New EU data protection requirements pose challenges

Employers in the United States contend with a variety of federal and state laws related to protecting employees’ personal data, while employers in European Union member countries face even more complex and far-reaching obligations in this area.

Until recently, it was unclear whether U.S. employers that employ citizens of EU countries were required to comply with the EU’s more extensive data protection guidelines. As of May 25, however, when the EU’s General Data Protection Regulation goes into effect, those U.S. employers will be under a specific obligation to follow EU data protection laws.

For the many U.S. employers that employ citizens of EU countries and, accordingly, will be covered by the GDPR, now is the time to put a compliance plan in place.

EU data protection laws

For decades, the European Union has been a world leader in protecting the privacy rights of its citizens. Subject to certain restrictions, Article 8 of the European Convention on Human Rights recognizes a right to respect for an individual’s “private and family life, his home and his correspondence.”

Subsequent court cases and statutes — including, most notably, the 1995 EU Data Protection Directive — have expanded on this right to privacy, particularly in the area of “personal data.” The DPD broadly defines personal data as “any information relating to an identified or identifiable natural person,” or “data subject.”

A data subject, in turn, is “one who can be identified, directly or indirectly, in any particular by reference to an identification number or to one or more factors specific to his physical, psychological, mental, economic, cultural, or social identity.” Personal data includes information such as an address, ID number, bank record, criminal record, IP address, location data, or an online identifier (such as a user name).

Like the new GDPR, the DPD required that those who process or control the personal data of EU citizens follow certain guidelines when processing personal data of any data subject. However, the DPD did not unambiguously apply to U.S. employers that processed the personal data of EU citizens living and working in the United States. Therefore, at least for purposes of employment law, many U.S. companies simply did not concern themselves with the DPD.

What the GDPR means for U.S. employers

The GDPR replaces the DPD, most notably by expanding the territorial scope of existing EU data protection laws. Among other things, the GDPR dictates how companies with no physical presence in the European Union must collect, store, process and destroy the personal data of EU citizens who work (or apply to work) outside the EU. The GDPR also provides that employers that do not comply with the GDPR may be subject to fines up to 4 percent of annual global “turnover” — a term used in Europe and Asia that is synonymous with “revenue” — or 20 million euros (whichever is greater).

The GDPR gives EU data subjects greater rights regarding their ability to access and control their personal data, while also imposing certain requirements on entities — including employers — that maintain or process personal data. Those requirements include, by way of example, the following:

• Legal basis for processing data. To the extent that covered employers process the personal data of covered employees, they must have a specified, legal basis for doing so. The most common of these legal bases is consent. However, the GDPR defines consent narrowly, requiring, among other things, that consent to processing personal data be revocable and freely given for a specific purpose. Additionally, in the employment context, consent will be deemed freely given only under exceptional circumstances, given the imbalance of power between the parties. Therefore, employers may have to rely on one of the other five specified bases for processing personal data — for example, when processing is necessary for the legitimate interests of the business or the performance of an employment contract.
• Evidence of compliance. Organizations may be required to demonstrate their compliance with the GDPR by maintaining and proper documentation regarding their data protection standards.
• Notification in case of breach. In the case of a security breach involving the personal information of an EU data subject, the organization that was the subject of the breach must notify the Information Commissioner’s Office within 72 hours.
• “The right to be forgotten.” Upon the individual’s request, an organization must delete “without undo delay” all information from its servers related to any data subject who meets any one of several very broad criteria — for instance, when the personal data is no longer necessary for the purposes for which it was collected or otherwise processed.

The GDPR gives EU data subjects greater rights regarding their ability to access and control their personal data, while also imposing certain requirements on entities that maintain or process personal data.

Enforcement issues

To aid in the enforcement of these new requirements against entities that do not have a physical presence in the EU, the GDPR provides that businesses that knowingly and actively conduct business in the EU must designate a representative with a physical presence in an EU country. (This is similar to the way U.S. states require out-of-state corporations to have a resident agent for service of process.)

This requirement, however, likely would not apply to U.S. companies that do not conduct business in the EU but simply hire individuals who happen to be EU citizens. In that scenario, questions remain as to how the EU might seek to enforce fines against employers that do not comply with the GDPR.

Multiple options could be available to the EU, such as relying on existing treaties between the U.S. and EU nations, requesting the aid of U.S. law enforcement agencies, or obtaining a judgment in an EU court and petitioning a U.S. court to enforce the judgment.

Compliance steps for employers

Realistically, given that the new data privacy guidelines take effect in late May, employers that have not yet considered the potential impact of the GDPR may not be able to reach full compliance by the deadline.

Nonetheless, employers would be wise to get started on this process promptly. At a minimum, we recommend that employers employing EU citizens consider the following.

• Perform a risk assessment. First, an employer should consider, relative to its workforce, whether it meets the definition of a “data controller” or a “data processer” under the GDPR. Next, the business should identify all the ways in which it collects, stores, processes, shares and destroys personal information. Wherever possible, this assessment should include representatives from all relevant departments, as well as legal counsel familiar with EU data protection guidelines.
• Rethink policies and procedures. Depending on the results of its risk assessment, an employer should then revisit relevant policies and procedures related to data protection. For example, an employer should consider revising policies related to the types of personal data it collects, the reasons for collecting that data, and who within the company has access to personal data.

Further, employers should consider whether the ways in which they currently ask employees to consent to the use of personal data will be considered valid under the GDPR, or, if not, what other basis for use they might have that would be consistent with the GDPR’s requirements. Employers should make sure that they have GDPR-compliant procedures for handling a data breach involving a data subject covered by the GDPR. Finally, employers should rethink how they train employees regarding the proper handling of personal information.

• Consider whether to apply EU-compliant policies to all employees. In the employment context, U.S. companies will be directly subject to the GDPR only if they have employees, prospective employees, or former employees who are considered “data subjects” under the GDPR. For most U.S. employers, this will likely be a only a small percentage of their total workforce — namely, those employees who are EU citizens and/or work in the EU.

However, given that the GDPR is more comprehensive than most U.S. data protection guidelines, employers might consider whether it would be most efficient to apply the GDPR’s safeguards to their entire workforce. This would avoid the confusion that might occur from having different standards apply to the personal data of different groups of employees.

Employers with questions regarding their obligations under the GDPR are advised to consult with legal counsel familiar with EU data protection laws.

Gary D. Finley is an attorney at Schwartz Hannum in Andover, Massachusetts, which represents management in labor and employment law matters, including litigation and counseling, and educational institutions in these and education law matters.