
The E.U. Data Protection Law

By John D. Shyer and Matthias Rubner
June 28, 2012

On Jan. 25, 2012, the European Union (E.U.) Commission published a draft Regulation that is aimed at replacing the currently applicable E.U. Directive of Oct. 24, 1995 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The Directive, and the legislation of each E.U. Member State that resulted from it, are of high relevance for any employer employing personnel in any E.U. Member State. The changes to the existing framework, as currently contemplated by the E.U. Commission, will be of equal importance, in particular because these changes provide for a significant increase of sanctions in the event of breach.

Doing Business in an E.U. Member State

The Example of France

While the E.U. Directive of Oct. 24, 1995 provides for harmonized rules across all E.U. Member States, implementing legislation of Member States may still differ, and the administrative practice with which the local data protection authorities enforce such legislation differs even more. France, along with some other countries, is known for rather strict enforcement. Controls, “dawn raids” and other enforcement initiatives of the French data protection authority, CNIL, have consistently increased over the past several years. CNIL also achieved certain notoriety, including in the U.S., when it decided in May 2005 that certain SOX-type whistleblower alert lines were impermissible under French law. This placed hundreds of U.S.-listed companies with operations in France between a rock and a hard place, having to choose between compliance with U.S. SEC requirements and CNIL's then-interpretation of French law. A few months later and after consultation with interested parties, CNIL adopted a more pragmatic approach. On Dec. 8, 2005, it implemented a so-called “unique authorization”: a web-based self-certification procedure by which companies operating an internal alert line could register and agree to a restrictive regulatory framework pursuant to which the operation of such alert lines is now legal in France. The restrictive regulatory framework was last changed by a decision of Dec. 8, 2010 to take into consideration new employment case law. Companies that signed up for the self-certification procedure before that date should verify that their alert line is still compliant with the changed regulations.

SOX alert lines are far from the only context in which employers with operations in France need to take active steps to assure that they are in, and remain in, compliance with French data protection and employment laws. Use of a simple H.R. database, which allows H.R. data to be accessed from relevant departments around the world, may require the employer to provide prior information to its works council, and also requires prior acknowledgement by CNIL. Transmission of personal data to a location outside the E.U. that is considered as not having “an adequate level of personal data protection rules” according to the Directive's standards, constitutes a data export. It then becomes subject to CNIL review and approval of a framework that assures that such data, once outside the E.U.'s jurisdiction, will remain adequately protected.

The U.S. is considered to be one of the territories lacking adequate data protection rules. One of the ways of achieving such protection, and thus getting CNIL's approval, is to have the data exporter (in the E.U.) and the data importer (for example, the U.S. parent company) sign a data transfer agreement (or so-called “standard contractual clauses” as approved by the E.U. Commission) by which the data importer subjects itself contractually to a set of rules that is deemed “adequate.” Any transfer of personal data outside the E.U., in breach of such rules, is sanctionable, including on criminal grounds. While the criminal fines can reach €1.5 million for a legal entity (and theoretically even imprisonment for the responsible manager), the administrative practice of CNIL with respect to illegal data transfers to the U.S. without prompt remedial action, when discovered, has been more moderate: sanctions of approximately €40,000, and issuance of press releases by CNIL in accordance with the “name-and-shame” principle.

The use of personal data files for employee surveillance and disciplinary purposes is another area of potential exposure for employers. Use of such procedures must not only undergo the relevant prior procedure at the CNIL, but in general must also be made subject to a prior works council consultation. If either of these prerequisites is ignored, criminal sanctions may apply, and the evidence found of potential employee misbehavior, even if serious, might be rejected in court as obtained through an illegal procedure. As a consequence, an employee, even if he or she has committed serious misbehavior, may be successful in claiming unfair dismissal, and be awarded substantial damages by a court. Accordingly, companies would be well advised to bring existing systems into compliance now (which can be a lengthy process), rather than waiting until they are confronted with an urgent employee issue which they cannot address, due to the lack of legally obtained evidence.

Key Aspects of the Expected Reform

The Oct. 24, 1995, Directive will soon become obsolete; that is what the European Commission wanted when it announced, on Jan. 25, 2012, a proposal for the establishment of a general regulation on the protection of personal data and a directive on the protection of individuals with regard to the processing of personal data by so-called “competent authorities.”

The new proposal is the result of two years of consultations and dialogues initiated by the Commission with the key stakeholders and the national authorities for data protection. These exchanges revealed that the 1995 text was not only considered as outmoded (since it was developed at the early stages of the Internet) and often inadequate to answer the problems encountered, but also that it did not succeed in harmonizing the corollary national regulations. The resulting regulatory inconsistency created legal uncertainty and unnecessary costs and administrative expenses for companies (estimated by the Commission to equal approximately €2.3 billion per year). Based on these observations, the Commission claims that it intends to provide the E.U. with a new “robust, clear and uniform” framework in addition to being “fit to face the 21st century's challenges.” The new general framework will not allow excessive flexibility to Member States, but will instead impose terms through a directly applicable regulation.

The proposals made by the Commission will now be submitted to the European Parliament and to the Member States for examination and debate. The Commission wants the new framework to be adopted by the end of 2012. It will become effective two years after its adoption.

On the merits, the reform includes two main goals: First, the regulation includes simplification measures. The objective is to reduce administrative expenses by suppressing, apart from specific cases, general notification requirements. Thus, the preliminary formalities are replaced by a duty, held by both the data controller and the data processor, to keep a documentary record describing the processing carried out, and a second duty to forward such documentation to the supervisory authority upon request (article 28). In regard to the processing of data likely to create specific risks for individuals because of the nature, extent or purpose (for instance, health data), the data controller or the data processor must perform a preliminary impact analysis. This step will result in a consultation with the authority if, and only if, it reveals the existence of a high risk (articles 33 and 34). By contrast, preliminary review of the authority remains mandatory in certain cases, such as the use of binding corporate rules (consent required), contractual clauses other than the standard ones to permit a transfer of data to a country outside the E.U. (consent required) or data processing considered to infringe the freedoms that will be listed by the authority (consultation required).

Simplification is also achieved through the implementation of a “one-stop-shopping” approach within the E.U.: If a company has establishments in several Member States, the data controller will only have a single supervisory authority, generally the authority of the State in which its main establishment is located (article 51).

Second, and this is the main goal of the reform, the regulation considerably increases the duties of data controllers and the resulting risks. For example:

  • The regulation introduces a general notification requirement regarding data violations (articles 31 and 32) on the grounds that such violations could generate “substantial economic loss and significant social harm, including identity theft.” Such violations must be reported within 24 hours to the supervisory authorities (after this delay, there must be a justification). If the violation is likely to infringe the data protection or the private life of individuals, the affected individuals must also be notified.
  • Companies with more than 250 employees and those using processing likely to be risky because of its nature, extent or purpose, have the duty to designate a Data Protection Officer (articles 35 to 37). This Officer, who must execute his duties with full independence, will also have responsibility for the implementation and application of rules related to the processing of personal data within the company.
  • The supervisory authorities' powers are significantly strengthened. They will now have inquiry and investigation powers (articles 52 and 53); since 2004, the CNIL has had similar powers, and their use has been increasing every year. The authorities of the different Member States will be able to provide assistance to each other and even to conduct joint operations (articles 55 and 56). Also, the authorities will receive sanctioning powers ranging from a simple warning to the imposition of monetary sanctions (article 53). Thus, they will be able to impose fines, to be determined according to each specific situation (including nature, length, seriousness of the offense), which can reach €250,000 or 0.5% of the annual worldwide turnover (for example, for failure to implement mechanisms enabling individuals to exercise their rights, such as the right of access), €500,000 or 1% of the annual worldwide turnover (for example, for failure to keep updated documentation of the processing carried out or failure to communicate required information to the individuals involved) and up to €1 million or 2% of the annual worldwide turnover (for example, for failure to give notice of a data violation, designate a Data Protection Officer or to implement an impact analysis). These penalties can be imposed regardless of whether the breach was intentional or simply due to negligence (article 79).
  • The territorial scope of the European rules is broadly interpreted (article 3). On the one hand, any processing activities affecting a data controller or a data processor located within the E.U. are subject to the regulation, whether the processing occurs within the E.U. or not. On the other hand, data controllers established outside the E.U. are also subject to the regulation as soon as they offer products or services to individuals whose residence is within the E.U. or analyze the behavior of these individuals (for example, by profiling over the Internet).
  • The consent of the individuals whose data are processed remains the touchstone to determine the legality of the process. In this respect, the regulation specifies that the consent shall be indicated by a declaration or an unequivocal positive act (article 4). Passive or tacit consent is not allowed, and the burden of proof rests on the data controller (article 7) to prove consent. Furthermore, the data controller must expressly inform the individual of his or her right to contact the supervisory authorities in case of any claim, and must provide the individual with any useful information related to the processing (article 14).

Conclusion

The new regulatory framework is certain to impose substantial new duties and new risks for data processors, including employers. Discussion of the Commission's proposals is expected to be particularly animated, and multinational employers will need to pay close attention to assure that they are in compliance with the resulting rules.


John D. Shyer is a labor and employment law partner in the New York office of Latham & Watkins LLP. Matthias Rubner is an employment law partner in the firm's Paris office.
