As with many areas of government regulation, the European Union has more stringent rules than the U.S. regarding the privacy of personal data. The EU Directive on Data Protection includes privacy principles that are similar in many ways to the GAPP we’ve discussed in previous posts. However, they are backed by the law in the EU rather than simply being suggestions. The U.S. Department of Commerce collaborates in communicating these standards and instructions to U.S. companies to foster better business relationships with EU nations.
Safe Harbor Applies to HR Data
One aspect of the Directive that’s of special interest to U.S. employers is the Safe Harbor provision. This regulatory standard is designed, in part, to ensure that American businesses with European subsidiaries handle all identifying employee data appropriately in accordance with the data protection laws that cover all EU citizens. Employers who fail to follow this standard for administering HR data for EU workers could face consequences up to and including not being permitted to operate in EU countries.
Most U.S.-based multinational corporations routinely transfer employee data into the U.S. for HR administration at a central location. This is becoming even more common with the use of web-based applications like Universal Onboarding that allow collection of new hire data from any location in the U.S. and abroad. The transmission, storage, and use of such identifying information must be performed following Safe Harbor principles when EU workers are involved. However, there is no single prescribed way of meeting these standards. Instead, the principles serve as minimum guidelines. Employers may combine any number of products, services, and procedures to address the privacy needs of their business in a way that complies with Safe Harbor rules.
Compliance is Sketchy
Participation by U.S. companies in Safe Harbor compliance is promoted by the Department of Commerce. However, the U.S. government does not force any business to participate. The regulatory purview of the DOC extends only as far as requiring that companies which claim to be Safe Harbor compliant are, in fact, following Safe Harbor privacy practices.
As of 2010, the Department is still facing resounding criticism for its failure to meaningfully enforce compliance by auditing participants and holding them accountable. This lack of follow-through means that U.S. employer claims of Safe Harbor compliance are a little difficult for EU countries to take at face value. Businesses may want to consider providing assertion documents that outline exactly how their company complies with Safe Harbor principles in the event that this question is raised.
In the next post in this series, we’ll take a look at how Safe Harbor is being used and abused by U.S. companies that don’t do business in Europe.