Transatlantic and EU regulation changes move data protection up the HR agenda

Self-certification involved publicly declaring that the organisation complied with the data protection requirements through the Safe Harbor website or informing the US Department of Commerce of the company’s intention to comply.

In the Schrems case, the CJEU decided the Safe Harbor regime was invalid following worries about US surveillance of EU citizens’ personal data. Its proposed replacement, the Privacy Shield, imposes stronger obligations on US companies to protect EU citizens’ personal data and includes an assurance from the US regarding access to data by public authorities, and channels for individuals to seek redress. The details are being analysed at the moment by the European Commission but it is likely the Privacy Shield will be implemented in some form.

In principle, organisations can continue to use standard contract clauses and binding corporate rules, although arguably their long-term future is in doubt for the same reason as Safe Harbor. In the meantime, businesses should ensure they understand the basis of any transfers and monitor developments.

There are also challenges on the horizon from changes arising from the proposed EU General Data Protection Regulation due to come into effect in 2018. As a regulation rather than a directive, it will automatically become part of UK law and should result in a common set of rules across the EU. However, member states can legislate domestically in the area of employment so uncertainty remains for employers over the extent to which member states (including the UK) do this.

The EU regulation proposes increased penalties for non-compliance and changes to consent. It is already recognised that consent given in employment contracts is generally not sufficient to process employees’ personal data because most employees have no real choice over their contractual terms. The regulation sets out additional conditions for consent and makes it clearer that consent in employment contracts will not be sufficient. Employers will have to rely on another justification for the processing, such as their “legitimate interests” or processing being a necessary part of the employment contract.

The period for complying with data subject access requests will reduce from 40 days to one month, with a possibility of a two-month extension. Data controllers will also be able to charge a reasonable fee or refuse to comply with the request where it is “manifestly unfounded or excessive”. These changes should make it easier for employers to deal with requests but they will have to provide employee data subjects with extra information, including details of data retention periods and rights to have inaccurate data corrected.

The regulation will also provide the right to be forgotten and the right to rectification. It remains to be seen how commonly these rights are enforced in practice or used as leverage in employment disputes.

Whether the UK will still be subject to European data protection laws after the Brexit vote on June 23 remains to be seen. But HR should be considering now what resources they will need to allocate to data protection in the future.