Many international companies wishing to transfer HR data from their European subsidiaries to the United States have found their plans restricted by EU data protection rules. In broad terms, the EU authorities do not regard the United States as having sufficiently tight data protection rules in place to make it a safe destination for such data in the absence of additional safeguards. This is becoming an increasingly pressing issue, given the wish of many multinationals to put in place centralised HR databases, often located in, or accessed from, the United States.
Recent guidance from the EU Commission has firmed up the view that simply obtaining the employees' consent to the transfer of their HR data is unlikely to provide an adequate long-term solution for companies engaged in repeated or structural transfers—precisely the situation that arises with a centralised HR database.
Alternative mechanisms have included the voluntary "Safe Harbor" principles, and contractual safeguards based on the European Union's standard clauses, or "model contract." Adding to the menu of options for multinational organizations, the UK Information Commissioner recently approved General Electric Company's "Binding Corporate Rules" (BCRs), governing transfers of HR data outside the European Union.
Multinational organizations planning EU-US data transfers must consider a growing menu of compliance options.
The Safe Harbor data protection compliance program, operated by the US Department of Commerce, has become a popular device for international companies. The Safe Harbor is open to organisations that are subject to the jurisdiction of the Federal Trade Commission, but some sectors—such as financial services, which fall outside the FTC's jurisdiction—are excluded. The Safe Harbor requires the US parent to self-certify to the Department of Commerce that it will conform to the EU data protection norms reflected in the published Safe Harbor principles. The self-certification process is relatively straightforward, but many companies incorrectly assume that registration is the final step. Companies still need to make sure that their processing within the European Union complies with local data protection rules, which vary from country to country.
The Safe Harbor registration will facilitate the data transfer—but additional data regulations may still apply. These may include requirements to notify data protection authorities in individual EU Member States, or to adopt specific or group-wide data protection policies or confidentiality agreements. Further, employees must be given a data privacy notice that explains the nature of the data being transferred to the United States and the purpose of the transfer. Finally, the Safe Harbor is applicable only to data transfers from an EU Member State to the United States. Alternative compliance mechanisms must be used for transfers to corporate data processing centers in other countries.
An alternative compliance approach is the use of the European Commission-approved model contracts. There are currently three forms of available contract:
- 2001 C2C, which governs the international "controller-to-controller" transfer of personal data between contracting entities, where each entity is likely to control and make decisions about how the data would be processed.
- 2001 C2P, which governs the international "controller-to-processor" transfer of personal data between contracting entities, where the exporting entity is effectively outsourcing a process to a data processor. Under this contract, the exporting entity continues to control and make decisions about how the data is processed.
- 2004 C2C, which is a more business-friendly variation of the 2001 C2C for controller-to-controller transfers.
US-based companies that centralize HR data processing in the United States are likely to require controller-to-controller contractual safeguards.
As with BCRs (discussed below), the contracts create third-party rights for EU data subjects, so that the employees can enforce the contracts directly against the employer. Unlike BCRs, however, the details of the privacy policies and practices that may (or may not) underpin the model contracts need not be published.
A drawback to the use of model contracts in a multinational context is that they must be carefully structured and drafted to cover all anticipated data transfers and uses, lest they become unwieldy or outdated. Further, as with the Safe Harbor program, companies still need to ensure that their processing of data in each EU state complies with local data protection laws.
Binding Corporate Rules
BCRs are a relatively recent tool proposed by the European Union's Working Group on Data Protection Policy as a means of achieving group-wide data privacy compliance for international transfers within multinational organizations. The rules themselves amount to a form of code of conduct, binding across the group as a whole, and provide certain specific rights to employees and certain other specified categories of data subjects.
In order to implement BCRs, a company must nominate a lead regulator from within the European Union whose role it is to "broker" the BCRs to its counterparts across the European Union. The rules need to be binding on all EU affiliates and, at a minimum, must give the employees rights to enforce the code of conduct directly against the group if they so wish. Once approved by the relevant EU regulators, the personal data of those data subjects covered by the BCRs may flow relatively freely within the group.
At first blush, the BCRs appear to offer the most comprehensive compliance framework available for multinationals. However, beware of the following:
- The Working Group has cautioned that the substantive rules of BCRs must be uniform throughout the corporate group. This could mean that, even after the lead regulator has approved the rules in principle, there could be a certain amount of amendment to ensure the rules comply with local laws in all affected EU states.
- Although the rules are uniform, enforcement mechanisms may differ across the European Union. Further, the BCRs are underpinned by a detailed compliance programme backed up by audit.
- Finally, the practices concerning BCRs are still new, and it is not yet clear whether their implementation will reduce or increase a company's exposure to claims. Nor is it clear how flexible the other European regulators will be once the lead regulator has approved the BCRs.
Ultimately, BCRs may become a useful compliance tool for multinational companies, once it becomes clearer what standards EU regulators will use to evaluate and approve BCRs. In the short term, however, model contracts or the Safe Harbor registration may offer the most appropriate compliance options.
We have advised numerous clients in relation to the transfer of data from the European Union to the United States and on the data protection issues that can arise when implementing centralised HR systems. We can also assist in the placement of appropriate mechanisms to ensure that data processing being carried on in various EU states complies with local laws.