such as training. These steps will be necessary to meet specific obligations and to manage the risk of ‘worst case’ sanctions in the event of inadvertent breaches. Compliance costs could be significant and budgets for future years should be set accordingly.

Article information

Type: Article
Unique Den Hollander publication number: UDH:TvAO/11602