Many U.S. Multinationals Doing Little to Meet Overseas Employee Data Privacy Rules
Avoiding sanctions shouldn’t be the only concern; breaches of personal information could badly damage a company’s reputation.
By Ed Frauenheim
U.S.-based
companies could be forgiven for paying more attention to consumer privacy than employee
privacy. After all, a rash of data breaches affecting credit and debit cards in
the past few years has tarnished the image of financial services firms and put a
national spotlight on consumer identity theft. But businesses, especially large
global operations, would do well to focus on how they handle employee data as well.
Although U.S. law is relatively quiet on the topic, a thicket of rules in Europe
and other countries govern privacy issues. They include rules on what sort of information
employers can collect from their workers, the rights employees have regarding that
data, and how the information can be transferred to other regions of the world.
Those rules are looming larger these days because ever-more
international firms are seeking to consolidate their workforce data and use it to
make better decisions. What’s more, the rise of outsourcing has increased the amount
of employee data zapped outside of companies and countries.
While some multinationals take employee data guidelines seriously,
many firms haven’t done much to meet privacy law, analysts say. And employee privacy
is more than a mere compliance matter, says Nuala O’Connor Kelly, chief privacy
leader at General Electric. A breach of employee data could be as damaging to a
company’s reputation as a consumer data breach, she says. General Electric is in
the midst of getting European approvals for a worldwide employee privacy policy
it has drawn up—a policy that could serve as a model for other firms.
"Privacy is to the information age what the environment was
to the industrial age," O’Connor Kelly says.
Varying standards
Employee data privacy as an issue dates largely to 1995. That’s
when European Union leaders issued a directive on the processing and transfer of
personal data. In the wake of that edict, individual European countries have passed
related privacy laws. Among other things, the 1995 directive gives individuals rights
to access and correct data concerning them. It also restricts transfers of personal
data to countries that do not ensure "an adequate level of protection."
The European Commission, which enforces European law, has
not declared that the United States is out of compliance with Europe’s standard
for data protection. But neither has it said that the U.S. overall has met the standard.
Nevertheless, there are ways for companies to send personal
data from Germany, France and other European countries to U.S. locations. Among
these is the "Safe Harbor" program developed by the U.S. Department of Commerce.
Through the program, U.S. organizations pledge to abide by a set of privacy principles.
More and more companies are toeing the line when it comes
to European privacy regulation, says Donald Harris, president of consulting firm
HR Privacy Solutions. Even so, Harris says many businesses break the law restricting
transfers of employee data outside of the European Union.
Canadian privacy laws also are important for many U.S.-based
companies, says Brian Hengesbaugh, a Chicago-based attorney with the law firm Baker
& McKenzie. America’s biggest trading partner, Canada has both federal rules and
provincial ones that can take precedence. "It’s a very complicated set of laws,"
says Hengesbaugh, who helped craft the Safe Harbor program.
Among Canadian federal laws is one that says companies in
certain sectors such as banking and aviation must have a legitimate purpose for
collecting, using and disclosing employees’ personal information. Thanks to this
rule, firms may decide they should not collect data about race and ethnicity that
they’re used to capturing in the U.S., Hengesbaugh says.
Establishing sound global practices for employee and consumer
privacy can run into the hundreds of thousands of dollars, including legal fees
and new technology, Hengesbaugh says. He estimates that about half the Fortune
500 have taken significant steps toward compliance with employee privacy rules around
the world.
One firm wrestling with employee privacy compliance is Baker
Hughes, a Houston-based company that provides products and services to the oil and
natural gas industry. A committee of senior executives meets regularly to discuss
changes in requirements related to employee data privacy, says company spokesman
Gary Flaharty. At the same time the company, which operates in more than 90 countries
and employs 30,000, is seeking to consolidate its employee data, he says.
"We’re trying to do it as efficiently as we can and stay in
compliance with all the laws," he says.
Baker Hughes is studying whether its practices abide by Canadian
data privacy law, and if not, how it must change, Flaharty says. "We’re in the process
of verifying whether we’re in compliance," he says. The company currently does not
collect nationality information on Canadian employees, he says.
Flaharty said Baker Hughes has not directly communicated with
the Office of the Privacy Commissioner of Canada, which investigates complaints
under federal privacy law. But he said the company may do so.
Florence Nguyen, spokeswoman for the Canadian privacy office,
invited Baker Hughes to consult with her agency. Nguyen said the office prefers
to work with companies that may be out of compliance before bringing suit against
them.
European governments also tend to negotiate with firms to
get them square with the law, rather than immediately prosecute or fine them in
a showy display.
Even so, some cases in Europe have garnered attention. Spain
has a reputation as the most aggressive country when it comes to fining companies
over data privacy violations, including employee matters, says Don Dowling, an attorney
with New York City-based law firm Proskauer Rose. And he also notes that last year
French authorities denied McDonald’s and another company permission to operate whistle-blower
hotlines.
The anonymous hotlines were designed to comply with the U.S. Sarbanes-Oxley
Act, but they threatened to violate the data rights of people accused of wrongdoing,
says Dowling, who specializes in international labor law. The incident shows how
much employee privacy matters to Europeans, he says.
"Employee privacy issues are a white-hot issue to many European
workers," Dowling says.
Codes of conduct
But that white-hot issue runs headlong into a pressing strategic
imperative for many companies: mining employee data to guide decisions about topics
such as hiring, firing and succession planning. For multinational companies, a starting
point for that analysis is getting a firm grasp on their entire worldwide workforce.
Along these lines, GE keeps information about its employees
around the world in a single Oracle HR application. The industrial and technology
giant also aims to manage that global workforce consistently, which is a major reason
it formulated a privacy code of conduct, O’Connor Kelly says.
Such policies can be an alternative to the Safe Harbor program
and to individual contracts that organizations can sign when they wish to send personal
information out of Europe. An EU advisory group has given its blessing to the concept
of company codes that describe safeguards for protecting personal data transferred
outside of Europe. Known in European parlance as "binding corporate rules," the
policies must be approved by officials in individual European countries for data
transfers out of those countries.
The use of binding corporate rules is in the early stages.
GE is among the first to seek acceptance of a corporate privacy policy. It has won
approvals in half a dozen European countries and plans to publish its code after
securing green lights from several others, possibly by the end of June, O’Connor
Kelly says.
Binding corporate rules promise to put data policies in easy-to-understand
language rather than legalese, O’Connor Kelly says. In effect, the codes allow employees
in a wide range of jobs to grasp and practice a company’s methods for collecting,
protecting, disclosing and disposing of employee information, she says.
GE’s code has attracted the interest of Asian countries interested
in forming regulations on binding corporate rules, O’Connor Kelly says. Consultant
Harris predicts the publication of GE’s policy will trigger greater interest in
binding corporate rules as a privacy tool. "Everyone looks to GE," Harris says.
"That will be very influential."
Outsourcing concerns
The rise of HR outsourcing also is intensifying the debate
about employee privacy. Controversy has swirled around a contract between the state
of Florida and a unit of outsourcing firm Convergys for services including payroll,
benefits and human resource administration. Florida’s Department of Management Services
says a Convergys subcontractor used two or more companies in India to index state
employee personnel files and that the offshoring was "inappropriate."
There’s no evidence that state employee personnel data has
been compromised by the overseas work, according to the department. But Convergys
has provided a credit protection service to Florida state employees.
In addition, the Florida Attorney General’s Office is conducting
a probe related to claims that Convergys employees wrongly accessed state employee
personnel data.
Convergys spokeswoman Patricia Johnson says the company is
cooperating with that investigation. She also says Convergys no longer uses the
subcontractor accused of shipping work to India, and that Convergys has abided by
the contract with the state.
Meanwhile, attention to consumer privacy violations in the
U.S. is spurring state legislation that can spill over to workplace settings, attorney
Hengesbaugh says. "If you have a security breach with employee data, you may very
well have obligations to notify those employees," he says. He points to a Michigan
law requiring companies that collect employee Social Security numbers to create
a data protection policy.
Carolyn Anker, a privacy specialist at pharmaceutical firm
Eli Lilly and Co., calls HR privacy "the sleeping giant of privacy issues." Before
that giant wakes up and starts smashing corporate reputations, companies would be
wise to prepare.
Workforce Management, May 8, 2006, pp. 48-51
Ed Frauenheim is a Workforce Management staff writer based in San Francisco. E-mail editors@workforce.com to comment.