On October 6 Europe’s highest court struck down an international agreement (Safe Harbor) that has allowed thousands of companies to easily transfer personal data from Europe to the U.S. since 2000.
The case in this ruling was brought to court by an Irish citizen’s concerns with how Facebook handled his personal account. Europe have always felt uneasy about the Safe Harbor agreement. This lawsuit appeared to be the “final straw” in a string of incidents involving data privacy beginning in 2013 with the revelation that American intelligence agencies had access to people’s online activities.
The ruling highlights the different views towards online data protection. In the United States, privacy is viewed as a consumer protection issue; in Europe, privacy is guaranteed as an individual right in the Charter of Fundamental Rights of the European Union, which puts it on a par with freedom of speech in the U.S. Super critical.
Under Safe Harbor more than 4,000 American companies were expected to treat information moved outside the European Union (EU) with the same privacy protections the data had inside the EU. It allowed these companies to self-certify that they were abiding by EU data protection standards. It was pretty much an honor system. In lieu of Safe Harbor, each of the EU’s 28 country data protection agencies (DPA’s) will now have to decide how companies will be able to collect and use online information. Instead of one set of regulations, there could be 28 sets.
Note: This ruling does not apply solely to tech companies. It affects any company with international operations. It includes such data as global employee databases, payroll information from external providers, and other transactions where employee data is transferred across the “pond”.
And that is where Compensation professionals need to be knowledgeable and involved. In many companies Compensation has responsibility for overseas payroll for local nationals as well as employee benefits.
So what should Compensation professionals be doing?
1) Identify all the different pieces of employee data that are collected and the processes used for collection and distribution.
2)Identify all the vendors used --- survey providers, insurance companies, brokers, payroll providers, HR outsourcing firms, benefit administration vendors, etc.
3)Work with corporate legal to identify the best alternative(s) for data transfer.
There are several alternatives to Safe Harbor:
1) Standard Contracts or Model Clauses approved by the European Commission. These can be used for transfers to U.S.-based service providers (such as outsourcing and global payroll providers), as well as for transfers to U.S. companies that use the data for their own purposes.
2) Obtaining permission from all European employees for their data to be transferred to the U.S. For large companies this would require a Herculean effort and probably should not be considered unless all other options are not viable.
3) Binding Corporate Rules (BCR’s). This is appropriate for intra-company transfers only and cannot be used for transfers to third parties.
Keep in mind requirements may be different for each of the DPA’s (28 EU countries) and will need to be approved by each country DPA involved.
The U.S. and the EU have been trying to reach a new Safe Harbor deal since 2013 after the Snowden incident. The new court ruling has intensified pressure on those negotiations, but there are some big sticking points left to be resolved. The EU wants Europeans whose data is misused to be able to bring legal action in the U.S. They also want to limit the ability of American intelligence agencies to access European citizens’ data. A bill to provide legal recourse by Europeans is being debated in Congress as we “speak.”
Since negotiations have been ongoing for two years, it looks to me like things are at an impasse. Be prepared for a long wait for resolution on this one.
A final note: Recognize anyone in the lifeboat?
Jacque Vilet, President of Vilet International, has over 25 years’ experience in Human Resources. In her current role she works with start-ups and multinationals on both domestic and international HR issues. Jacque has an M.S. in Psychology and an MBA from Southern Methodist University. She speaks at conferences in the U.S. and overseas, contributes to various HR and talent management publications and conducts frequent webinars.