(normal legal disclaimer bits here….)
I have been interested in the implications of the technology and privacy interaction for the last decade or so, and it amazes me that it isn't more of an issue in sales cycles and software implementations. I wish it were, because German law is quite strict and our enterprisey software does a lot to handle the German data protection law that software from across the pond often doesn't have a clue about. (I'll save that rant for another day.)
(privacy is in the news at the moment partly because people keep losing laptops with James Bond's details on and the ECJ has ruled on the transfer of airline passenger data to the US, I won't comment on these here)
Why this post?
I received a mail from a US colleague this week, who asked me what to do, as his customer had been told by someone that "under German privacy law it is illegal to have a HR database with Germans on it outside of Germany".
The someone is wrong, but there are a number of buts and myths you need to manage. Privacy law, or Datenschutz, is a bigger deal here than it is in the US. The German law nowadays is based on the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (Not one for pithy law titles, we Europeans.)
1. The law doesn't talk about servers. It rambles on for a while about processing, which it defines as follows: "('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;"
It has nothing to do with where the hardware sits. The directive was written before the days of SOA, SaaS, client-server and the like. Someone using a laptop in Kuwait to access a server in Germany is in effect transferring data.
2. The directive is designed to improve the flow of data within the EU, so accessing or moving the data to another EU country shouldn't be an issue. You still need to manage the works council politics carefully though.
3. The directive doesn't like you to transfer data (weird term that) outside of the EU, unless it is to a country with an adequate level of protection.
4. You can transfer the data to another country, even if it doesn't have an adequate level of protection (like the US), only if you follow certain procedures. This is where things can get messy and complicated. The options include:
a. Join the safe harbo(u)r (if you are in the US)
b. develop a binding corporate code. This is a relatively new development, and the Schering example here is one of the few publicly accessible examples I could find. The Schering example was approved by the Berlin data protection authorities. GE's code was approved in the UK.
c. use intra-company model contracts (common practice now)
d. use consent (but this has its limits in the employment relationship)
and always treat the data as if it were still in the EU country. (So don't sell it to direct marketers or leave it on the back seat of your car.)
I can expand on these in more detail in other posts, and provide a set of more extensive links, just let me know. I'd hate to bore you any more than I already do.
I would suggest that anyone in the US needing advice on global HR privacy get in touch with Don Harris. He knows his stuff, and is a nice chap too. Ruth Boardman at Bird and Bird, and Christopher Millard at Linklaters are other experts I've worked with in Europe on data protection issues. Despite being lawyers, they are personable, knowledgeable and a pleasure to work with.
So, if someone says we can't do a global HR system because of German privacy law, they are likely to be wrong, but be prepared for a lot of buts… My advice is to do some reading, and get some advice from an expert consultant and a law firm who have real experts in this area.
If you think the Germans are tough on this, check out the Spanish. Linklaters recently reported on this. (If you are interested in more, you should check out their site; it is a super example of a law firm using the web effectively to reach clients. The whitepapers are really useful, not just marketing; software companies could learn from them.) It is risky cutting and pasting from a law firm website (see my earlier post on copyright), but here goes….
The fine imposed by the Spanish Data Protection Authority, the AEPD, on Zeppelin in this case is a salient reminder of just how seriously the matter is taken in some parts of the European Union.
Zeppelin is the Spanish producer of the television programme "Gran Hermano", the Spanish version of the popular reality TV format "Big Brother". Internet hackers managed to access details about 1,700 potential contestants on the show, and in some cases the information included details of their mental health, IQs and credit history.
While Zeppelin tried to claim that it was the innocent victim of illegal hacking activity, the incident brought to light various data protection infringements. Zeppelin was the unhappy recipient of a euro 1,081,822 fine, the highest imposed by the AEPD in a single administrative proceeding to date, and the highest anywhere in the European Union.
The breaches of the Spanish DPA committed by Zeppelin were listed as:
- not obtaining their express consent for the processing of sensitive data;
- not fulfilling the requirements for data processing by third parties, it therefore being deemed that a disclosure of data which had not been consented to had taken place; and
- not complying with regulations on security measures.
Serious stuff indeed….