Edward Snowden, the CIA and HR

Article Index

It is a plotline that could almost belong in a movie. Following the Edward Snowden revelations about US surveillance, a plucky student brings a legal case about preventing data being sent to the US. When the student initially loses, following US government intervention and with Facebook and Google ranged against him, he appeals all the way to the European Court of Justice (ECJ), where he wins. Probably a made-for-TV movie or ITV drama, but an entertaining hour or so. But that is exactly what has happened in a recent data protection decision before the ECJ. 

Previously, transfer of data to the US was permitted under data protection legislation on the basis that so much flows to the US naturally; think Facebook and Google, but in relation to HR for global employers think about centralised HR systems, benefits, diversity information, etc. Even for non-global employers, payroll systems, insurances and some pensions data often flows to the US. This was permitted and lawful provided that the data recipients in the US established adequate protection of that data – this was referred to as the US recipient creating a “safe-harbour” for the data. 

The recent decision of the ECJ in Schrems v Data Protection Commissioner concluded those safe harbours were far from being safe from exploitation by US authorities such as the CIA. It also concluded the mechanism for setting up the safe harbours was not sufficiently robust to protect data and it left EU citizens with inadequate rights against any disclosure of their data. 

Why this might matter for HR

Global employers are clearly going to need to transfer data about their employees outside the EU. As mentioned above, even UK employers may rely upon HR IT systems that run through the US. The ‘internet of things’ has connected many systems and countries in ways that can be difficult initially to determine. 

This decision has been widely reported and European employees may be concerned about the protection of their data. British HR professionals may be surprised how important this can be to employees. It should be noted, for example, that according to studies German and Eastern European employees are significantly more concerned about government bodies having access to their data than British employees. In the event that data sent outside the EU is accessed by other parties, employees could have a claim against their employer and/or the Information Commissioner could impose fines.

HR will need to be in a position to communicate the organisation’s approach to data in light of employee concerns. Any transfer outside of the EU must now mean alternative arrangements other than safe harbours are put in place and these are communicated to employees. While the exact nature and adoption of those alternative arrangements may be a matter for other colleagues in compliance functions, global employers may need to exercise immediate care and caution. The obvious example relates to if a colleague in a different country wishes to know, for example, appraisal or pay data on employee X. To the extent to which HR, inadvertently or otherwise, misleads employees as to the protections around their data, additional liabilities could arise. 

Employers can make alternative arrangements to transfer data. Many employers will probably adopt ‘model clause’ agreements between the EU employer and whoever is to receive the data. These model clauses have been approved by the EU Commissioner. The other key issue for HR is that almost certainly existing data protection policies and consents will not reflect the new arrangements of an employer, model clause or otherwise. 

Finally, HR colleagues should also note that the world of employment law is one of frequent change - the law of data protection less so. Compliance colleagues might, therefore, portray this as a bigger issue than HR colleagues, who are more used to change, would consider proportionate. Be kind to them. 



# cctv camera dealers 2017-03-21 12:59
Welcome to esync security solutions in India. CCTV Manufacturing company in Chennai( Surveillance Security Cameras ), Commercial building and so on. Installations and Maintenance with industrial Standardised Documents. E-Sync Security CCTV Camera Manufacturer and Suppliers in Chennai. Best Price Electronic Security Systems. Call: 04460508010
# masters education 2017-04-06 00:31
I always emailed this web site post page to all my friends, as if like to read it after that my contacts will too.

Add comment

Security code

Forgotten your password?

I'd like to subscribe
Subscribers only - te law will answer your employment law queries. Find out more about our email support

Now there's more ways to stay in touch

Join Us on Linked in Become our Fan on Facebook Follow us on Twitter