Four years in the making, the European Union’s (EU) General Data Protection Regulation (GDPR) represents the most dramatic change in EU data protection law since the current framework document, the Data Protection Directive, was adopted in 1995. Once in effect, the GDPR will regulate the processing (e.g., collection, use, disclosure, transfer, storage and destruction) of personal data collected from, or about, every EU-based employee of a U.S. multinational for purposes of human resources administration.
This Q&A, between Corporate Compliance Insights’ Founder and CEO, Maurice Gilbert, and Philip Gordon, Co-Chair of the Privacy and Background Checks Practice Group at Littler Mendelson, provides U.S. multinational employers with some general background on the GDPR and its importance to global compliance efforts, identifies key compliance requirements and suggests practical steps to fulfill those requirements.
Maurice Gilbert: What exactly is the GDPR?
Phil Gordon: The GDPR is the EU’s new framework document regulating data protection. The GDPR repeals and replaces the current framework document, the Data Protection Directive. Because the GDPR is a “regulation,” under EU law, it applies uniformly in all 28 EU Member States without the enactment of any national implementing legislation. As a result, the GDPR is expected to eliminate country-specific differences in data protection requirements that increase compliance burdens.
The GDPR is also designed to update the current data protection regulation to address the rapidly expanding digital economy by, for example, establishing the new right of data portability and right to be forgotten.
MG: Why is compliance with the GDPR important for U.S. multinational employers?
PG: Most fundamentally, the GDPR substantially increases the administrative fines that data protection authorities (DPAs) are authorized to impose. The maximum penalty for most violations is the greater of 4 percent of worldwide gross annual revenue for the corporate group, or €20 million — even if the entity responsible for the violation is a subsidiary with only a few employees. The DPAs are also empowered to bar data transfers from the EU to the U.S. parent corporation.
While the risk of these draconian sanctions for a U.S. multinational with a relatively small EU presence is low, the risk of an enforcement action under the GDPR will increase for at least two reasons: First, the media attention surrounding the GDPR (as well as the Snowden leaks and the European Court of Justice’s invalidation of the U.S.-EU Safe Harbor Framework in October 2015) has heightened EU employees’ concerns about the collection, use and disclosure of their personal data locally and the transfer of their personal data to the U.S. parent corporation. Second, the GDPR introduces mandatory notification to the DPA of a security breach. Post-notification investigations by DPAs likely will examine the reporting entity’s overall compliance with the GDPR, not just the breach itself.
MG: What is the deadline for compliance with the GDPR?
PG: The compliance deadline is May 25, 2018.
MG: What are the GDPR’s key compliance requirements for the processing of employees’ personal data?
PG: The key compliance requirements include the following:
- Identify permissible purpose(s) for data processing: Under the GDPR, an employer (the local subsidiary or branch office) is prohibited from processing employees’ personal data unless the employer has a permissible purpose for doing so as defined by the GDPR. While consent often is invoked in other contexts, the DPAs take the position that employees generally cannot validly consent to their employers’ processing of their personal data because of the hierarchical nature of the employment relationship. Consequently, EU employers will be required to rely on other grounds, such as (a) the processing is required by local labor laws, (b) the processing is necessary for the performance of the employment contract or (c) the processing is necessary for the legitimate interests of the employer. These grounds likely will be narrowly construed.
- Provide employees with a data processing notice: EU employers are required to provide a notice of data processing to employees when the employer first collects personal data from them. The GDPR lists 10 required elements for these notices, including, for example, (a) the personal data to be collected, how it will be used and to whom it will be disclosed; (b) whether the personal data will be transferred outside the EU, to whom and why; and (c) how employees can exercise their individual rights under EU law.
- Establish procedures for employees to exercise their rights: The GDPR confers on all data subjects, such as employees, the right to access their personal data, to correct personal data that is inaccurate or incomplete, to object to the processing of their personal data and to request the erasure of their personal data (the “right to be forgotten”). The GDPR prescribes specific procedures to implement these rights. The EU employer must comply with those procedures regardless of whether the personal data falling within the scope of any employee’s request resides in the EU, the U.S. or elsewhere.
- Develop a written information security program and a security incident response plan: The GDPR requires that EU employers implement administrative and technical safeguards as appropriate to mitigate the risks to personal data, but it does not prescribe specific safeguards that must be implemented. Nonetheless, the U.S. parent corporation should confirm that its EU subsidiaries are establishing and implementing a written information security program to reduce the likelihood of a security breach. Under the GDPR, a data controller (i.e., the employer with respect to employee data) is required to report a breach to the relevant DPA within 72 hours of discovery. The data controller also may be required to notify affected individuals by order of the DPA or if the breach is “likely to result in a high risk” of harm to affected employees. Although the GDPR does not expressly require a security incident response plan, having one in place will help the local subsidiary respond more effectively to a security breach.
- Vet vendors and enter compliant vendor agreements: Under the GDPR, the data controller is required to vet vendors to confirm that they can (a) adequately safeguard personal data and (b) support the data controller’s obligation to fulfill requests by data subjects to exercise their individual rights. In addition, the GDPR requires the data controller to enter into a service agreement that includes a long list of provisions bearing on data protection. Either the local employer or the U.S. parent corporation on its behalf will be required to fulfill these requirements when they engage a vendor to process EU employees’ personal data.
MG: How does the GDPR affect transfers of EU employees’ personal data to the U.S. parent corporation?
PG: The GDPR establishes a cross-border data transfer scheme substantially similar to that under the Data Protection Directive. In particular, the GDPR generally prohibits transfers of personal data outside the EU unless the recipient country “ensures an adequate level of protection” for the personal data. If the European Commission has not issued an “adequacy determination” for a third country, the data exporter (i.e., the EU employer) must implement an approved data transfer mechanism unless an exception to the general prohibition applies. The GDPR recognizes standard contractual clauses approved by the European Commission and “binding corporate rules” (a set of legally enforceable rules for personal data transfers within the corporate group) as acceptable data transfer mechanisms.
Another possible mechanism for transferring personal data of EU employees to the U.S. parent corporation may be the U.S.-EU Privacy Shield, which was negotiated to replace the now-invalidated Safe Harbor Framework. However, the Privacy Shield will not be the subject of an adequacy determination by the European Commission until after EU data protection regulators complete their ongoing review. In addition, this adequacy determination likely will be subject to litigation in the European Court of Justice. Consequently, the Privacy Shield may not be a reliable data transfer mechanism for the foreseeable future.
MG: What else should U.S. multinational employers be doing during the two-year grace period?
PG: U.S. multinational employers should watch for guidance from EU regulators who have announced their commitment to issue supplemental guidance before the GDPR goes into effect. U.S. multinational employers should also watch for changes in labor laws in response to the GDPR in the EU Member States where they have employees. The GDPR’s harmonization does not override local labor laws. Finally, U.S. multinational employers should consider to what extent and how they will extend the policies and procedures designed to comply with the GDPR to the personal data of employees located in countries outside the EU that have adopted broad data protection laws, often based on the EU model.
Philip Gordon is the Co-Chair of the Privacy and Background Checks Practice Group at Littler Mendelson, where he handles a wide range of employment issues with a focus on those related to workplace privacy and information security.