2003.03.28
EU DATA PROTECTION REQUIREMENTS: AN OVERVIEW FOR JAPANESE EMPLOYERS
SUMMARY
Companies doing business in the European Union (the "EU")2 should be aware that the execution of their traditional day-to-day business practices may conflict with the personal data protection laws of the EU and of EU Member States (the "Member States"). The EU Data Protection Directive 95/46/EC (the "Directive") regulates the collection, use, and transfer of individually identifiable information (including name, address, telephone number, marital status, salary, bonuses, terms of employment contracts, performance appraisals, and so on). These rules also apply to information about employees, and even disclosure of employee information between affiliated companies may be found to violate the Directive and Member State laws if it is carried out without notice to the employees concerned and, in certain cases, without their consent. For example, if a branch doing business in the United Kingdom discloses information about its employees to the head office in Japan for purposes such as reviewing the next year's salary revisions, that U.K. branch must comply with the U.K. personal data protection law. The potential liability of employers that fail to comply with these laws is extremely serious.
For example, the Spanish data protection authority recently imposed a fine of 840,000 euro (approximately 107,270,000 yen) on a company that shared customer information with a subsidiary, and a fine of 1,080,000 euro (approximately 137,919,000 yen) on another company that made protected personal information available to the public. Companies doing business in the EU, particularly those that centralize human resources information in databases outside the EU or that regularly exchange employee information with their own offices outside the EU, need to reconsider how they collect and use employee information internally.
Almost every company with employees in a Member State must comply with the Directive and the Member State laws implementing it. These laws apply to the collection, processing, and transfer of employees' personal information, whether or not over a network and whether or not automated. An employer needs an appropriate legal basis to collect, process, and transfer employees' personal information. This holds even between affiliated companies such as a parent company and its subsidiary.
In addition to regulating the collection and use of personal information within the EU, Member States are required to regulate the transfer of personal information to countries outside the EU other than those that provide "adequate" data protection. Neither the Directive nor Member State laws make clear what specifically constitutes "adequate" protection. The Directive also provides several exceptions for transfers of personal information to destinations outside the regions4 that provide "adequate" protection. The rules on personal data protection are thus extensive and still evolving, and their content differs from Member State to Member State. In light of the possibility of large fines and the potential damage to business credibility and reputation that publicity about a privacy violation would bring, it is essential that employers review their internal personal data management systems and actual practices and take appropriate measures.
RECOMMENDATIONS FOR EMPLOYERS
Limit information to the necessary minimum
A company doing business in the EU must comply with all applicable Member State data protection laws. Therefore, a company should first identify and catalogue the types of employee information it collects, how that information is used, the range of persons to whom it is disclosed, the countries to which it is transferred, and so on. Information considered sensitive requires particularly careful handling, so special care is required in collecting it. Next, the company should re-examine the purposes for collecting the information it currently collects, and confirm that the collection rests on specific, explicit, and legitimate grounds and satisfies the requirements set by each Member State. Accordingly, information that does not satisfy the requirements for lawful collection, that is, information that is "nice to have" but not strictly necessary, should be promptly removed from collection.
Review internal personal data management systems
A company must implement procedures to ensure the accuracy of information and to delete information no longer needed for the purposes for which it was collected. Further, the company must establish technical and organizational measures to protect employee information from unauthorized disclosure and access, and must provide appropriate training to employees whose positions give them access to other employees' personal information. The company should confirm that it complies with the registration requirements imposed by the laws of the Member States in which its employees are located.
Review the legal basis for transfers of personal information
As part of managing the collection and use of employee information, a company should re-confirm whether it transfers employee information to Japan or to other third countries that the European Commission (the "EC") has not found to provide "adequate" protection of personal information. If such transfers, particularly transfers to Japan, are taking place, the company needs a legal basis for the transfer, such as an ad hoc contract, a model contract, or consent, and must comply with the requirements of that legal basis.
Respond promptly to future legislative developments
Finally, given that the collection and use of employee information is currently the subject of intensive discussion at the EC and in many Member States, it is important that companies routinely monitor legislative developments and adjust their internal procedures accordingly.
EXECUTIVE SUMMARY
Many foreign companies operating in the European Union (the "EU")1 are unaware that their traditional business practices may violate EU and Member State laws regarding personal data protection. The EU Data Protection Directive 95/46/EC (the "Directive") regulates the collection, use, and transfer of individually identifiable personal information about employees, such as name, address, telephone number, and marital status, as well as information such as salary, bonuses, terms of an employment contract, and performance appraisals. In addition, the transfer of employee information to another entity, even a related corporate affiliate, without providing notice to employees and in some cases obtaining consent from employees may be considered a violation of the Directive and Member State laws. Thus, for example, if a company with operations in England provides information regarding individual employees to the home office in Japan, that company must comply with the U.K. Data Protection law. The potential liability for employers failing to abide by these laws can be quite high.
The Spanish Data Protective Authority, for example, recently fined an organization nearly 840,000 euro (approximately 107,270,000 yen) for sharing customer data with a subsidiary organization and fined another organization 1.08 million euro (approximately 137,919,000 yen) for disclosing protected personal information to the public. Companies with operations in the EU, especially those that centralize human resources information in databases located outside the EU or regularly transfer employee data among offices outside the EU, may have to change the way they collect and use employee data.
Virtually every business with employees in a Member State in the EU must comply with the Directive and Member State laws implementing the Directive. These laws apply to the collection, processing, and transferring of employee personal data, online and offline, manual as well as automatic. Employers must have appropriate legal grounds to collect and process personal employee information and transfer that data to another entity, even an affiliated organization such as a parent company or a subsidiary.
In addition to specific regulations regarding the collection and use of personal data within the EU, the Directive also requires Member States to restrict the transfer of personal data to only those countries outside the EU that provide "adequate" data protection. "Adequate" is not defined by the Directive or by any of the Member States. The Directive also provides several exceptions that allow for international transfers of personal information where there is no adequacy determination in place for the relevant jurisdiction.3 The rules are extensive and still evolving. They also differ significantly from Member State to Member State. Given the possible fines and potential injury to reputation and goodwill that may result if a serious privacy violation is publicized, it is imperative that employers review and adopt appropriate policies and practices.
RECOMMENDATIONS FOR EMPLOYERS
Limit information to essential information. Any company operating in the EU has to comply with all relevant Member State data protection laws. A company should, therefore, know what employee information it collects, how such information is used, to whom it is disclosed and to what countries it is transferred. Such information and uses should be cataloged by the company. Special attention should be paid to any information collected that is considered sensitive information, because it requires special handling. Once a company understands what data it collects from its employees, the company should examine the purpose(s) for collecting the information to ensure that it has specified, explicit, and legitimate bases for such collection so that the Member State requirements are met. Thus, all information must be tested under these standards and any "nice to have" but unessential information should not be collected.
Review internal procedures. A company must put procedures in place to ensure the accuracy of information and purging of information no longer required for the purposes for which it was collected. Further, the company should evaluate its technical and organizational measures for ensuring that employee information is protected against unauthorized disclosure or access and also ensure that appropriate training is in place for staff that have access to personal data of other employees. The company should ensure that it is in compliance with registration requirements in those Member States in which the company has employees and that require registration.
Review legal basis for transfer of information. As part of its employee data collection and use inventory, a company should review whether it transfers any employee data to Japan or other third countries that have not been declared "adequate" by the European Commission. If a company does, indeed, transfer data to Japan, the company should have a legal basis for the transfer of such information, e.g., ad hoc contracts, model contracts, consent, and bring itself into compliance with the requirements of the chosen basis.
Monitor legislative changes. Finally, given the intense discussion on collection and use of employee information currently underway at the European Commission and many of the Member States, companies should routinely monitor new developments and adjust their procedures accordingly.
Introduction
Businesses that collect and use employee personal data in the European Union ("EU") face an extensive legal framework, which, unlike the mostly self-regulatory regimes adopted in Japan, also imposes strict privacy restrictions on employee data. The EU Data Protection Directive 95/46/EC5 ("Directive") applies to both employee and consumer personal information, and the Member States' laws enacted to implement the Directive also apply to employee and consumer personal information. These laws impose substantial requirements on the collection and use of virtually all employee data while those data are in the EU.
In addition, these laws restrict the transfer of that information from the EU to third countries, such as Japan, unless the third country has been found to provide an adequate level of protection or the employer can identify another legal basis for the transfer. Accordingly, any employer operating in the EU must first conform its data practices to the Directive and Member State laws while the data are in the EU. And, when transferring employee data from the EU to third countries, employers must also identify and implement a legal basis for such transfers. Employers operating in the EU that collect or process personal information in the EU without adhering to Member State laws or transfer personal information from the EU to a country without "adequate" protection or a relevant exception may incur substantial legal liability.
The Directive is framework legislation and requires each Member State to enact implementing legislation. All but three Member States (France, Ireland, and Luxembourg) have now done so. The Directive sets a floor for the Member State legislation, and in some instances it may also set a ceiling. It does not, however, prohibit divergences among Member State laws. Accordingly, employers doing business in the EU must inform themselves about and comply with all the terms of the specific Member State data protection laws that are in effect in the countries in which the companies have employees.
This article is intended as a primer for companies with employees in the EU who are evaluating their employee data practices. It provides an introduction for employers to: (i) the Directive; (ii) how human resources data are defined in the EU; (iii) basic EU data protection requirements; (iv) the legal grounds for transferring employee information to countries outside the EU; and (v) practical steps Japanese companies operating in or receiving employee data from the EU should take to ensure compliance with EU legal requirements.
Overview of the Directive; its Application to Employee Data
Consistent with the history of the European legal regime, the Directive sets forth a broad, highly regulatory, and inclusive approach to privacy issues. The primary objectives of the Directive are: (i) to protect individuals with respect to the "processing" of personal information;6 and (ii) to ensure the free movement of personal information within the EU through the harmonization of national laws.7
The Directive is extraordinarily broad in scope. It applies to all processing of data, online and offline, manual as well as automatic, and all organizations holding personal data. Only data used "in the course of purely personal or household activity" are excluded from its reach.8 Thus, an employer's collection and use of employee data clearly falls within the ambit of the Directive. The Directive establishes strict requirements for the processing of personal information. "Processing" of data includes any operations involving personal information, except perhaps its mere transmission. For example, copying information or putting it in a file is viewed as "processing." An employer should keep in mind that "sensitive" data, such as that pertaining to racial or ethnic origins, trade union membership, political or religious beliefs, or health or sex life, may not be processed unless such processing comes within limited exceptions.9
The Directive also requires each Member State to establish an independent data protection authority ("DPA") to supervise the protection of personal data.10 An employer that is processing data must register with (or notify) the DPA prior to processing any data,11 unless the employer fits within an exemption provided under a Member State law.12 This requirement mandates that prior to carrying out any processing, an employer must provide the relevant DPAs with information on the purpose of the processing, the categories of individuals whose data are being processed and the types of data relating to them, the categories of the recipients to whom the data may be disclosed, proposed transfers to third countries, and the security measures in place.
What are "Human Resources Data"?
Despite its applicability to employee data, the Directive does not provide any specific guidance on the processing of data in the employment context, nor does it specifically define human resources data. The definition of "personal data" is extremely broad, however, and, as noted above, encompasses "any information relating to an identified or identifiable natural person .... An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." (Emphasis added.)13
An employer will also find, for the most part, little guidance in Member State laws, which either fail to define human resources data or do so very generally. A definition of human resources data often must be inferred from data protection registration forms that require an employer to provide the purpose of the employee database and its specific use. The inferences that may be drawn from the examples of human resources data on these forms are very broad and suggest that all personal information about employees collected by employers is covered.14 Accordingly, an employer doing business in the EU should assume that any information relating to prospective, present, or past employees collected in any form will be subject to the protections of the Directive and must be handled in a manner compliant with Member State data protection law.
EU Data Protection Requirements Applicable to Human Resources Data
While all the Directive's data protection principles apply to personal data in all contexts, in some instances the principles may apply differently in the employment context than in other contexts. The relevant principles include:
Legitimacy: Establishing the Legal Grounds for Processing Employee Data
An employer must have appropriate legal grounds to process personal information.15 An employer must meet this legitimacy standard for processing employee data, and such processing must be "necessary for the achievement of the objective in question rather than merely incidental to its achievement" ("Working Party Opinion").16 An employer may establish this legitimacy by several means, with the most relevant to the employment context including: (i) processing necessary for performance of the contract between the company and the employee; (ii) processing necessary for compliance with a legal obligation; (iii) processing necessary for purposes of a legitimate interest by the controller; and (iv) processing with employee consent.
Performance of Employment Contract. An employer may process most employee information based on the grounds that the processing is necessary for the performance of a contract to which the employee is party,17 e.g., the "employment contract." The DPAs generally take a fairly strict view of what information is "necessary" for performance of the contract and make their determinations on a case-by-case basis. Data such as name, home address, date of birth, appraisals and promotions, job title, department, terms and conditions of employment, supervisors, salary, and reviews have been found to be necessary to the performance of an employment contract.18
Compliance with Legal Obligations. An employer may also establish legitimacy if the data processing is "necessary for compliance with a legal obligation."19 For example, an employer may have a legal obligation to provide to government authorities information on tax and social security status and the number of days absent due to sickness. To the extent that such information is sensitive information under Article 8 of the Directive,20 such as data on specific illnesses, under many Member State laws it is also necessary to obtain consent from the individual, despite the existence of the legal obligation.
Legitimate Interests of the Controller. An employer may process data if it is "necessary to meet the legitimate interests pursued by the controller or by a third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject..."21 For example, collection of certain information for employee performance assessment purposes may be considered a legitimate interest of the controller. Employers may not, however, use the data in a manner that would "unjustifiably prejudice the rights and freedoms of the data subject," and care should be taken in utilizing this ground for processing.
Employee Consent. At first, employee consent appears likely to be an employer's simplest option for legitimizing its data processing practices as it could be drafted to cover all uses of the data without question. In most Member States, the consent would be opt-out consent, unless the personal information in question is sensitive, in which case a more onerous opt-in or affirmative consent is required. This method, however, poses significant issues for the employer. Whether "consent" may be freely given in the context of an employment relationship has been the subject of much debate among the Member States. Several Member States maintain the view that an existing employee cannot freely give consent. Moreover, the Working Party Opinion takes the view that where as a necessary and unavoidable consequence of the employment relationship an employer has to process personal data, it is misleading if the employer seeks to legitimize this processing through consent. Reliance on consent should therefore be confined to cases where the worker has a genuine free choice and is subsequently able to withdraw the consent without detriment.22
Accordingly, in the Member States that take this position, an employer who relies on consent to legitimize data processing in the employee context may face significant risks and should consider another ground for processing. In addition, this method may provide at best only a short-lived solution for an employer because employees may withdraw their consent at any time.
Collection and Use of Employee Data
Proportionality. In addition to establishing grounds for legitimate data processing, the employee information an employer collects "must be adequate, relevant and not excessive" in relation to the purposes for which the data are collected and/or further processed.23 Thus, an employer must gather information and use it in the "least intrusive way." The concept of proportionality is closely related to legitimacy.
Finality of Processing. Under the Directive, the employee data an employer collects must be collected for specified, explicit, and legitimate purposes and not further processed in a way incompatible with those purposes.24 Thus, an employer may not use employee information collected for a legitimate purpose for any other "incompatible" purposes without the specific consent of the employee. For example, home addresses collected for payroll purposes should not be used for direct mailings without specific consent. An employer, however, would not be prohibited from using the data for a "compatible" purpose, such as calculating travel allowances.
Notice. The Directive further requires the employer (a data controller) to disclose its identity, the purposes of the processing, categories of recipients of the data, and the right of access and correction.25 Thus, even if an employer's processing is legitimized on the grounds that it is necessary to complete the contract and consent is not necessary, the employer may still have to provide notice to employees about what employee data the employer is collecting, both directly and from other sources, and how the information will be used. Therefore, companies should provide employees with appropriate disclosures about the collection and processing of their personal data.
Accuracy and Retention. Under the Directive, personal data must be accurate and up-to-date.26 To comply with this requirement, an employer must take reasonable steps to ensure that employee data maintained by the employer meet these requirements. Moreover, the employer should not maintain data in a form that identifies specific individuals any longer than necessary for the purposes for which the information was collected or processed.
Security. Under the Directive, an employer must institute technical and organizational measures to ensure that personal data is maintained securely and protected against unauthorized disclosure or access. Thus, an employer wishing to comply with the Directive will need to establish security procedures and access controls for employee data. Some countries have enacted regulations that set forth in great exacting detail the particular technical and organizational security measures that must be implemented.
Employee Access. The Directive requires that an employer provide each employee the right to access and correct information maintained about him or her.27 The Working Party Opinion shed light on this requirement by stating that employers must provide employees with access "without constraint at reasonable intervals and without excessive delay or expense."28 Access includes confirmation about whether data relating to the employee are being processed, the purposes of the processing, the categories of data concerned, and the recipient or categories of recipients to whom the data are disclosed. In addition, the Directive also requires that an employer permit an employee to correct, erase, or block data that do not comply with data protection law, for example, if the data is incomplete or inaccurate. The Article 29 Working Party Recommendation 1/2001 on Employee Evaluation Data,29 which provides that personal data includes "subjective judgments and evaluations," also recommends that employees be provided with notice about and afforded a right of access to such data.
Other Requirements. As noted above, an employer operating in the EU is required to appoint a data controller and register the company's databases with the DPAs of the Member States in which it does business. In most Member States, an employer also must inform the DPAs before the company may transfer information outside the EU to countries that do not provide "adequate" privacy protection, and must also obtain the DPAs' approval. In addition, the Directive sets forth many other requirements that an employer should consider, including specific rules for cases where personal information has not been obtained from the individual and where automated individual decision-making and direct marketing are involved.
Employer Liability Under EU Law
For the most part, enforcement of Member State privacy laws is complaint driven. Employees who believe the law has been violated may bring a complaint either to the relevant DPA or to a court. Given the expense of bringing suit, the lack of contingency fees in EU countries, and the obligation in the EU for the losing party to pay both parties' fees, many individuals choose to bring their complaints to their DPAs.
An employer may be liable to an individual for compensatory damages as a result of unlawful data processing.30 Employers' possible liability differs significantly from Member State to Member State. For example, German law allows for a variety of penalties and remedies, including injunctions and orders to comply. The German law also provides for fines up to 255,000 euros (approximately 32,564,000 yen), and criminal penalties in extreme cases. In France, fines may be assessed up to a maximum of 45,000 euros (approximately 5,747,000 yen) and criminal penalties of imprisonment of not more than three years may be imposed. The UK law provides for a variety of sanctions similar to those described for the German law, including criminal penalties. The maximum fines in Spain are considerably higher and can be as much as 500,000 euros (approximately 63,800,000 yen). In assessing their risks under European privacy laws, employers also should consider injury to reputation and goodwill that may result if a serious privacy violation is publicized.
Transfers of Employee Information to Third Countries
In addition to covering the collection, use, processing, or disclosure of personal data within the EU, the Directive also requires Member States to restrict the transfer of personal data, including human resources data, to countries that provide "adequate" data protection. Neither the Directive nor Member State laws define "adequacy," thus leaving a great deal of uncertainty about whether a particular privacy framework would be deemed "adequate" by the EU and whether information may continue to be transferred.
Article 26 of the Directive provides several exceptions that allow for international transfers of personal information where there is no "adequacy" determination in place for the relevant jurisdiction. These exceptions are similar to those that are provided by the Directive for legitimizing data processing in general and include situations where: (i) the data subject has given his or her unambiguous consent; (ii) the transfer is necessary for the performance of the contract with the individual; or (iii) the controller has entered into an appropriate contract, which, if individually negotiated, requires approval of the Member State DPA ("ad hoc contracts"), or which incorporates certain standard contractual clauses that have been approved by the European Commission ("model contracts"). Relying on these exceptions in the cross border context has significant drawbacks, however. These drawbacks are discussed below.
Employee Consent for the Transfer of Data
Employee consent for the transfer of personal data outside the EU is distinct from, for example, the consent required to disclose such data to third parties within the EU. Although the Directive requires "unambiguous" consent in both instances,31 if consent is relied on to legitimize disclosures to third parties within the EU, in most Member States an employer need only obtain opt-out consent (unless sensitive information is involved). Where consent is required to legitimize cross border data transfers from the EU to third countries, nearly all the Member States interpret unambiguous consent to require opt-in or affirmative consent. Many Member States also require the employer to inform the employee that the data will be transferred to a country that may not ensure "adequate" privacy.
As previously discussed, the view taken by some Member States that consent from existing employees is either suspect or invalid means that in those countries it is also a risky proposition for employers to rely on even opt-in employee consent for cross border transfers. At a minimum, employers that rely on employee consent will need to examine whether the Member State from which the data are to be exported accepts employee consent as a valid basis for legitimizing such transfers. The Working Party Opinion casts further doubt on the use of employee consent to legitimize transfers of employee data out of the EU. Given the uncertainty of whether employee consent may be relied upon in certain Member States and proposed legislation in others, employers wishing to transfer employee data to Japan (or other countries that do not meet the EU "adequacy" standards) may wish to consider relying on grounds other than employee consent for such transfers.
Information Necessary to Complete the Employment Contract
Employers who transfer employee information on the basis that it is necessary to complete the employment contract are limited in the purposes for which they may use the information once it is transferred out of the EU. Thus far, there has been no detailed discussion in the EU of what would be considered "necessary" in this context. As noted above, many Member States take a fairly narrow view of what is necessary to complete the contract. When relying on this ground for transferring employee information from the EU, employers should be cautious about using such information after it has been transferred to do more than pay employees and provide benefits. Using employee information for purposes such as creating an employee telephone list or tracking employee mobility and travel availability may not be permitted if a company relied on this exception in transferring the data.
The need to transfer for the purposes of performing a contract also extends to those cases where an agreement is concluded between an EU data controller and a non-EU third party involving a transfer to the third party if such transfer is carried out in the interest of the data subject. For example, a Japanese company with offices in the EU could use this as legal grounds to transfer data concerning its EU employees from the EU to a third-party company in Japan to enable such company to provide a health or pension scheme to its EU employees.
Contracts
Ad Hoc Contracts. Ad hoc contracts are individually negotiated contracts and are concluded between the data exporter in the EU and the data importer located outside the EU. In most Member States, these contracts must be approved by the relevant Member State DPA. In the employment context, the contract would be between the employer in the EU and its Japanese affiliate. Ad hoc contracts vary from country to country, but generally provide that the data must be processed consistently with the Directive and, in many instances, with the laws of the Member State from which the data are exported.
A major advantage of ad hoc contracts is that they have served as a legal basis for transferring personal data from Europe for over ten years and, therefore, provide a great deal of legal certainty for companies relying on them. Ad hoc contracts, however, have several significant disadvantages as well. While the purpose of the Directive is to harmonize data protection law throughout the EU, differences still remain among the Member States' data protection laws. Consequently, when an employer relies on ad hoc contracts to legitimize the transfer of data from the EU, the employer or company would need to continue to track data received from the Member States by country of origin to ensure that the data are handled in compliance with the appropriate Member State data protection requirements. In addition, employers considering this option need to consider scheduling requirements because extensive delays may occur due to the approvals of ad hoc contracts that are required in many Member States. Approvals generally take a minimum of one to two months to obtain and may take longer if the DPA has questions about the transfer or the requisite forms were not completed properly in the first instance. Subsequent additional approvals also may be required, for example, if changes are made in the processing of or type of personal information collected.
Model Contracts. The Commission formally adopted model contract clauses for transfers of data from one controller to another controller located outside the EU32 in June 2001, and the clauses went into effect in September 2001. Many had hoped that model contracts, which are intended to provide one form contract useable in all EU countries and require no approval by individual DPAs, would create a workable and substantially more streamlined data transfer process. Unfortunately, it appears that the model contracts' drawbacks may outweigh their advantages.
The model contract clauses approved by the EU allow the data importer three different options. It may elect to comply with (i) the national law of the data exporter, (ii) a set of principles attached to the model contract,33 or (iii) a Commission adequacy decision, provided the company is located in the jurisdiction to which the decision applies and the company also complies with yet other mandatory privacy principles also attached to the model clauses.34 These options leave companies with a burdensome and potentially unworkable scenario. For example, if companies choose to comply with the national law of the data exporter and they have employees in several EU countries, as discussed above, companies may have to comply with multiple legal requirements of different Member States.
If companies elect to abide by the Mandatory Principles, these companies will be required to adhere to a higher standard than is required by the Directive. For example, under the Directive, information may be processed for the use for which it was acquired, as well as for any other compatible uses. The Mandatory Principles, however, more narrowly restrict uses of the information, allowing it to be used only for the specific purpose for which it was collected. Additionally, if companies choose to rely on the terms of a Commission adequacy determination, they have to "top up" and comply with stricter requirements than those set forth in the "adequacy" determinations. In both instances, companies will be limited in their uses of personal information so that it may only be used for the specific purpose for which it was collected, requiring employers to go back to their employees if the companies want to use employee data for purposes beyond those contemplated when the companies collected the data. In both instances, the companies' use of data would be more limited once the data are transferred from the EU than while the data are still in the EU.
The model clauses further require that: (i) the data subject be made a third party beneficiary of the agreement; (ii) the data exporter and data importer be jointly and severally liable for any damages; (iii) the data importer submit to audit by the data exporter or an inspection body selected by the data exporter (and where applicable, in agreement with the DPA); (iv) the data importer have security measures in place that are appropriate to the risk; (v) the data importer warrant that it "has no reason to believe" that the legislation applicable to the data importer prevents it from fulfilling its obligations under the contract; (vi) the governing law of the agreement is the law of the Member State where the data exporter is established; and (vii) the parties agree to the jurisdiction of the relevant Member State courts.
These onerous requirements potentially create a host of difficulties for companies that choose to rely on model contracts. For example, a Japanese company would have to agree to be subject to the jurisdiction of each Member State from which it transfers data. Thus, the model clauses do little, if anything, to provide a less burdensome approach to data transfers from the EU to third countries than the other alternatives provided by Article 26 of the Directive.
Employer Evaluation of Employee Data Practices
Any company operating in the EU has to comply with all relevant Member State data protection laws. A company should, therefore, know what information relating to its employees it collects and how such information is used. Such information and uses should be cataloged by the company. Special attention should be paid to any information collected that is considered sensitive information,35 because it requires special handling. Once a company understands what data it collects from its employees, the company should examine the purpose(s) for collecting the information to ensure that it has specified, explicit, and legitimate purpose(s) for such collection so that the Directive's stringent "necessary" standard is met. Also, an employer should take into account when examining its practices that the proportionality requirement bars collection and use of information that is excessive in relation to the purposes for which it is collected. Thus, all information must be tested under these standards and any "nice to have" but unessential information should not be collected.
A company must put adequate procedures in place to ensure the accuracy of information and purging of information no longer required for the purposes for which it was collected. To comply with the notice requirement, a company should assess its practices and create appropriate descriptions of what the company collects about its employees and how such information is used and disclosed, and provide these descriptions to employees. In certain instances, it may be necessary for an employer to obtain informed employee consent.
Further, the company should evaluate its technical and organizational measures for ensuring that employee information is protected against unauthorized disclosure or access and also ensure that appropriate training is in place for staff members who have access to personal data of other employees. An employer may want to consider employment contracts that include confidentiality clauses for staff members handling employee data.
Finally, the company should ensure that it is in compliance with DPA registration requirements in those Member States in which the company has employees and that require registration.
Assessing the Legal Ground(s) for Transfer of Employee Data from the EU
As part of its employee data collection and use inventory, a company should review whether it transfers any employee data to Japan or other third countries that have not been declared "adequate" by the European Commission.36 If a company does, indeed, transfer data to Japan, the company should determine the most practical ground on which it will transfer such information, e.g., ad hoc contracts, model contracts, or consent, and bring itself into compliance with the requirements of the chosen ground.
Ongoing Considerations
Finally, given the intense discussion on collection and use of employee information currently underway in the EU and many Member States, companies should routinely monitor new developments and adjust their procedures accordingly. For example, responses to the recently issued Consultation Document37 likely will play an important role in shaping an initiative at the Community level and, therefore, affect community employment data practices.
- Any reference to the EU should be understood as referring to the territory of the European Economic Area (EEA). The Member States are Belgium, France, Germany, Iceland, Italy, Liechtenstein, Luxembourg, the Netherlands, Norway, Denmark, Ireland, the United Kingdom, Greece, Spain, Portugal, Austria, Finland, and Sweden.
- Any reference to the EU refers to the European Economic Area (EEA). The Member States are Belgium, France, Germany, Iceland, Italy, Liechtenstein, Luxembourg, the Netherlands, Norway, Denmark, Ireland, the United Kingdom, Greece, Spain, Portugal, Austria, Finland and Sweden.
- Four countries have been determined to provide adequate data protection: Switzerland, Canada, Hungary, and the United States through the voluntary self-regulatory system called the Safe Harbor.
- The jurisdictions regarded as providing "adequate" data protection are Switzerland, Canada, Hungary, and the United States where the self-regulatory scheme known as the Safe Harbor rules is followed.
- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regards to the processing of personal data and on the free movement of such data, 1995 O. J. (L 281) 0031-0050. The Directive took effect in October 1998.
- Personal information is defined as information relating to an identified or identifiable natural person.
- See Directive, Article 1.
- See id., Article 3.
- See id., Article 8.
- See id., Article 28.
- See id., Article 18.
- See id., Article 18 and 19.
- See id., Article 2(a).
- For example, the Spanish registration form contains categories for employee management, management of payrolls, employee training, social security, and recruiting. The Working Party Opinion (as defined in the text) also gives examples of employment records covered by the Directive, which include: "[a]pplication forms and work references, travel, payroll and tax information, tax and social benefits information, sickness records, and annual leave." See infra note 16.
- See Directive, Article 7.
- Article 29 Data Protection Working Party Opinion 8/2001 on the processing of personal data in the employment context, September 13, 2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp48en.pdf.
- See Directive, Article 7(b).
- In some Member States, what is necessary for performance of the employment contract may be interpreted more strictly than in others. In those states, companies should consider establishing additional legal grounds for processing employee data, such as employee consent.
- See Directive, Article 7(c).
- See supra note 9 and accompanying text.
- See id., Article 7(f).
- See supra note 16.
- See Directive, Article 6.1(c).
- See id., Article 6.
- See id., Articles 10 and 11.
- See id., Article 6.1(d).
- See id., Article 12.
- See supra note 16.
- See Article 29 Data Protection Working Party Recommendation 1/2001 on Employee Evaluation Data (5008/01/EN final), Adopted 22.3.2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp42en.pdf.
- See Directive, Article 23.
- See id., Articles 7(a) and 26.1(a).
- See Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC, O.J. (L181/19) of 4.7.2001, available at http://europa.eu.int/comm/internal_market/en/dataprot/news/1539en.pdf. The Commission is also in the process of considering standard contractual clauses for the transfer of personal data to third countries from a data controller to a data processor. See Draft Commission Decision (version 31 August 2001) on standard contractual clauses for the transfer of personal data to data processors established in third countries under Article 26(4) of Directive 95/46, available at http://europa.eu.int/comm/internal_market/en/dataprot/wpdocs/wp47en.pdf.
- See id., Commission Decision 2001/497/EC of 15 June 2001, at Appendix 2.
- Id., at Appendix 3.
- See supra note 9 and accompanying text.
- Four countries have been determined to provide adequate data protection: Switzerland, Canada, Hungary, and the United States through the voluntary self-regulatory system called the Safe Harbor.
- Second stage consultation of social partners on the protection of workers' personal data, available at http://europa.eu.int/comm/employment_social/news/2002/oct/data_prot_en.pdf.
This newsletter addresses recent employment law developments. Because of its generality, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
For more information on this topic, you may also contact one of the following attorneys:
| Office / Attorney | Telephone | E-mail |
|---|---|---|
| Washington, D.C. | | |
| Rachel Howell | 202-778-1650 | rhowell@mofo.com |
| New York | | |
| Michiko Ito Crampe | 212-468-8028 | mcrampe@mofo.com |
| Deborah L. Kefer | 212-468-8014 | dkefer@mofo.com |
| Michelle A. Lopez | 212-506-7391 | mlopez@mofo.com |
| Joan P. Warrington | 212-506-7307 | jwarrington@mofo.com |
| Miriam H. Wugmeister | 212-506-7213 | mwugmeister@mofo.com |
| San Francisco | | |
| Rufus Pichler | 415-268-6625 | rpichler@mofo.com |
| Brussels | | |
| Dieter Paemen | 32-2-347-0400 | dpaemen@mofo.com |
| Karin Retzer | 32-2-347-0400 | kretzer@mofo.com |
| Jenny Romelsjo | 32-2-347-0400 | jromelsjo@mofo.com |
| London | | |
| Ann Bevitt | 44-20-7896-5841 | abevitt@mofo.com |
| Keith Krasny | 44-20-7896-5807 | kkrasny@mofo.com |
| Christine Mott | 44-20-7896-5804 | cmott@mofo.com |
| David Naylor | 44-20-7815-1151 | dnaylor@mofo.com |
| Simeon Spencer | 44-20-7896-5843 | sspencer@mofo.com |
| Jane Thatcher-Browne | 44-20-7896-5811 | jthatcherbrowne@mofo.com |
| David Warner | 44-20-7896-5844 | dwarner@mofo.com |
| Tokyo | | |
| Daniel Levison | 81-3-3214-6522 | dlevison@mofo.com |
| Fuyuo Mitomi | 81-3-3214-6522 | fmitomi@mofo.com |
| Jay Ponazecki | 81-3-3214-6522 | jponazecki@mofo.com |
| Ken Siegel | 81-3-3214-6522 | ksiegel@mofo.com |
| Toshihiro So | 81-3-3214-6522 | tso@mofo.com |
| Hong Kong | | |
| Jonathan Lemberg | 852-2585-0866 | jlemberg@mofo.com |
| Janet Ng | 852-2585-0872 | jng@mofo.com |