Tougher Data Privacy Law on the Horizon in Europe

The European Union is poised to adopt a new data privacy regulation that will affect global companies. Here’s how to prepare.

By Bill Roberts Jan 7, 2015


The European Union (EU) is on the verge of adopting a regulation that will affect how companies protect employee and customer data in all 28 EU member nations.

The final version of the EU’s General Data Protection Regulation is expected in 2015, and it will be followed by a two-year period to comply. It will impose stiffer fines than current rules allow for noncompliance and could result in changes to the U.S. Department of Commerce’s Safe Harbor program, which gives U.S. companies the option to comply with the current EU privacy directive by registering and certifying and then recertifying annually that they are in compliance with the directive’s principles. The Federal Trade Commission (FTC) has come under criticism for lax oversight of Safe Harbor.

There’s no reason for employers to wait for the new regulation or Safe Harbor revisions. HR should act now—along with IT, legal and other functions—to prepare.

Seeking Uniformity

The EU’s new privacy regulation would replace the 1995 Data Protection Directive, which provided a framework of principles that each EU nation individually adopted into law. The draft regulation would impose one law in all 28 nations.

“For HR managers, more uniformity is good news,” says W. Scott Blackmer, founding partner of InfoLawGroup LLP in Salt Lake City, who consults on employee privacy matters.

But uniformity also requires 28 nations to compromise—not an easy task. Not surprisingly, the final version of the regulation has been delayed. The EU Parliament adopted the current draft, comprising 91 articles governing all aspects of data privacy, earlier in 2014 with the expectation that a final version, which requires approval by other EU organizations, would be issued by the end of 2014. The final regulation is now expected late this year.

Not everyone expects the EU to reach a compromise. “They are far from consensus on a number of points,” says Jens-Henrik Jeppesen, director for European Affairs for the Center for Democracy & Technology, an advocacy group. “Some countries have been arguing that it would be better to have a new directive rather than a uniform regulation.”

Although the draft contains several controversial provisions (see sidebar), one proposal in particular would benefit U.S. employers: a single point of oversight, also known as a one-stop shop for compliance. At present, each EU member country’s data protection agency (DPA) enforces data privacy law within its borders. Thus, a company faces oversight from the DPA in each nation in which it has employees or customers.

The most popular approach in the current draft is to designate the DPA of the nation where the company has its European headquarters.

Within the EU, opponents of the one-stop approach—especially Germany, which has the toughest data privacy law—argue that each nation should continue to handle its citizens’ complaints; they say having a single point of oversight could result in more lax attitudes than a particular nation prefers.

According to Omer Tene, vice president of research and education for the International Association of Privacy Professionals and managing director of Tene & Associates, which consults on privacy with governments and businesses, one senior legal advisor to the EU Parliament contends that the one-stop approach may even be unconstitutional because it denies due process.

Storms for Safe Harbor

The fact that the EU draft regulation does not mention the U.S. Department of Commerce’s Safe Harbor program, which governs the transfer of employee and customer data between the U.S. and the EU, has drawn sharp criticism from the American Chamber of Commerce office in the European Union: “The regulation should expressly include the EU-U.S. Safe Harbor program as an appropriate safeguard enabling data transfers,” the Chamber said in a 2012 position statement.

But some say the chances that the program will remain intact are slim.

“Safe Harbor will have to change to survive,” says Eduardo Ustaran, a partner in the London office of Hogan Lovells International LLP, a global law firm. “There were already serious concerns by politicians and the private sector about the ability of Safe Harbor to do what it is meant to do.”

Safe Harbor has been criticized for being too easy to disregard after the initial certification and for not being enforced by the FTC. The EU issued a report on the program’s shortcomings in late 2013.

Most concerns are related to supervision and enforcement.

For the first decade of Safe Harbor, there were almost no legal proceedings or sanctions. “Safe Harbor has not gone down well in some quarters in Europe,” Blackmer says. “It is sometimes referred to as ‘EU privacy lite.’ ” For that reason, “whether the EU regulation goes through or not, the EU has been pushing the U.S. to make changes.”

How to Prepare

While the EU final regulation and its impact on the Safe Harbor program are not yet known, companies that already have good data privacy practices in place will be better positioned to deal with new rules.

These practices include the following:

Know your data. Document what data you have, where it resides and who has access to it, including third-party providers, especially payroll processors. The proliferation of cloud-based software-as-a-service for recruitment and other HR applications can make this task more difficult.

“If you don’t know where your data is going, you can’t meet your EU, HIPAA [Health Insurance Portability and Accountability Act] or any other privacy obligation,” says Brent Hoard, manager for health information privacy and security advisory at PricewaterhouseCoopers.

Have privacy governance in place. Written procedures and policies should include plans on how to handle breaches. In a recent survey of 567 U.S. executives, the Ponemon Institute found that 73 percent of their organizations had breach response plans, although 30 percent of respondents believed those plans were inadequate.

Designate a data protection officer. Select someone to coordinate data privacy efforts across departments. “It needs to be cross-disciplinary, and you need a senior person responsible for it,” Blackmer says.

Bill Roberts is technology contributing editor for HR Magazine and is based in Silicon Valley.
