Data Privacy in the European Union
By Kathryn Chapman

Does your company have customers in Europe? Do you have any employees there? Do you require your European employees to "blow the whistle" on wrongdoing by fellow employees? Do you monitor the e-mail transmissions of your European employees? If so, you should be aware of the different approach taken by the member states of the European Union ("EU") with respect to data privacy, and of how that difference may affect your business.
By way of background, it is important to know that while the US takes the approach that the "industry" should self-regulate data protection, in the EU there are specific laws governing the control and processing of "personal" information.
Further, there is a distinct historic suspicion in Europe regarding the use of private information for purposes of "profiling". Fascist oppression prior to and during World War II still colors the approach to personal information taken by the EU. In certain EU countries, co-workers making anonymous calls to a "hotline" to report bad behavior conjure up images of collaborators' denunciation of their neighbors.
The EU is a union of 25 (27 as of 1st January 2007) independent democratic member states. The European Union's activities cover most areas of public policy. The European Commission is the EU body that proposes and implements legislation. In 1995, the Directive on Data Protection ("Directive") was issued by the European Commission, setting forth the key principles for member states to use in adopting their own laws for protecting personal information. The law is not implemented identically in each jurisdiction, so a company must be aware of any anomalies in each jurisdiction where it has employees or customers. "Harmonization" of laws among member states is a goal which is not yet complete in the EU.
The Directive and its implementing legislation throughout the EU affect US companies if they collect and/or process information about individuals in Europe. It can apply to customers, suppliers, employees, potential employees – any individual for whom that company collects or processes data. Why is it important to comply with this legislation? There can be adverse implications to non-compliance, such as monetary fines for infringement (which vary from jurisdiction to jurisdiction). Employee rights are very important within European countries, and violation of employee data privacy can have disastrous effects on workers' morale (as well as serving as a bargaining tool in negotiations on other worker issues). Non-compliance can result in bad publicity which can damage share prices. If a company is non-compliant in relation to data protection, it may see adverse consequences in pricing discussions when it comes to the sale of a European subsidiary.
Throughout the EU, data protection legislation covers personal data, which is defined as any information relating to an identified or identifiable natural person. This means anyone who can be identified, directly or indirectly, in particular by an ID number or by one or more factors specific to the physical, physiological, mental, economic, cultural or social identity of that individual. The laws also apply to two or more pieces of information which, if put together, would make it possible to identify an individual. The legislation covers any possible activity carried out in relation to such personal data, from initial collection to final destruction – whether done electronically or manually. It also applies to customer contact information which reflects personal details, such as the contact's e-mail address, telephone number, name or photo.
The EU Directive contains special requirements for the control and processing of "sensitive data", which is any information relating to race, ethnic origin, religious or philosophical belief, political opinions, health or sexual life. The restrictions on the collection and use of this data are much tighter and usually require the individual's specific consent.
The most important restriction for US companies under the EU Directive is the prohibition against transferring personal information out of Europe to countries which do not have adequate or equivalent protection for personal information. The US is not considered to be a country which offers adequate protection. There are a few exemptions to that restriction, with respect to the US:
- 1. The data subject can consent to the transfer (although in some countries, such as France, an employee is not deemed free to give such consent to an employer).
- 2. The US transferee of personal data can voluntarily register with the FTC and agree to comply with certain Safe Harbor principles. This process takes time and involves audits, verifications and annual re-registration. About 900 organizations in the US are currently registered under this process.
- 3. Model clauses have been approved by the European Commission which can be added to transfer contracts to cover the requirement for data protection safeguards. These clauses are more onerous than they may seem on their face.
- 4. "Corporate Rules" is a new approach that some large companies, such as G.E., have started to take, which establishes corporate policies intended to deal with intragroup transfers (any such proposed policy will require individual approval by the European Commission).
In sum, a US company which has employees, customers, suppliers or other individuals in Europe must be careful about the information it obtains and controls about those individuals. If the information remains in Europe (and is not accessible from the US), the local entity must at least comply with that jurisdiction's enabling legislation on data protection, which typically involves, at least:
- a) registration with the appropriate regulatory authorities;
- b) fair and lawful processing;
- c) collection only of data which is adequate, relevant and not excessive;
- d) no retention of data for any longer than necessary for the purposes for which it is collected;
- e) taking appropriate steps to safeguard against accidental or unlawful loss, alteration or unauthorized disclosure of personal information;
- f) advising subjects what information the data controller holds about them, the purpose of that collection and any relevant information about processing of the information;
- g) giving subjects the right to access information which the organization controls about them.
If the data is to be transferred to the US or made available to individuals in the US electronically (even while the information technically resides on a server in the EU), then the US transferee must meet one of the exemptions to the prohibition against transferring such data to a country without adequate protection for personal data.
Be careful when monitoring e-mail accounts or phone calls, which may contain personal information protected under local rights to privacy in a particular jurisdiction. Make sure employees are aware of potential monitoring. Regarding Section 301 of Sarbanes-Oxley (the whistleblower protection provision which requires a company to establish procedures for the receipt, retention and treatment of complaints, including fraud and auditing abuse, through an anonymous communication channel), be aware that applying this in France may be problematic. Employees' use of whistleblowing programs must not be mandatory in France and should be limited to the areas of finance, accounting, banking or anti-corruption.
For further information on these areas of data privacy in the EU, please contact Fitzgerald & Hewes.