Transferring HR Data to US from EU May Hit a Snag

It may surprise some members of the converting industry with subsidiaries in the European Union that the EU's framework Data Directive and implementing national legislation could restrict the transfer of human resources (HR) data into the US. One reason this has become so important is the increased focus on enforcement of data protection laws in the EU at the same time companies are adopting enterprise management software to centralize and manage HR data.

Directive 95/46/EC applies to “any operation or set of operations which is performed upon personal data,” which in turn is broadly defined to include “any information relating to an identified or identifiable natural person.”

“Processing” includes collection, storage, disclosures, and transfers of any personal data (involving customers or employees), whether in automated or manual form. Data controllers must register or notify national data protection authorities of data processing activities. The Data Directive includes the following core principles:

  • Data must be processed fairly and lawfully for explicit and legitimate purposes.

  • Data must be relevant and not excessive in relation to the purpose for which they are processed.

  • Data must be accurate, kept up to date where necessary, but kept for no longer than necessary.

  • Data subjects have the right to access, rectify, erase, or block incorrect data.

  • Data controllers must adopt appropriate measures to prevent unauthorized processing of data or accidental destruction or loss.

  • Data subjects have the right to be notified and to have a judicial remedy for violations, including the right to damages.

  • Data may be transferred only to non-EU countries that offer an “adequate” scheme of protection.

The US legal system has not been recognized as providing an “adequate” system of protection. Although the Directive allows data to be transferred outside the EU with the consent of the data subject, some Member States do not believe employee consent is given freely. Companies, therefore, must consider other approved means to transfer HR data to the US.

One is to participate in a “safe harbor” program agreed to between the US and EU some years ago. Participants must pay a fee, register with the Dept. of Commerce, subject themselves to the jurisdiction of the Federal Trade Commission, and where HR data transfers are concerned, agree to cooperate with local Data Protection Administrators (DPAs) in the EU. Some companies feel the added conditions make the safe harbor undesirable for HR data transfers.

Contracts between a “data exporter” in the EU and a “data importer” in the US are another vehicle. These contracts are subject to review and approval by the DPAs. Ad hoc contracts have been used as a basis for data transfers, but if local DPAs approve different versions, the company must ensure its internal procedures allow it to comply with the differing contractual obligations approved in each relevant Member State.

The European Commission approved a “model” contract, but it imposes joint and several liability on the data exporter and importer, requires them to acknowledge jurisdiction of the relevant DPA, and makes the data subject a third-party beneficiary of the agreement. Some companies report DPAs are delaying review and approval of contracts that don't conform to the model, thus moving away from the ad hoc approach and requiring use of the model form.

Finally, industry is exploring industry or company codes of conduct as a vehicle for data transfers. Codes of conduct may offer a global solution to expedite data transfers while ensuring individuals enjoy an appropriate level of privacy and data security under the growing number of laws that include EU-style restrictions on data transfers outside their borders.

Each of these options has drawbacks, and unfortunately, the situation may become more complex: The EU Data Protection Working Party has suggested a separate directive on employee data may be needed. In the meantime, in today's global, networked environment, members of the converting industry that have or are planning an EU presence should adopt privacy and data-security compliance programs.

Sheila A. Millar, a partner with Keller and Heckman LLP, counsels both corporate and association clients. Contact her at 202/434-4143.
