The European Union's Data Protection Directive establishes a standard for protecting personally-identifiable data which is more demanding than currently accepted privacy principles in the United States. See our June 24, 1999 and April 18, 2000 Internet Alerts. The Data Protection Directive also restricts the transfer of EU personally-identifiable data to other countries - such as the United States - which are not deemed by the EU to have adequate privacy laws of their own. Such transfers have become particularly challenging for European subsidiaries of U.S. companies, which must both comply with the Data Protection Directive and at the same time provide human resource ("HR") and other information to their U.S. parent companies in connection with paying EU employees, evaluating their performance and conducting other routine operations. Companies should be aware that breaching the relevant rules in this area exposes them to civil claims as well as the risk of criminal prosecution.
On November 19, Hale and Dorr, in conjunction with Brobeck Hale and Dorr, conducted a seminar in London (with a live video conference link to Boston) that explored how U.K. and U.S. companies are dealing with these new regulatory challenges.
Sarah Harrop of Brobeck Hale and Dorr's London and Oxford offices discussed the implementation of the Data Protection Directive, along with the related Directive on the Protection of Privacy in the Telecommunications Sections (the "ISDN Directive") and the recent Directive on the Protection of Privacy in the Electronic Communications Sector (the "Spam Directive"), which was the subject of our August 12, 2002 Internet Alert. To see Sarah's PowerPoint presentation, click here .
Barry Hurewitz of Hale and Dorr's Washington office then reviewed the various methods by which personally-identifiable data may be transferred from EU countries to the U.S. under the Data Protection Directive. The primary mechanisms for transferring personal data from the EU to the U.S. permit transfers subject to contractual privacy safeguards, transfers necessitated by contractual obligations, and transfers to U.S. companies that have self-certified under the voluntary safe harbor program (see our February 14, 2001 and December 27, 2001 Internet Alerts). To see Barry's PowerPoint presentation, click here.
Finally, Henry Clinton-Davis of Brobeck Hale and Dorr's London Office reviewed, from a U.K. labor law perspective, the HR issues that arise when dealing with personally-identifiable information of U.K. employees. Click here to review a paper discussing data protection principles in the HR context, including special guidelines for sensitive personal data, the U.K. Information Commissioner's employment practices data protection code, proposed additional European privacy legislation, individuals' rights to access data about themselves, procedures for handling medical and sickness records, guidelines for monitoring employees' e-mail and Internet usage, providing access to records of disciplinary investigations, and remedies for privacy violations. To see Henry's PowerPoint presentation on laws and regulations with respect to U.K. HR data and employee monitoring, click here.