So there it is – in a tremendous boost for transatlantic relations, the European Court of Justice has decided that America is not to be trusted with the personal data of EU residents. That is not exactly the way the decision is phrased, of course, which (so far as relevant to UK HR) is more like this:
Under the Eighth Principle of the UK’s Data Protection Act (and all or most of its EU cousins) the personal data of your employees can be transferred outside the EU only where the recipient country ensures an adequate level of protection for the rights and freedoms of data subject.
Until now an EU employer has been able to rely in this respect on a US company’s registration with the Safe Harbor (sic) scheme, a series of commitments designed to replicate the safeguards of EU law for that data. As of this week, however, that reliance has been deemed misplaced – the ability and tendency of the US security agencies to access personal data held by US employers has been found to compromise those commitments beyond immediate repair. In addition, one of the EU “model clauses” which can legitimise international data transfers requires the US recipient to confirm that it is aware of no legislation which could compel it to disclose that personal data to third parties without the employee’s consent. New US laws enacted to boost homeland security mean that this can simply no longer be said. Therefore Safe Harbor has been comprehensively blown up and can no longer be used as automatic air-cover for employee data transfers to the US.
This creates two immediate questions for HR in the UK. First, what exposure do we have for past data transfers to the US on a basis which is now shown to be illegitimate? Second, what do we do about such transfers starting now?
- Don’t panic!
To make any meaningful challenge out of this issue, the UK employee would need to show some loss or damage arising out of that transfer. In other words, even if the data has been used in the US as the basis for a negative decision about him (dismissal or demotion or no bonus), the employee would need to show that that decision would have been more favourable to him if it had been taken by the same people based on the same data but physically within the EU. Clearly a pretty tough gig.Second, all this case does is remove the presumption that Safe Harbor registrants are safe destinations – it does not prove that they are not, either now or historically. The question of adequacy of protection is assessed by reference to all the circumstances of the case, including the nature of the personal data sent, why it is sent to the US and what relevant codes of conduct and legislative protections exist there.
Last, Schedule 4 of the DPA disapplies the Eighth Principle where the data subject (the employee) has given his consent to the international transfer, or where the transfer is necessary for the entering or performance of the employment contract between the employee and the UK employer. It will rarely be the case that neither of these exceptions applies.
If you have not previously had complaints from your UK employees that their personal data has been misused/lost/damaged in the US, nothing in this decision makes that particularly likely now.
- Still don’t panic.
However, do be aware that this case is likely to lead to stricter precautions being required to ensure that what is sent to the US is genuinely only the bare minimum.On its face, Schedule 4 should allow most reasonable international transfers of employee data anyway, pretty much regardless of what level of protection is offered in the destination country. However, there is a strong body of opinion, especially in Continental Europe, that reliance on this provision alone is unsafe and that it is still appropriate for the EU employer to take specific steps (most usually, some form of data export agreement with its US parent) to satisfy itself that a reasonable level of protection for that data exists. It may also wish to be seen to reconsider how far those HR decisions need to be made in the US at all, and whether EU employee data could be kept on an EU-based server if that is not currently the case.
To the extent that employment contracts do not already include it, amend them to include an express consent to the transfer of relevant personal data to the US (but do note another possible avenue of attack much mulled-over in Europe, i.e. that consent in an employment contract is not freely given because the job hangs upon it). Last, be seen to prune the UK employee data you do hold in the US back to what is strictly necessary and get rid of stuff which is no longer (if it ever was) relevant to the performance of the employment contract.