HR Technology

By Drew Robb Apr 1, 2003
Reuse Permissions

HR Magazine, April 2003Restricting Data Flow

The European Union's Data Protection Directive turns employee records into a 'controlled substance'

Employee privacy concerns can be subject to conflicting interpretation as well as changing trends, and it can be a challenge for HR to keep up with the latest opinions and regulations. Over the years, for example, questions regarding age, military experience, religion and marital status have gradually dropped off employment applications.

It’s not easy to keep up-to-date on the stream of privacy rules from legislatures, courts, labor officials and human rights commissions, but HR professionals in the United States may find it less challenging than their counterparts in Europe. That’s because the European Union’s Data Protection Directive (DPD) sets stringent restrictions on which personal information can be collected and stored. Compliance requires not only putting in place a few new procedures, but also shifting one’s viewpoint on the entire subject of personal data.

“In the United States we are used to using information as freely as water, but in the [European Union] it is viewed as a controlled substance like a drug,” says Donald F. Harris, Ph.D., president of HR Privacy Solutions Ltd. of New York, who assisted the U.S. Department of Commerce in its data privacy negotiations with the European Union (EU). “HR staff really need to get the viewpoint that they are working with a controlled substance, which is not the American way of thinking about it.”

The Euro Method

The EU is an economic and political union comprising 15 western and southern European member countries representing more than 350 million citizens. That population is set to grow by tens of millions, as 10 additional countries, including former Soviet satellites, are scheduled to join the EU by next year. Two more nations are candidates for inclusion by 2007.

Its roots lie in trade federations formed by six countries (France, West Germany, Belgium, Italy, Luxembourg and The Netherlands) in the 1950s. These federations later merged into the European Economic Community, frequently referred to as the Common Market and later simply called the European Community. In 1993, the members ratified the Maastricht Treaty, which created the European Union with expanded foreign policy and security duties, authorized a central bank and implementation of a common currency, the Euro, for all member states.

The EU is somewhat more similar to the United States than it is to a group such as the United Nations. Its members delegate sovereignty to the EU in certain areas affecting common interests while retaining control over matters within their own borders.

One of the areas in which the member companies have granted authority to the central government is privacy. Out of this came the EU’s DPD, which was passed on Oct. 24, 1995, and went into effect three years later. The directive applies to any individuals, companies or other entities within the EU member countries, and it also regulates the passing of personal information to others outside the EU. Any company that has employees or customers in any of the EU member states must comply with the privacy regulations. For example, if a U.S.-based company has a branch office in France, the law restricts which employee information can be passed from the branch office to headquarters and what the main office can do with the information it receives.

The DPD, like many other European regulations, is different in scope and design from similar regulations in the United States.

“The U.S. approach targets specific areas of information such as financial information, video rentals or Social Security numbers and passes laws concerning those areas that are considered most important at that time,” Harris explains. “The Europeans take the exact opposite approach, passing a law that covers all personal information of any type, processed by anyone in any format no matter the technology used.”

The DPD has two main purposes: to protect personal privacy and to standardize privacy regulations. Standardization makes it easier to pass personal information between entities in different countries.

According to the EU’s Internal Market Commission, which oversees the directive, the four basic provisions ensure that:

  • Personal data is only collected for “specified, explicit and legitimate purposes,” which include the performance of a contract to which the person is a party, compliance with a legal obligation or unambiguous consent. It should be noted, however, that some countries do not consider an employer and employee to have equal bargaining power, so consent from the employee is not, by itself, adequate authority for keeping information.

  • Any person on whom data is kept receives information about who is processing that information (referred to as the data controller) and the specific purposes for which the data is being gathered.

  • Any person has the right to access any data being kept on him or her and to change or delete incorrect information.

  • People have the right to pursue remedies through the court system for misuse of personal data.

In addition, the DPD sets stringent rules relating to sensitive data, which includes “data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual preference.”

While the DPD specifies the guidelines for protecting privacy, each member country determines how to implement them. In Germany it is even more complicated as each region sets its own rules. Although the DPD officially went into effect in 1998, not all the individual member countries have finished adopting their own laws regulating the implementation of the DPD.

DPD and U.S. Companies

U.S. firms need to be concerned about how the DPD affects operations in Europe and how it affects information transferred to the United States. Any European offices or branches of U.S. companies must follow the data protection law of the country in which the office is located. In most cases this means that before the company can collect employee information, create a database or process any personal information, it must submit its plan to that country’s Data Protection Authority and receive approval, a process that takes months.

In addition to regulating use of data within the country, the DPD also forbids the sending of personal data in any form to any country that the EU feels does not have adequate data protection laws. The United States is one such country. Needless to say, that provision raised concerns, as it could have prohibited U.S. firms from collecting personal data from their European branches.

The U.S. Department of Commerce negotiated with the EU to create the Safe Harbor program in 2000. Under Safe Harbor, U.S. companies can establish privacy processes that meet the EU requirements, and each year they must file with Commerce a certification form stating their compliance with the regulations. Commerce posts those certifications at

Participating in Safe Harbor offers several advantages. To begin with, when the EU determines that a company has adequate privacy rules, that finding holds for all EU members. It also means that the requirement for prior approval on data transfers is waived or automatically granted so companies no longer have to await approval from a country’s Data Protection Authority.

In its Safe Harbor certification, an organization needs to state that it adheres to the safe harbor principles, which include:

  • Notice. The company must notify individuals about the information collected, what it is used for, any third parties to which it sends information, options for limiting use of information and whom to contact for questions or complaints.

  • Choice.Individuals must have the option of refusing any disclosure of their data to a third party or the use of their data for purposes other than that for which it was originally collected. If the data is sensitive, the individual must give permission before it can be used.

  • Onward transfer. When transferring data to another organization, that organization must be subject to the DPD, participate in Safe Harbor, or enter into a written agreement to protect the data.

  • Access. Individuals can access their personal information and correct or delete inaccuracies.

  • Security. Organizations must protect against loss, destruction, unauthorized access or misuse of personal information.

  • Data Integrity. Personal information must be relevant, accurate, complete and current.

  • Enforcement.Companies must make available an independent recourse process and remedy any breaches of the Safe Harbor principles. Companies can use a dispute resolution service such as the Better Business Bureau for most complaints, but for employment issues they must yield to the jurisdiction of the Data Protection Authority in the country in which the employee works.

Some 300 companies have participated in the Safe Harbor program, but only about half of these certifications cover HR information.

Instead of joining Safe Harbor, companies have two other options. They can sign a data protection contract between the European and U.S. branches that complies with the terms of a model contract approved by the EU, or they can get approval from the Data Protection Authority of the European country in which they do business.

Looking Ahead

The DPD is still a work in progress. Several countries just implemented their laws in the past year, and Ireland’s and France’s laws are still under discussion. These national laws are often incompatible and sometimes they create barriers to the free flow of data between member countries. This has limited the ability of European companies to compete, says Frits Bolkestein, a commissioner of the EU’s Internal Markets and Taxation Commission. It makes no sense to create a single European market if companies then have to run separate databases for each country in which they operate, he said, speaking at a conference on the DPD last October.

The commission will be working to further streamline and standardize procedures throughout Europe so the DPD will achieve its desired ends, Bolkestein says. But, in the meantime, such glitches do not excuse companies from compliance with the directive. U.S. companies were given a grace period during the development of the Safe Harbor program, but that has passed. Failure to comply will be met with civil penalties (up to $500,000 in Spain) and criminal penalties (up to three years in France).

“Most international corporations violate the directive every day, faxing things back and forth or talking about personnel over the phone,” says the HR information systems manager of one Fortune 500 firm that is still developing its Safe Harbor compliance procedures. “There are some countries out there that are licking their chops looking for a really good case to grab onto and sue the hell out of somebody.”

Drew Robb is a California-based freelance writer who specializes in technology, engineering and business.

Reuse Permissions


HR Education in a City Near You

Find a Seminar

Job Finder

Find an HR Job Near You


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 3,200 companies

Search & Connect