Restricting Data Flow
The European Union's Data Protection Directive turns employee records into a 'controlled substance'
Employee privacy concerns can be subject to conflicting interpretation as well as changing trends, and it can be a challenge for HR to keep up with the latest opinions and regulations. Over the years, for example, questions regarding age, military experience, religion and marital status have gradually dropped off employment applications.
It’s not easy to keep up to date on the stream of privacy rules from legislatures, courts, labor officials and human rights commissions, but HR professionals in the United States may find it less challenging than their counterparts in Europe. That’s because the European Union’s Data Protection Directive (DPD) sets stringent restrictions on which personal information can be collected and stored. Compliance requires not only putting in place a few new procedures, but also shifting one’s viewpoint on the entire subject of personal data.
“In the United States we are used to using information as freely as water, but in the [European Union] it is viewed as a controlled substance like a drug,” says Donald F. Harris, Ph.D., president of HR Privacy Solutions Ltd. of New York, who assisted the U.S. Department of Commerce in its data privacy negotiations with the European Union (EU). “HR staff really need to get the viewpoint that they are working with a controlled substance, which is not the American way of thinking about it.”
The Euro Method
The EU is an economic and political union comprising 15 western and southern European member countries representing more than 350 million citizens. That population is set to grow by tens of millions, as 10 additional countries, including former Soviet satellites, are scheduled to join the EU by next year. Two more nations are candidates for inclusion by 2007.
Its roots lie in trade federations formed by six countries (France, West Germany, Belgium, Italy, Luxembourg and The Netherlands) in the 1950s. These federations later merged into the European Economic Community, frequently referred to as the Common Market and later simply called the European Community. In 1993, the members ratified the Maastricht Treaty, which created the European Union with expanded foreign policy and security duties, authorized a central bank and implementation of a common currency, the Euro, for all member states.
The EU is somewhat more similar to the United States than it is to a group such as the United Nations. Its members delegate sovereignty to the EU in certain areas affecting common interests while retaining control over matters within their own borders.
One of the areas in which the member countries have granted authority to the central government is privacy. Out of this came the EU’s DPD, which was passed on Oct. 24, 1995, and went into effect three years later. The directive applies to any individuals, companies or other entities within the EU member countries, and it also regulates the passing of personal information to others outside the EU. Any company that has employees or customers in any of the EU member states must comply with the privacy regulations. For example, if a U.S.-based company has a branch office in France, the law restricts which employee information can be passed from the branch office to headquarters and what the main office can do with the information it receives.
The DPD, like many other European regulations, is different in scope and design from similar regulations in the United States.
“The U.S. approach targets specific areas of information such as financial information, video rentals or Social Security numbers and passes laws concerning those areas that are considered most important at that time,” Harris explains. “The Europeans take the exact opposite approach, passing a law that covers all personal information of any type, processed by anyone in any format no matter the technology used.”
The DPD has two main purposes: to protect personal privacy and to standardize privacy regulations. Standardization makes it easier to pass personal information between entities in different countries.
According to the EU’s Internal Market Commission, which oversees the directive, the four basic provisions ensure that:
In addition, the DPD sets stringent rules relating to sensitive data, which includes “data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sexual preference.”
While the DPD specifies the guidelines for protecting privacy, each member country determines how to implement them. In Germany it is even more complicated, as each region sets its own rules. Although the DPD officially went into effect in 1998, not all the individual member countries have finished adopting their own laws implementing the DPD.
DPD and U.S. Companies
U.S. firms need to be concerned about how the DPD affects operations in Europe and how it affects information transferred to the United States. Any European offices or branches of U.S. companies must follow the data protection law of the country in which the office is located. In most cases this means that before the company can collect employee information, create a database or process any personal information, it must submit its plan to that country’s Data Protection Authority and receive approval, a process that takes months.
In addition to regulating use of data within the country, the DPD also forbids the sending of personal data in any form to any country that the EU feels does not have adequate data protection laws. The United States is one such country. Needless to say, that provision raised concerns, as it could have prohibited U.S. firms from collecting personal data from their European branches.
The U.S. Department of Commerce negotiated with the EU to create the Safe Harbor program in 2000. Under Safe Harbor, U.S. companies can establish privacy processes that meet the EU requirements, and each year they must file with Commerce a certification form stating their compliance with the regulations. Commerce posts those certifications at
Participating in Safe Harbor offers several advantages. To begin with, when the EU determines that a company has adequate privacy rules, that finding holds for all EU members. It also means that the requirement for prior approval on data transfers is waived or automatically granted, so companies no longer have to await approval from a country’s Data Protection Authority.
In its Safe Harbor certification, an organization needs to state that it adheres to the safe harbor principles, which include:
Some 300 companies have participated in the Safe Harbor program, but only about half of these certifications cover HR information.
Instead of joining Safe Harbor, companies have two other options. They can sign a data protection contract between the European and U.S. branches that complies with the terms of a model contract approved by the EU, or they can get approval from the Data Protection Authority of the European country in which they do business.
The DPD is still a work in progress. Several countries just implemented their laws in the past year, and Ireland’s and France’s laws are still under discussion. These national laws are often incompatible and sometimes they create barriers to the free flow of data between member countries. This has limited the ability of European companies to compete, says Frits Bolkestein, a commissioner of the EU’s Internal Markets and Taxation Commission. It makes no sense to create a single European market if companies then have to run separate databases for each country in which they operate, he said, speaking at a conference on the DPD last October.
The commission will be working to further streamline and standardize procedures throughout Europe so the DPD will achieve its desired ends, Bolkestein says. But, in the meantime, such glitches do not excuse companies from compliance with the directive. U.S. companies were given a grace period during the development of the Safe Harbor program, but that has passed. Failure to comply will be met with civil penalties (up to $500,000 in Spain) and criminal penalties (up to three years in France).
“Most international corporations violate the directive every day, faxing things back and forth or talking about personnel over the phone,” says the HR information systems manager of one Fortune 500 firm that is still developing its Safe Harbor compliance procedures. “There are some countries out there that are licking their chops looking for a really good case to grab onto and sue the hell out of somebody.”
Drew Robb is a California-based freelance writer who specializes in technology, engineering and business.