The employment law year in review: data privacy
This series of articles looks back thematically at the employment law year, incorporating contributions from Ius Laboris member firms across the alliance. This part covers developments in data protection and privacy.
EU employers are, of course, still getting to grips with the requirements of the GDPR, which has now been in force for 18 months.
Some very significant fines have already been imposed by the Data Protection Authorities (‘DPAs’) in some countries: a EUR 50 million fine on Google LLC in France, and proposed fines of GBP 99.2 million on Marriott and GBP 183.4 million on British Airways in the UK. Although these big fines do not relate to employment data, a major employee data breach could similarly lead to a significant penalty, and it remains critically important to train all staff who handle personal data to ensure compliance with the GDPR.
In contrast, some Eastern European countries have been slower to take significant enforcement action. Although some relatively significant fines have been imposed in Poland and Lithuania, the DPAs in Latvia, Bulgaria, the Czech Republic and Hungary have imposed only very minor penalties so far, and Slovenia has not yet completed the process of implementing the GDPR into national legislation.
There has been a notable rise in data subject access requests in Germany, and employees are using such requests to obtain information for court proceedings without being limited by the usual procedural rules. Lower courts are currently interpreting the employer’s obligations extensively and a case is now pending before the Federal Labour Court.
In the Netherlands, in one of the first decisions there on violation of the GDPR in the context of employment, the Amsterdam District Court ordered an employer to pay damages after it sent sensitive information about an employee’s health to her new employer.
The new data protection law in Spain gives employees a digital disconnection right in order to safeguard their personal and family privacy, as well as their rest time and holidays. During 2019, employers have been drafting internal policies defining how this right should be exercised and providing for reasonable use of IT tools by employees.
Switzerland has decided not to adopt the GDPR, but is currently amending existing data protection laws to give greater transparency in data processing and control mechanisms, alongside strengthened supervision and sanctions.
An important EU-level issue to be decided by the ECJ in 2020 is the validity of Standard Contractual Clauses (‘SCCs’). These are used to transfer personal data to non-EEA countries in compliance with GDPR, and became particularly important after the ECJ’s ruling that the Safe Harbor framework for data transfers to the US was not valid. Max Schrems, who brought the Safe Harbor case, subsequently complained to the Irish DPA about Facebook’s use of SCCs, and the issue has been referred to the ECJ. In December the Advocate General delivered an opinion that SCCs are valid, but this will not necessarily be followed by the ECJ.
Countries outside the EU have also been enacting data privacy laws. Perhaps the most significant, from the home of most of the world’s leading technology companies, is the new Consumer Privacy Act in California. This major new law came into effect on 1 January 2020, and implements a raft of new protections for personal data about individuals in California which are similar to the GDPR – including rights to information about data collection and use, deletion of data, and subject access.
Although the Act exempts employee data collected for the purposes of employment, it will be very important for workers who handle personal data to be trained in the new rules if they deal with businesses or individuals in California.
Also in the US, in August 2019, Illinois became the first US state to regulate how employers can use artificial intelligence to assess a candidate’s performance in a video-recorded interview. This was in response to the growing usage of AI-powered tools for evaluating performance by analysing a candidate’s language, tone and facial expressions. Candidates must now be told that AI may be used and how it works, must give their consent in advance, and have the right to demand that the video is destroyed.
Brazil’s data protection law came into effect in 2019 (having been enacted in 2018). Thailand introduced its first data protection law in May 2019. We are also expecting new data protection laws in the United Arab Emirates and India.
A new personal data protection law and a new data security law have been included in the 2020 legislative agenda in China. In combination with existing laws on cybersecurity and e-commerce, these proposed new laws would provide a comprehensive framework for protection of individual data privacy rights at national level.
In January 2019, a new framework for mutual and smooth transfer of personal data between Japan and the EU was implemented. The European Commission also adopted an ‘adequacy decision’ accepting that the data protection regime in Japan offers equivalent protection to that available in the EU. In parallel, the Japanese data protection authority designated the EU as having personal information protections equivalent to those in Japan (the first ever such designation in Japan).
In 2020 the EU will be required to make a similar adequacy decision about the UK to allow cross border flows of data to continue unimpeded once the Brexit implementation period comes to an end.
KLIEMT.Arbeitsrecht is a member of Ius Laboris, an international alliance of leading law firms providing specialised services in employment law.