GDPR (EU data protection) from an HR perspective

The GDPR will replace the mixed blend of 28 different EU Member States’ laws with a single, unifying data protection law, which should lead to significantly greater data protection harmonisation throughout the EU. Its main objectives are threefold:

1. The GDPR increases the rights for individuals.
2. It strengthens the obligations for companies.
3. The GDPR dramatically increases fines in case of non-compliance, up to €20m (£17m) – or up to 4% of total worldwide annual turnover.

What important changes should be on your HR team’s radar?

1. Consent – Under GDPR an employee’s consent remains a legitimate basis for processing his or her personal data. However, such consent must be “freely given, specific, informed and unambiguous” and clearly “distinguishable”. Further, it is important that the employee is able to withdraw consent as easily as it was given in the first place. In light of the clear stipulations around the form that the employee’s consent must take, it is highly unlikely that blanket data protection consent clauses in contracts of employment and policies will suffice.

2. Subject Access Requests – The right of employees to request information about the personal data processed by the employer remains broadly the same. However, under GDPR the starting position will be that the employer must respond to a request without undue delay. The current 40 days will be replaced by 30 days. The £10 fee some companies levy for making the request will be abolished.

3. New (and enhanced) Rights – GDPR introduces some new employee rights as well as enhancing existing ones. For example, employees will have a new data portability right which will allow them to request that certain personal data is transferred directly to a third party. Further, employees will be armed with a suite of so-called “delete it, freeze it, correct it” rights which are aimed at giving them more control (in certain circumstances) over how their personal data is processed.

4. Data Breach Notification – In the UK employers must notify personal data breaches to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of them. The term ‘personal data breach’ covers a plethora of common workplace mistakes such as a laptop or file left on a train or an e-mail sent to an incorrect address. It is important to remind employees that even apparently minor incidents must be reported internally if data has been lost or compromised.

5. Routine CRB Checks – Enhanced DBS checks will still be permitted. However, if employers adopt a routine policy of conducting DBS checks on all employees regardless of role, and whether or not there is an English legal requirement to that effect, this may be unlawful under the GDPR. Although standard and enhanced DBS (Disclosure and Barring Service) checks will still be permitted under GDPR, employers (as it currently stands) will not be able to conduct routine basic DBS checks on all employees (unless their role requires them to be security cleared).

GDPR has already started to appear in the soft case law of the CJEU (Court of Justice of the European Union), in the AG Opinion in Manni.

The recent judgment of the CJEU in Case C-398/15 Manni (9 March 2017) brings a couple of significant points to EU data protection case law:

• The court clarifies that an individual seeking to limit access to his/her personal data published in a Companies Register does not have the right to obtain erasure of that data, not even after his/her company has ceased to exist;
• The court clarifies that the individual does have the right to object to the processing of that data, based on his/her particular circumstances and on justified grounds.

Organisations should be checking that all their HR staff are fully engaged on GDPR to ensure there is a comprehensive grasp of the responsibilities and actions required ahead of implementation. How ready is your HR department? Let us know.

Red October For EU After Safe Harbour Decision Collapses Pan Atlantic Agreement

Updating our blog of 9th October, the end of January 2016 will mark the point from which EU data protection regulators could start prosecutions for any improper transfer of EU individuals’ personal data from Europe to the US – unless a replacement to the Safe Harbour Agreement is rapidly agreed.

The heat is firmly on in Brussels now to find a workable solution, and fast: the ramifications facing up to 4,500 US companies (not just tech firms) that transfer data across the Atlantic between Europe and the US now mean organisations could face 20 or more different sets of national data-privacy regulations in place of the Safe Harbour Agreement, which had been in place for 15 years.

The NSA’s mass data collection, originally highlighted by the Edward Snowden leaks and raised in a case brought by law student Max Schrems against Facebook, prompted the Court of Justice of the European Union (CJEU) ruling on 6th October 2015. This now looks set to massively disrupt the international ecosystem for data transfer, legal adherence and sovereign user assurances. The regulators emphasised that the question of mass and indiscriminate surveillance was central to the CJEU’s decision, and that a replacement data transfer agreement would have to provide “stronger guarantees to EU data subjects” accompanied by “clear and binding mechanisms” and “oversight of access by public authorities”.

The main points

• Individual European countries can now set their own regulation for US companies’ handling of citizens’ data, vastly complicating the regulatory environment in Europe (Russia recently introduced a new data law demanding that data on Russian citizens be stored within Russia).

• Countries can choose to suspend the transfer of data to the US — forcing companies to host user data exclusively within the country.

• The Irish data regulator (host nation for Facebook and Microsoft’s European data centres) has now agreed to examine whether Facebook offered European users adequate data protections – and it may order the suspension of Facebook’s transfer of data from Europe to the US if not.

Privacy lawyer Dr Susan Foster of Mintz Levin commented: “Consent has to be explicit and freely given” — which causes a headache for another key use of Safe Harbour, the transfer of employee data. “In many countries in Europe you can’t rely on consent from employees, because employees are understood not to have free choice.” An employee may feel pressured into consenting, so such a consent would not be a valid basis for the transfer. “A lot of multinational companies with employees in Europe rely on Safe Harbour because they don’t feel they can rely on consent, quite rightly.”

A new dawn awaits data controllers across Europe. The upshot is likely to be one filled with more model contract clauses and a greater emphasis on risk-based analysis surrounding data transfer. But whatever the outcome, from 1st February 2015, ‘ignorantia juris non excusat’ – roughly translated: ‘ignorance of the law is no defence’. Businesses beware!


Google’s “ne m’oublie pas” hit by Europe’s desist and delist world ruling as “right to be forgotten” issue rumbles on


France’s privacy regulator, the CNIL, has rejected Google’s request that the “right to be forgotten” ruling should apply only to its European domain names rather than to all Google websites worldwide.

The decision requires Google to close a loophole that enabled searchers to defeat last year’s judgment of the Court of Justice of the European Union (CJEU): Google removed results from localised sites such as google.fr and google.co.uk but continued to display the disputed links on google.com. The French regulator stated that Google’s various domain names were just “different paths to the same processing operation”, making it easy for users to circumvent the block.

As we widely reported in our blogs in May 2014, the CJEU recognised the right to be forgotten, allowing people to ask search engines not to display certain links that appear following a search on their name.

The upshot of the original Spanish ruling was not to erase the underlying material but to make it far harder to find. The desire and drive for data privacy was duly thrown into conflict with the arguments for freedom of speech and public interest.

It’s essentially one of the inevitabilities for society when citizens have such an incredibly powerful search tool at their fingertips, which today’s younger generation greedily take for granted. It’s only a generation ago, in pre-Google days before 1998, that people would have had to resort to books and library articles, combing paper archives to get the information they wanted. We now move at such lightning pace with technology that we must always be mindful of some of its downsides and fully maintain our corporate responsibilities surrounding data privacy, or pay the heavy penalties.

For a business, a privacy breach might prompt a penalty of up to 5% of its global profits; however, in the EU regulatory ring, the CNIL’s sword appears to carry little weight. After four months, the French regulator’s threat is limited to “discussing appointing someone to report to its sanctions committee with a view of obtaining a ruling on this matter”.

With 500 million EU citizens, there is a mess of different legal regimes, making it hard for European businesses to navigate. This is what the new EU Data Protection Regulation hopes to cure, if the EU stakeholders can agree the text. It would certainly be a stimulant to Google if it knew it had one European privacy regulator to deal with and 5% of its turnover at stake if it broke the rules. It seems a long way off, but organisations should consider data security and data protection as being amongst their highest priorities looking ahead.