U.S. law may require your company to collect employee and contractor data in a manner that on its face would run afoul of GDPR requirements in Europe. VIAVI Solutions’ Matt Silverman explains how firms can successfully perform this high-wire act.
U.S. export laws regulate more than just the shipment of tangible goods from one country to another: They control the transfer of U.S. technology to foreign nationals, including foreign nationals within the U.S.
This concept, known as the deemed export rule, is unique to U.S. law. Under the Export Administration Regulations (EAR), any release of controlled technology or source code to a foreign person in the U.S. is deemed an export to that person's most recent country of citizenship or permanent residency (15 CFR §734.13(b)), and the International Traffic in Arms Regulations (ITAR) treat the release of technical data to a foreign person in the same way. In practice, companies that hold U.S.-controlled technology must therefore collect and maintain citizenship and permanent-residency information for the employees and contractors who need access to it; "nationality data" in this article means that information.
The EU and its member states have no deemed export concept. Export controls under EU law are triggered by the movement of goods or technology out of EU territory, not by the nationality of the recipient. The EU does, however, have one of the strictest data protection laws in the world, the General Data Protection Regulation (GDPR).
Given that the U.S. deemed export rule requires access to nationality information, while the purpose of GDPR is to protect personal data and to restrict who may access it and why, trade compliance and data privacy professionals alike are often asked the same question: can you comply with both?
The short answer is yes, but not without qualification, as I'll discuss. However, having worked in global trade compliance for two Europe-based companies, I found that when our department attempted to enforce a policy or issue guidance that required the collection of and access to nationality data of EU employees, the initial response was often, "You can't do that; it's illegal under GDPR."
So, to provide greater clarity, here is an explanation of how to navigate this seemingly fine line and where to find common ground to ensure compliance with both regulations.
What GDPR requires
GDPR sets out rules for the processing (collection, storage, use and deletion) of personal data. It protects individuals in the EU regardless of their citizenship, and it applies to any processing carried out in the context of an organization established in the EU, wherever the processing itself takes place (Article 3). Personal data is defined in Article 4(1) as "any information relating to an identified or identifiable natural person." The definition is intentionally broad: if a piece of data can be linked to a person, GDPR almost certainly applies.
Nationality information about an identifiable employee is therefore personal data. GDPR does not carve nationality out, and it does not list nationality among the "special categories" of Article 9 that need a separate justification to process, so it does not demand a higher level of protection for nationality than for other personal data. One caveat a practitioner should keep in mind: racial or ethnic origin is a special category, and nationality data can overlap with or be used to infer it, so nationality data should be collected and used strictly for the export-control purpose and not combined with other attributes in a way that reveals ethnic origin.
Under GDPR, companies processing personal data (including nationality data) must, in the words of Articles 24 and 32, implement "appropriate technical and organisational measures," taking into account the nature, scope, context and purposes of the processing and the risk it poses to the people concerned, and must be able to demonstrate that they have done so.
As set out in GDPR and outlined below, this means identifying a lawful basis and a specific purpose for the processing, being transparent with the employees concerned about it, and writing and enforcing policies and procedures that keep the data secure.
Consent and transparency
Consent is one of the six lawful bases under GDPR, not a general precondition for processing, and it is a demanding one: Article 4(11) requires a freely given, specific, informed and unambiguous indication of the person's wishes, given by a statement or a clear affirmative action. Consent cannot be implied from the employment relationship itself, and because an employee may withdraw consent at any time (Article 7(3)) and is rarely in a position to refuse it freely, EU regulators treat consent as a weak basis for processing employee data. Transparency, on the other hand, is required whatever the basis: Articles 13 and 14 oblige the employer to tell employees what data is collected, the purpose (here, export-control screening), the legal basis, who receives the data, how long it is kept and what rights they have over it. An employee who declines to provide nationality information cannot be screened, so their access to U.S.-controlled technology may be restricted or prohibited; that consequence follows from the export rule, and the notice should say so plainly.
A lawful and specific purpose
Whether or not consent is sought, GDPR requires a lawful basis under Article 6 for every processing operation, and the accountability principle (Article 5(2)) requires companies to be able to demonstrate that basis. The processing must also be tied to a specified, explicit purpose (Article 5(1)(b)).
The Article 6 bases are consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest and the legitimate interests of the controller or a third party. Interests that companies and regulators have recognized as legitimate include fraud prevention and network and information security (both named in GDPR's recitals), sanctions and watchlist screening, responding to law enforcement, protection of intellectual property and the administration of the employment relationship.
Because U.S. export law restricts the release of U.S.-controlled technology to foreign persons, a company in the U.S. or the EU has a genuine interest in knowing the citizenship and residency status of the employees (EU nationals included) who need access to that technology. Two cautions apply to how that interest is framed. First, the "legal obligation" basis in Article 6(1)(c) covers only obligations laid down by EU or member state law (Article 6(3)), so an obligation that exists purely under U.S. law is normally relied on as a legitimate interest under Article 6(1)(f) instead. Second, legitimate interest requires a documented balancing test showing that the interest is not overridden by the employees' rights, which in practice means recording why the screening is necessary, why a less intrusive approach would not satisfy the export rule and how the data is confined to that purpose. Framed that way, the processing rests on a legal basis that withstands GDPR scrutiny.
Even with a legal basis, the purpose must be specific and the data collected must be limited to what that purpose needs (purpose limitation and data minimisation, Article 5(1)(b) and (c)). A company that screens the nationality of all of its employees in Europe (HR personnel, finance staff, janitorial workers and so on), including people who have no reason or need to access U.S.-controlled technology, therefore risks violating GDPR even though screening the engineers who do need access is justified.
Trade-compliance officers should ask themselves, for each person: Is processing this person's nationality data justified by a need to access U.S.-controlled technology? If the answer is no, they should narrow the scope of their screening.
Policies and procedures
Effective policies and procedures must be written and enforced to ensure compliance with GDPR. This includes policies and procedures covering the requirements above, as well as those that deal specifically with data security and breach prevention and response. Best-practice policies and procedures for the processing and security of personal data (including nationality data) include those that:
- Ensure personal data is processed only for authorized purposes, i.e., the lawful and specific purposes described above.
- Ensure the accuracy and integrity of the data being processed, with a way for employees to have inaccurate data corrected (Article 16).
- Minimize both the data collected and the number of people who can see it: collect only the citizenship and residency facts the export rule requires, and restrict access to the compliance staff who make the screening decisions.
- Implement strong security measures; Article 32 names pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of the systems, the ability to restore data after an incident, and regular testing of the measures.
- Include a process for deleting personal data when it is no longer required. (Note: recordkeeping requirements under U.S. export law, five years under the EAR's Part 762, may compel a company to retain nationality data after the employee has left or no longer requires access to U.S.-controlled technology. That retention period should be documented as part of the purpose, stated in the employee notice, and the data deleted when it expires.)
- Assess risks to privacy and security and demonstrate that they are mitigated. Article 35 requires a data protection impact assessment where processing is likely to result in a high risk to individuals; screening that determines which employees may do certain work is a reasonable candidate, and the assessment is a natural place to record the balancing test for legitimate interest.
- Explain what must happen in the event of a personal data breach: GDPR requires notification to the supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals (Article 33), and notification to the affected people without undue delay when the risk to them is high (Article 34).
Finally, companies that use a third-party service provider to collect or store nationality data rather than processing it themselves must have a written contract with that provider; Article 28 requires one and specifies its contents. The contract should set out what data will be collected and for what documented purpose, that the provider processes it only on the company's instructions, the security measures it must apply, the confidentiality obligations of its staff, the conditions for engaging sub-processors, its duty to assist with data subject requests and breach notification, the company's right to audit, and the deletion or return of the data when the service ends. If the provider, or the U.S. parent company that reviews the screening results, is located outside the EU, the transfer of the data also needs a lawful transfer mechanism under Chapter V of GDPR.
While there appear to be conflicting interests between EU privacy laws and U.S. export controls, compliance with both regulatory regimes can be satisfied when companies take proactive measures.
With policies and procedures in place and enforced to ensure the legality, legitimacy and security of nationality data that is being processed, a compliance compromise of sorts between the two regulations can be achieved.
Companies on either side of the Atlantic that move employee nationality data from the EU to the U.S. also need a lawful transfer mechanism. The Privacy Shield framework (www.privacyshield.gov), a collaborative effort among U.S., EU and Swiss authorities, served that role for self-certified U.S. companies, but it was a transfer mechanism rather than a certification of GDPR compliance as a whole, and it was invalidated by the Court of Justice of the European Union in July 2020 (the Schrems II decision). Its successor, the EU-U.S. Data Privacy Framework adopted in 2023, and the standard contractual clauses are the mechanisms to rely on now, and a company certified under the Data Privacy Framework must still satisfy every GDPR requirement discussed above.