Data dangers

Free
flow of employee information between offices is vital to multinational firms.
But they must beware of falling foul of different countries’ laws controlling
the transfer of data. Liz Hall reports

Transferring
employees’ personal data across the Atlantic is a minefield for global
companies – tread carelessly and they face adverse publicity, hefty fines, and
the blocking of their data flow channels.

Data
transfers are the lifeblood for multinationals that routinely share between
different offices a vast array of personal information, from personnel
telephone directories to personnel records. But while data transferral within
the EU is covered by the Data Protection Directive, Article 25 of the directive
prohibits data being sent outside the EU unless adequate protection is
provided.

The
article has been the thorn in companies’ sides for three years, as according to
the European Commission, the US self-regulatory framework does not offer enough
protection. The Safe Harbor Agreement, which came into effect in November 2000,
is the result of lengthy negotiations between the EC and US Department of
Commerce. It aims to stop US firms being prosecuted under European law and to
avoid interruptions in transatlantic business dealings.  

"In
the eyes of the EU, none of the US systems amounted to adequate protection,
meaning employers faced fines and being cut off," says Brian Hennesbaugh,
senior associate at law firm Baker & McKenzie in Chicago, Illinois.
Hennesbaugh was the lead attorney at the US Department of Commerce in
negotiations for the Agreement.

"We
created a self-regulatory framework which, if firms publicly declared they
adhered to its principles, could ensure the continued data flow between the EU
and US," says Hennesbaugh. So far, only about 76 firms have signed up,
including the Dun & Bradstreet Corporation, BMW, Procter & Gamble,
medical firm Baxter International and Microsoft.

"There
has been an element of ‘you go first’ and of not sticking one’s neck out. If a
company is knocked off the list, it would be very bad publicity," says
Alison Wetherfield, partner in the employment department of London law firm
McDermott Will & Emery.

Wetherfield
says many clients are concerned about data protection issues in transatlantic
transactions. "But our message is that there are a variety of ways to
satisfy data protection requirements," she says.

With
Microsoft joining the Safe Harbor employer ranks, it is hoped that more
organisations will take the plunge. "There appears to be some momentum
gathering, and the signing of Microsoft could make a difference
psychologically," says Hennesbaugh.

For
those companies whose data protection policies are already in line with the DP
Directive’s requirements, Safe Harbor should not represent too much of a
challenge. Matt Lambert, Microsoft head of government affairs in the UK, says,
"We looked at our systems and found we were doing as much as, or more than
the EC requirements. We couldn’t think of any good reason not to sign, and we
wanted to make a statement of intent to our customers and consumers that we
take their privacy seriously."

Safe
Harbor sets out seven principles that aim to reflect the US privacy approach
while satisfying the DP Directive’s core requirements, including that of adequate
protection.

But
firms that sign up and then fail to live up to their statements face
enforcement action from the US Federal Trade Commission under the False
Statements Act. They can be fined or sanctioned by the Federal Trade Commission
or by individual US states. They also face adverse PR, with the Department of
Commerce publicising their failure to comply.

Fines
can be substantial, considering the standard penalty per occurrence is $11,000
and the fact that company databases contain so many people. Telecoms firm
AT&T, for example, has some 120,000 people on its global address list,
including homeworkers.

Both
Hennesbaugh and Stephen Sidkin, commercial partner at Fox Williams, say that
bad PR is businesses’ worst fear. "Worse than fines is the bad publicity.
One of our clients has been investigated and is not very happy. Once you have a
profile with the Information Commissioner in the UK, for example, they will
keep looking at you," says Sidkin. "Then there is the amount of
management time that has to be dedicated to digging the company out of a hole."

Hennesbaugh
says, "The real threat is unwanted, adverse press reports. In the US, the
press is very active on the issue of privacy and companies are very concerned
about maintaining their reputations."

Although
nobody has been dragged across the coals yet, this autumn could see the law
closing in. Under Safe Harbor, the EC made a political commitment that it would
not cut off data flow while negotiating. Originally set for mid-2001, the date
for reviewing this standstill has been postponed – possibly until October,
according to Hennesbaugh. "As far as I know, there are some cases brewing
out there and the Information Commission is waiting for the standstill to be
over," he says.

UK
firms have been given until 24 October 2001 to get their houses in order to
meet the DP Directive’s adequate protection principle, Principle 8 of the UK
Data Protection Act 1998 – unless they are putting new systems in place.
Companies are entitled to run their own privacy policies, as long as they
satisfy legal requirements. Data can, in any case, be transferred in certain
circumstances, such as if the individual has given unambiguous consent, or if
the transfer is necessary for the performance of a contract between the individual
– the data subject – and the data controller.

Compaq
(before its merger with Hewlett-Packard) is currently evaluating whether to
register under Safe Harbor. It has used the agreement as a guideline for its
policies and procedures for the generation, transmission and use of employee
data. An internal review showed that its employee data flows are already in
compliance with Safe Harbor principles.

"As
a global company, we recognise that there are inherent complexities in ensuring
compliance with laws in various countries and geographies, but Compaq has
devoted, and continues to devote, substantial resources towards maintaining
compliance with these laws," says Dan Swartwood, corporate data privacy
manager at Compaq in Houston, Texas.

Compaq
works closely with representatives from European works councils and any
employee who will have access to worldwide staff data is given training in its
appropriate use. The IT firm carries out periodic audits.

The
EC may soon give the all-clear to more countries on the adequate protection
front. It is currently examining the data protection laws of a number of non-EU
countries to see if they provide adequate protection for personal data
transferred from the EU. So far, Switzerland and Hungary have passed muster and
Canada is next under the microscope. The EC has powers to prohibit data flows
to countries whose privacy regimes are not deemed adequate, requiring
individual organisations to show they provide adequate privacy protection.

Another
alternative to Safe Harbor is the EC’s voluntary model contract – it published
a draft in June. It contains a legally enforceable declaration by both the data
importer and exporter that they will process data according to basic data
protection rules.

Matsushita
Electric Europe currently has a team in Brussels looking closely at the ins and
outs of the EC model contract and could soon adopt it. Although the holding
company for Panasonic and JVC mostly sends out data on employees within the EU,
it also transfers data to Japan, although mainly on Japanese staff and with
senior employees’ written consent.

Tim
Watmuff, general manager for pan-European personnel at Matsushita in London,
says, "One of the difficulties with Japan is that it has a totally
different culture, and if we do go down the model contract route, as I suspect
we will, it will be our responsibility to make sure data is processed
correctly."  

The
principles of the model contract are very strict compared to Safe Harbor. The
access principle, for example, means giving access to all data on an
individual, whereas Safe Harbor has a let-out clause. Also, the model contract
needs to be put on file with the local data protection authorities. "This
requires a lot of paper and is cumbersome and intrusive," says Hennesbaugh.

"People
are scared by the model contract and there are lots of provisions they don’t
like, such as the joint and several liability clause, as people don’t want to
be held accountable for what other parties do. Any individual can sue a company
for violation of principles in a European court, and the US will have to abide
by their advice, which is very open-ended and scary," says Hennesbaugh.

The
joint and several liability clause means that when data subjects have suffered
damage as a result of their rights being violated, they can claim compensation
from both the data exporter and the importer, as it is often difficult to know
who is responsible for the violation. But the data exporter does have the right
to recover compensation from the importer for any compensation it has had to
pay to the data subject.

The
issue of employee consent is central to employers’ data protection policies and
many companies, such as BT, build something into employment contracts. Matsushita,
which employs 300,000 staff worldwide, has a clause in its employment contract
describing its data protection policy, which adheres to the DP Directive’s
principles. Compaq’s European employment contracts typically include an
authorisation by the employee for use of their data for appropriate purposes.

Sidkin
says, "There should be suitable reference made in employment contracts
about the use of personal data and the fact it may be sent outside the
EU." But he says, "I must emphasise that this is only part of the
equation, and for the employer to sit back and think that is enough would be
very dangerous."

Obtaining
consent from employees every time data is transferred can be highly tortuous.
Phil Coater, spokesman for AT&T, says, "We address data protection by
getting either implied or implicit consent from employees. As a global company,
we aim to get single standard ways of doing business, but you run up against
local circumstances. In the telecommunications industry, this is complicated by
the fact that having homeworkers and so many mergers and acquisitions with
different people coming and going."

Hennesbaugh
warns that the issue of consent can become tricky, depending on the
jurisdiction. "Companies should take a careful look at where they are doing
business, as problems can arise as to whether consent was really given and also
works councils rear their heads."

So
is there a universal panacea to data protection quandaries? "Employers are
really grappling with how to handle this, looking at what is best for whom. If
you’re a smallish employer dealing with senior executives, the consent route is
attractive to avoid all the paperwork needed for Safe Harbor, and there
shouldn’t be problems of validity of consent," says Hennesbaugh.

"But
if you’re a large firm with lots of factory workers, even if consent is freely
given, the chances are there will be a 5 per cent drop-out. All things being
equal, if a company is going to be doing data transfer to the US, Safe Harbor
is the best route. But if also transferring from the EU to India and Japan,
Safe Harbor only answers one tiny piece and so companies might want to think
about the model contract route or processing data locally, or might have to be
creative," says Hennesbaugh.

The
prospect of a brave new world, in which global company databases are
commonplace and data flows like water worldwide, still seems far off.

 "We’re up to speed with how the European
directive applies in Europe, but it’s a different matter with transfer outside
the EU. Although I believe there should be restrictions, they mean we’re
struggling with how to adopt a state-of-the-art global personnel
function," says Watmuff. "Local legislation can be a barrier to
having pan-European or global HR databases, especially if you need every individual’s
signature for consent each time a transaction occurs. I expect things will
change, but I’m not sure how," he says.

Safe
harbour principles

1          Notice should be given to users of
the use to which information is put

2          Choice with opt-out for users of
secondary use of data on them and opt-in for use of sensitive information, such
as race

3          Access of individuals to personal
information, with chance to make corrections

4          Security of data guaranteed including
access controls and encryption

5          Enforcement in place for when
principles are not followed

6          Onward transfer of personal data
should be according to notice and choice principles

7          Data integrity with steps taken to
ensure reliability and accuracy

Data
protection worldwide

Austria             Abides
by EC Data Protection directive

Belgium            "

Canada
           EC currently examining new
privacy law to establish if provides adequate protection

Denmark          Abides by EC Data Protection directive

Finland             "

France              "

Germany          "

Greece             "

Hungary           On EC’s approved adequate protection
list       

Ireland              Abides by EC Data Protection directive

Italy                  "

Luxembourg     "

Netherlands      "

Portugal            "

Spain                "

Sweden            "

Switzerland       On EC’s approved adequate protection list

UK                  Abides
by EC Data Protection directive

US                   Self-regulatory framework. Employers dealing with
the US should proceed carefully. Some firms have signed EC- approved Safe
Harbor agreement, others looking at EC model contracts or have their own policy
which satisfies EC requirements

Further
information

The
European Union: www.europa.eu.int

The
US Department of Commerce: www.export.gov/safeharbor

Legal
Links

McDermott
Will & Emery: www.mwe.com

Baker
& McKenzie: www.bakernet.com

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

Email(Required)

OptOut

From time to time, we will send you emails about selected products, events and services from Personnel Today and OHW+ - but you can choose to opt-out at any time. If you do not wish to receive these emails, please tick this box.

Name

This field is for validation purposes and should be left unchanged.

Δ

Fox
Williams: www.foxwilliams.com

Pinsent
Curtis: www.pinsents.com