
EU Data Protection Proposals: Outsourcing and Employee Data Issues

The following article by Matthew Howse, Partner, and Celia Kendrick, Associate, at Morgan Lewis should serve as a great primer for US and other multinational organizations that handle human resource data of EU citizens. The EU’s proposed revisions to data privacy law could have broad ramifications for the unwary.

Outsourcing arrangements often require the transfer of employees’ personal data from the customer to the supplier or vice versa.  For example, an outsourcing of payroll functions will involve the transfer of employee data.

Particular issues arise if the data is to be transferred outside of the EU.  In addition, notwithstanding that most data protection legislation within the EU derives from the EU Data Protection Directive, there are important differences between countries on how personal data can be processed.  The UK rules are currently contained in the Data Protection Act 1998.

In January 2012, the European Commission published its proposal for a new General Data Protection Regulation.  The extensive proposals would overhaul this area of law and significantly increase data protection across Europe.

The key proposals are:

Harmonization: A single set of rules will apply across Europe.

Scope extends beyond Europe: The new rules will apply to EU businesses and businesses based outside the EU that process European citizens’ personal data for the sale of goods or services or the monitoring of behavior.

Fines: Penalties for non-compliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organization is an ‘enterprise’).

Explicit consent: The new definition of “consent” will include a requirement that individuals’ consent must be explicitly obtained; it cannot be assumed.

Notification requirements: Organizations will be required to notify their supervisory authority of a security breach without undue delay, meaning within 24 hours if that is feasible.  If not, the notification must be accompanied by a reasoned justification.

Right to be forgotten: Individuals will be able to ask to be forgotten and have their data deleted unless there is a legitimate ground for keeping it.

Data protection officers: Organizations with over 250 employees will be required to have a designated data protection officer who will have specific duties in relation to monitoring and advising the organization.

These changes are probably long overdue – the current law was drafted when recent technological advances could not have been contemplated.  However, preparing for the changes and ensuring compliance will place a large administrative and financial burden on businesses with a European presence, including businesses involved in outsourcing.

The next step is for the proposed Regulation to be considered by the European Parliament and Council.  It is expected there will be widespread debate on the proposals, and that the Regulation will be amended.  Once the Regulation is approved, it is likely to be a further two years before it comes into force.

If the current drafting of the Regulation is approved, there will be a significant change in data protection obligations for both customers and suppliers.  Under the current law, only data controllers – organizations that control the purposes and manner for which personal data is processed – are subject to the obligations and restrictions on personal data.  Most suppliers are data processors as they process personal data on behalf of the customer (the data controllers).  However, the proposal is to impose restrictions and obligations directly on data processors (i.e. suppliers) for the first time.

Currently, it is important for all parties to establish who the data controller is and for the data controller to impose contractual obligations on the other party to ensure compliance with data protection legislation.  It is also key to ensure that, if personal data will be moved outside of the EU, this is done in compliance with the strict restrictions on exporting data.  Arguably, by extending the scope of data protection legislation to cover data processors and organizations based outside the EU which process EU citizens’ data, these considerations will become less significant for EU-based data controllers (i.e. customers).  However, the effect on data processors and international organizations will be much more significant.  The more stringent rules will place a tougher administrative burden on suppliers, which could lead to an increase in the overall cost of outsourcing.

Organizations that are about to enter into new outsourcing arrangements should be aware that their data protection obligations may change during the course of the arrangements.  Contractual provisions should be drafted accordingly, for example to make data protection provisions subject to amendment to comply with legislative changes.

The key message for customers and suppliers is: watch this space.  It will be some time before the measures are implemented, but the scope and effect of data protection legislation is likely to change significantly.

Originally published by sourcingfocus.com, © 2012.
