Are UK-to-US employee data transfers sunk by ECJ’s torpedoing of Safe Harbor regime?

So there it is – in a tremendous boost for transatlantic relations, the European Court of Justice has decided that America is not to be trusted with the personal data of EU residents.  That is not exactly the way the decision is phrased, of course, which (so far as relevant to UK HR) is more like this:

Under the Eighth Principle of the UK’s Data Protection Act (and all or most of its EU cousins) the personal data of your employees can be transferred outside the EU only where the recipient country ensures an adequate level of protection for the rights and freedoms of data subjects.

Until now an EU employer has been able to rely in this respect on a US company’s registration with the Safe Harbor (sic) scheme, a series of commitments designed to replicate the safeguards of EU law for that data.  As of this week, however, that reliance has been deemed misplaced – the ability and tendency of the US security agencies to access personal data held by US employers has been found to compromise those commitments beyond immediate repair.  In addition, one of the EU “model clauses” which can legitimise international data transfers requires the US recipient to confirm that it is aware of no legislation which could compel it to disclose that personal data to third parties without the employee’s consent.  New US laws enacted to boost homeland security mean that this can simply no longer be said.  Therefore Safe Harbor has been comprehensively blown up and can no longer be used as automatic air-cover for employee data transfers to the US.

This creates two immediate questions for HR in the UK.  First, what exposure do we have for past data transfers to the US on a basis which is now shown to be illegitimate?  Second, what do we do about such transfers starting now?

  • Don’t panic! To make any meaningful challenge out of this issue, the UK employee would need to show some loss or damage arising out of that transfer.  In other words, even if the data has been used in the US as the basis for a negative decision about him (dismissal or demotion or no bonus), the employee would need to show that that decision would have been more favourable to him if it had been taken by the same people based on the same data but physically within the EU.  Clearly a pretty tough gig.

  • Second, all this case does is remove the presumption that Safe Harbor registrants are safe destinations – it does not prove that they are not, either now or historically.  The question of adequacy of protection is assessed by reference to all the circumstances of the case, including the nature of the personal data sent, why it is sent to the US and what relevant codes of conduct and legislative protections exist there.

  • Last, Schedule 4 of the DPA disapplies the Eighth Principle where the data subject (the employee) has given his consent to the international transfer, or where the transfer is necessary for the entering or performance of the employment contract between the employee and the UK employer.  It will rarely be the case that neither of these exceptions applies.

If you have not previously had complaints from your UK employees that their personal data has been misused/lost/damaged in the US, nothing in this decision makes that particularly likely now.

  • Still don’t panic.

  • However, do be aware that this case is likely to lead to stricter precautions being required to ensure that what is sent to the US is genuinely only the bare minimum.

  • On its face, Schedule 4 should allow most reasonable international transfers of employee data anyway, pretty much regardless of what level of protection is offered in the destination country. However, there is a strong body of opinion, especially in Continental Europe, that reliance on this provision alone is unsafe and that it is still appropriate for the EU employer to take specific steps (most usually, some form of data export agreement with its US parent) to satisfy itself that a reasonable level of protection for that data exists. It may also wish to be seen to reconsider how far those HR decisions need to be made in the US at all, and whether EU employee data could be kept on an EU-based server if that is not currently the case.

  • To the extent that employment contracts do not already include it, amend them to include an express consent to the transfer of relevant personal data to the US (but do note another possible avenue of attack much mulled-over in Europe, i.e. that consent in an employment contract is not freely given because the job hangs upon it). Last, be seen to prune the UK employee data you do hold in the US back to what is strictly necessary and get rid of stuff which is no longer (if it ever was) relevant to the performance of the employment contract.

© Copyright 2015 Squire Patton Boggs (US) LLP

Data Security Breach Alert: 1.5 Million Credit Card Customers Affected

The National Law Review recently published an article regarding A Recent Security Breach written by Adam M. Veness of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.:

Global Payments, Inc. (NYSE: GPN) (“Global”) has reported a significant data security breach for approximately 1.5 million credit card customers.  According to a statement that Global released on Sunday, their investigation has revealed that “Track 2 card data may have been stolen, but that cardholders’ names, addresses and social security numbers were not obtained by criminals.”  Using Track 2 data, a hacker can transfer a credit card’s account number and expiration date to a fraudulent card, and then use the fraudulent card for purchases.

As a result of the breach, Visa has removed Global from its list of companies that it considers to be “compliant services providers.”  In an effort to calm consumers, Global issued a press release today assuring that “[b]ased on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

The incident reinforces the importance of maintaining adequate data security.  Companies must take ample precautions to secure their customers’ data, and if they fail to do so, they may be vulnerable to a serious security breach that could adversely affect their bottom line.  As of the time of this post, Global’s stock price has fallen approximately 12% since the data breach news was announced.  Even when following best practices in data security, companies still may face data security breaches.  Despite these inevitable risks, companies should do everything reasonably required to protect against data breaches.  If a company can show that it has taken the proper precautions, then this may mitigate or reduce potential liability in the event of a breach.  After a breach, companies should ensure that they follow all of the strict legal requirements for notifying customers of the breach and remedying the effects of the breach.  Doing so may greatly reduce a company’s exposure to customer lawsuits and government action against the company.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.