HR Technology

By Bill Roberts May 1, 2008

HR Magazine, May 2008

Protecting Employee Data Globally

Knowing the rules can help employers safeguard employee privacy and still keep data flowing.

Employers in Germany must keep track of each worker’s religious affiliation because businesses support churches through payroll deductions. But don’t collect the same information in France: It’s unlawful.

Employers in France keep track of the sick days each worker takes because companies get tax credits for paying sick leave. But in Germany, tracking sick days is strictly verboten.

Nearly any field in an HR database might be illegal somewhere. As U.S. companies set up subsidiaries abroad and hire local talent, they want to transfer common employee data to a central database so they can recruit and manage talent globally. These organizations also might adopt efficiency measures such as single worldwide HR software platforms or shared services centers.

While providing aggregate personnel data such as head counts doesn’t raise privacy issues, collecting and transferring any employee information with names attached across geographic borders is another matter.

“We have to address privacy issues for any new HR process or organizational model that we roll out,” says Bernard Carrot, Paris-based global HR services director for Agilent Technologies Inc., in Santa Clara, Calif. “Dealing with international privacy issues is one step in each project.”

Sorting It Out

Fortunately, today’s enterprise HR management system software is relatively easy to configure for privacy differences. The same database that holds religious affiliation for workers in Germany can be set up to block that data field for employees in France.

But software is the least of HR professionals’ problems. Widely varying laws become the real data privacy hurdle.

“Most companies come to us with a lot of trepidation” about global privacy, says Cecile Alper-Leroux, director of human capital management product strategy for Lawson Software Inc., in St. Paul, Minn., who worked in France, Germany and the United Kingdom for three years for Lawson. Managers “need to educate themselves.”

European workers have higher expectations than employees in other countries when it comes to keeping their personal data private. For example, they are accustomed to giving their consent for information to be held. Consequently, the European Union (EU) has the toughest rules on data privacy. EU nations harmonized some policies with the EU Privacy Directive, spelling out common rules for transferring employee information across borders.

The United States has less stringent employee privacy rules than Europe, with some exceptions. The United States also has notification laws for stolen employee data. Prodded by a recent breach in the United Kingdom, the European Union only now is considering notification.

Many countries, including Canada, China, Japan and several South American nations, have adopted, or soon will adopt, policies similar to the EU directive—but different enough to cause headaches. While a U.S. company that resolves the EU problem has gone a long way toward resolving privacy issues globally, each EU member nation has its own laws.

Handle with Care

Before collecting employee information, employers must be aware of the specific laws governing treatment of data and need to get workers’ consent. It’s good practice to limit the number of common personal data points an employer collects around the globe. Alper-Leroux says most companies address talent management needs with 30 to 50 data points, but they usually start with fewer and increase the number over time.

Although other corporate functions may face data privacy issues, HR often serves on the front lines. “Whether implementing global HR systems or issuing global stock or compensation plans, [companies] need data transfer compliance mechanisms,” says Jim Koenig, a director and privacy consultant with PricewaterhouseCoopers LLP in New York.

U.S. companies have two mechanisms to deal with safeguarding the transfer of employee data: the U.S. Department of Commerce’s safe harbor program and model contracts, which are often used in combination. A third option, called binding corporate rules, is still evolving.

“Whether you choose safe harbor, model contract or corporate rules, the important thing is how you put [them] into operation,” says Amy Yates, former chief privacy officer (CPO) for Hewitt Associates LLC, based in Lincolnshire, Ill. Controls such as safeguards, training, storage, and technical and physical protection are most important.

Getting Certified

After the EU issued its directive, the European Commission and the U.S. Department of Commerce began to negotiate the safe harbor program rolled out in late 2000. Safe harbor covers the transfer of personal data from EU nations to the United States. When a company registers for safe harbor, it must certify compliance with principles including employee notification rules, choice (to opt out), security, data integrity and enforcement—and must be recertified each year. More than 1,200 companies have registered. The Federal Trade Commission has oversight.

Boeing Co., based in Chicago, registered for safe harbor in 2004, says CPO Debra Overlin, a former HR executive. “Safe harbor fit well with what we had in place. We believed we could be fully compliant with it, and it was an accepted practice.”

To comply, Boeing had to strengthen its employee privacy policy, now applied throughout the company. “We tend to err on the side of caution,” says Overlin. “If it is something we do in the EU, it is something we try to do globally.” The company’s policy describes what employee information is collected, where it is kept and how it is used. Boeing held training sessions for managers and others when the policy was new, and the company conducts annual training. As part of its yearly recertification, Boeing formally audits itself, Overlin says. Boeing also audits its HR vendors.

Safe harbor covers the EU, but Boeing still must register in each EU country and tell workers, in their native languages, what personal data it collects and how it uses and protects the data. The company must have a place where workers air questions or complaints in their languages. About 1,400 of Boeing’s 153,000 employees are in EU nations. Boeing has employees all over the globe and strives to be compliant with all privacy regulations.

“If you want to ship personnel data to India, Japan or other countries, safe harbor generally doesn’t work,” says Don Harris, president of HR Privacy Solutions, a consulting firm in Delhi, N.Y. While some companies shy away from safe harbor because of government oversight, Harris says, “Safe harbor is a reasonable solution for companies that do not have complex data flows from the EU to the United States.”

Eastman Kodak Co., in Rochester, N.Y., has been registered with the program since 2002, says Brian O’Connor, chief security and privacy officer, and an attorney with employment law experience. “Safe harbor is our preferred approach. It answers the problems we’ve had because we mainly bring data into the United States from Europe and in general do not send it to other countries. We have vendors who process the data in other countries, but safe harbor covers that as long as the data reside on our servers in the United States.”

Kodak also uses model contracts. “When you have to move data from Europe to another country outside the United States, then a model contract is your only option,” O’Connor says.

Following a Model

Model contracts govern eight aspects of privacy involving transfers between a data exporter and a data importer. A U.S. company would need to have a model contract with each subsidiary. Model contracts are less prescriptive than safe harbor, giving adopters more latitude to cover such things as passing data to third parties after the data reach the United States.

Harris says model contracts are “good for [data] transfers from Europe to anywhere in the world.” They are the only practical way to send employee data from the EU to an outsourcer in India. Whereas safe harbor mandates various employer duties, including training and disciplinary procedures, model contracts do not.

“Our U.S. parent company entered into the same model contract with each of its subsidiaries and affiliates, about 40 in all,” says Yates, who led Hewitt’s privacy program, including the execution of model contracts, for five years before leaving last year. These contracts set out a checklist including all the obligations of the company regarding the data, such as confidentiality and safeguards.

As the number of data relationships grows, model contracts can be cumbersome. “They’re expensive and, like any contract, [they] have to be amended as things change,” Koenig says. “A large company with many partners and a big web of vendors may find model contracts difficult.”

Rules That Bind

Binding corporate rules is a relatively new concept, intended for multinational companies. No company has binding corporate rules that apply globally yet, Harris says, though many businesses are working to put them in place.

Here’s how binding corporate rules work: Through one set of rules, a company agrees to follow the EU directive and individual EU privacy laws on a global basis. In a time-consuming process, the company must go to each EU jurisdiction and get approval.

General Electric (GE) has been working on finalizing its binding corporate rules for three years, Harris says. “On a practical level, getting all 27 member states in the EU to sign off is taking forever. GE hasn’t been able to do this yet but promises to make its rules public when it does succeed. Then it will only be a matter of time before delays in the approval process are streamlined,” Harris says.

GE officials did not respond to a request for an interview.

“The EU is only getting more complex because it adds more members over time,” says Joseph Alhadeff, CPO and vice president of global public policy for Oracle Corp., based in Redwood Shores, Calif. Oracle uses safe harbor and model contracts, says Alhadeff, who manages privacy initiatives and serves as a resource to HR product development teams. He says binding corporate rules can be effective but underscore the need for greater harmonization among EU nations.


In addition to privacy laws, each EU country has labor laws that empower workers in privacy matters, and U.S. companies must deal with foreign subsidiaries’ works councils, which represent workers, when setting up data transfer initiatives. German works councils impose the toughest standards, so some companies find that if they can reach agreement with German councils, it is easier to get workers in other EU subsidiaries to also sign off.

Agilent provides a good example. “We have an HR service center in Malaysia processing data for worldwide employees,” Carrot says. “We negotiated specific agreements with the works councils that allow us to process in Malaysia. The rules are most stringent in Germany, so when we convince Germany, we seldom have problems with the others.”

Carrot and his team have developed a process for getting help from the German works council in pushing deals through in the other 11 EU countries where Agilent has workers. “Working through these matters with the Germans can take two or three months, but if it is something we need right now—say, significant changes to our annual salary increase—we can fast-track it in about a month.”

Although Europeans are more protective of their privacy than U.S. workers, they are also less litigious. With few exceptions, EU privacy regulators prefer to deal with violations quietly and coax the companies to amend their ways.

“In the United States, we would single out an employer and hammer it with fines,” says Harris. “Europe is much more about trying to work things out.”

Bill Roberts is contributing editor for technology at HR Magazine.

Web Extras

Web site:
Safe harbor program
(U.S. Department of Commerce)

Safe Harbor Privacy Principles 

Web page:
Model Contracts for the transfer of personal data to third countries 

Working document:
Applying the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers 

