On Oct 24 2019 by Michele G. Madera
Cross-Border Employers Face Critical GDPR Risks
By Michele Madera and Jordan Fischer
In today’s world, technology and data are evolving at an increasingly rapid rate. Daily, we transact in more and more data: emails, text messages, phone calls, even clicks on a website. And, within this ever-changing digital environment, we are becoming an increasingly global workforce, transitory across different countries and even continents.
While people move across borders to meet their employer’s global workforce needs, their personal data is often moving with them. This can be in various forms, including for payroll, immigration, tax, relocation and insurance, among others.
With data and people moving across borders, the legal world is evolving too. In the past 24 months, numerous regions have passed, are passing or are considering passing data protection legislation. This legislation can take many forms: broadly protecting any personal data, protecting subsets of personal data, or a hybrid approach.
Employers now need to consider not only the move of the person and their employment, but also how their data will move, and must ensure its security through each phase of the process.
Against this backdrop, one of the most influential data protection regulations to enter into force is the European Union’s General Data Protection Regulation. The GDPR was adopted in April 2016 and went into effect on May 25, 2018. The GDPR builds upon a privacy-oriented infrastructure within Europe.
Prior to the adoption of the GDPR, the EU already maintained EU-level data protection legislation in the form of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The directive laid out the initial data protection framework for the EU, but gave deference to each member state to adopt more extensive data protections.
The aim of the GDPR is not to prevent the use of personal data. Instead, its objective is to provide individuals with increased transparency and control over the explosion of data being collected at an alarming rate.
It creates a high level of accountability on the part of collecting entities to only use personal data for legitimate reasons, and only for reasons articulated to the individuals whose data is impacted. The GDPR also emphasizes data minimization: the practice of collecting the least amount of data needed to perform the task, action or service for which the data was initially collected. This limited data retention directly combats the data hoarding mentality under which many companies currently operate.
The GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services … to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
On Nov. 16, 2018, the European Data Protection Board, or EDPB, adopted preliminary Guidelines 3/2018 on the territorial scope of the GDPR. The guidelines break Article 3 into two main criteria for determining whether the GDPR applies: “the ‘establishment’ criterion, as per Article 3(1), and the ‘targeting’ criterion as per Article 3(2).”
Under the establishment criterion, the EDPB emphasizes that determining the role of the parties involved (i.e., controller, processor, etc.) is key to any jurisdictional analysis (see below for further information on these GDPR roles). Further, whether an entity is “established” within the EU is not determined by physical presence within the EU; the focus is on “both the degree of stability of the arrangements and the effective exercise of activities in that Member State.”
Turning to the second criterion, the targeting criterion, the EDPB states that the focus is on “what the ‘processing activities’ are ‘related to’”. The EDPB emphasizes that the GDPR is meant to be all encompassing and not limited by citizenship, residence or any other legal status of the data subject. The trigger is a data subject’s location within the EU at the time the activity takes place.
Further, there must be some element of “targeting” data subjects within the EU:
[T]he processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, as long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behaviour in the Union.
When turning to the Article 3(2) monitoring of the behavior of a data subject, the EDPB outlines the trigger as “the behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union.”
The territorial scope of the GDPR is a key analysis that any U.S.-based employer must make regarding their employees and the corresponding personal data.
First, where is the employee located? If the employee is located within the EU, then the GDPR applies to the processing of that employee’s personal data.
Second, is the employer using tools to monitor its employee’s behavior? And, is that employee located in the EU? If the answer is yes, then the GDPR will apply to the monitoring of that employee.
For instance, if a U.S. citizen is living and working within the EU, then that employee is present in the Union for the purpose of the GDPR, and all of that employee’s data related to their behavior is also within the EU. As such, it is likely that both of these sources of personal data (the employment itself and the monitoring) would be impacted by the GDPR.
Conducting this territorial scope analysis is the first consideration an international employer should make when considering its obligations for compliance.
Next, an employer must understand its role under the GDPR to determine how to ensure its compliance with the regulation. The GDPR applies to the processing and free movement of personal data, both of which are broadly defined.
When determining what information will constitute personal data, it is important to understand that this information encompasses “any information relating to an identified or identifiable natural person (‘data subject’),” which includes a data subject “who can be identified, directly or indirectly.” This goes beyond the approach generally taken in the United States when defining personal data, where most states require a combination of specific information in order to reach the definition of personally identifiable information, such as a name plus a Social Security number.
Further, the GDPR delineates key roles regarding the processing of personal data.
A data controller is the entity that “determines the purposes and means of the processing of personal data.” In addition to the data controller role, the GDPR also recognizes instances where a joint-controller may exist. A joint-controller is “[w]here two or more controllers jointly determine the purposes and means of processing.”
The GDPR requires data controllers to implement appropriate measures to ensure and be able to demonstrate compliance with the GDPR, taking into account, among others, “the risks of varying likelihood and severity for the rights and freedoms of natural persons.” These “appropriate measures” include those that are “designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing” to meet the GDPR’s requirements.
These measures also must include “by default” mechanisms to ensure that “only personal data which [is] necessary for each specific purpose of the processing are processed.” Ultimately, the data controller is responsible for its compliance with the GDPR and the compliance of any third parties it uses to provide it data-related services.
During the relocation process for an employee, an employer may be considered a data controller. The employer could be determining the purposes and means of processing personal data for the employee — including providing it to third party vendors on behalf of the employee. If the employer is a data controller, it is held to the highest standards under the GDPR and needs to ensure that the aforementioned safeguards are in place for this highly personal data.
Another role under the GDPR is a data processor. This is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Liability under the GDPR flows to all parties in the chain of data, which includes data processors. Processors are required to enter into a contract or other legal arrangement “that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller.”
The selection of data processors under the GDPR is very important. The GDPR expressly requires data controllers to “use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” Therefore, GDPR due diligence is a key component to address prior to engaging with any third parties who will have access to or process personal data.
The GDPR impacts every aspect of a business, both internal and external to the company. Data drives most business processes, and to the extent that data identifies an individual, it could be considered personal data. Under the GDPR, data protection has become a daily concern, to be addressed by all levels of employment.
When an employer is considering transferring an employee from the EU to another location, or vice versa, it needs to consider all the data that will move through its organization and its third-party vendors. Some of this data is highly sensitive — including data about sexual orientation, race and religion — which also requires greater controls under the GDPR.
By mapping out the flow of data and what data is required for immigration, tax, relocation, etc., the employer will have a better sense of the personal data it maintains and can ensure its compliance, along with the compliance of its vendors.
Ultimately, companies need to determine (1) whether and to what extent their personal data is impacted by the GDPR and (2) how to bring their systems, processes and governance into compliance.
As the GDPR becomes more established, companies are facing liability from a variety of fronts: regulatory actions, private actions brought by individuals and a combination of both. And, the personal data involved in the global movement of employees is some of the most sensitive information, raising the stakes for the companies involved.
The material contained in this article does not constitute direct legal advice and is for informational purposes only. An attorney-client relationship is not presumed or intended by receipt or review of this presentation. The information provided should never replace informed counsel when specific immigration-related guidance is needed.
Reprinted with permission from the October 17, 2019 edition of the Law360.com. Further duplication without permission is prohibited.