PREPARING TO RESOLVE
U.S.-BASED EMPLOYERS’ DISPUTES
UNDER EUROPE’S NEW
DATA PRIVACY LAW

Donald C. Dowling, Jr.*
of
Hewitt Associates LLC, Lincolnshire, Illinois

Copyright © 2000 by Donald C. Dowling, Jr.

Cite as 1 ALSB INT'L BUS. L.J. 39




Europe has a new law that broadly protects Europeans’ data privacy. And because the new law does not distinguish personal from personnel data, it has a significant impact on employers’ human resources management—and unexpected ramifications for resolving trans-Atlantic employee-data disputes.

The new European data law is forcing employers in Europe to scramble, reviewing all their European personnel practices to ensure none are in violation. And the problem is particularly sticky for multinational employers based in the U.S., because Europe’s data-privacy community distrusts America and fears that personal data, once transmitted to our shores, is unregulated and subject to abuse.

This makes life tough for American multinational employers making worldwide promotion and compensation decisions from U.S. headquarters, and coordinating the human resources function stateside. Think of all the U.S. multinationals granting employee benefits and stock options from headquarters, and administering human resources data (such as via a PeopleSoft system) from computer systems in the states. How will these multinationals function when a data privacy law restricts U.S. human resources from learning even basic information—names, ages, and salaries—about their own European workforce?

Coming up with a workable and legal personnel data-management system is therefore the primary challenge for American companies under the new data law. And perhaps the chief concern in designing such a system is dispute resolution. To U.S.-based multinationals, one of the most vexing aspects of Europe’s data privacy law is its strict dispute resolution requirement.

American employers tend not to share the strong respect Europeans place on personal data privacy. So U.S.-based multinationals forced to set up data-management systems protecting employee privacy are reluctant to include mechanisms allowing an aggrieved employee to sue them. But Europe’s data privacy law specifically grants a private right of action in court for claimants who think their privacy has been invaded, and a separate provision allows for sanctions going beyond damages. European regulators take this access to the courthouse quite seriously.

Yes, there is real irony here. The U.S. has a well-deserved reputation for being litigious—far more litigious than Europe. Normally, it is American laws that give aggrieved individuals a private right of action in court for violations (often with enhanced damages). European law is far more likely to focus on administrative enforcement. Yet data privacy turns this expectation on its head, with the Europeans requiring access to court and sanctions, and Americans arguing for, at most, internal remedies and alternative dispute resolution. Complicating everything, the European data privacy law simultaneously calls for heavy-handed administrative oversight and the creation of new data privacy bureaucracies meant to head off data privacy disputes.1

How European data privacy dispute-resolution plays out will have a lasting effect on the way U.S. multinationals process personnel information about their employees in Europe. This topic will affect trans-Atlantic employment-dispute resolution into the new millennium. So employers in Europe and the U.S. need to know: Where is trans-Atlantic data privacy dispute resolution heading?

Wait. First we have to back up. Before analyzing the dispute resolution debate under the European data privacy law and its effect on multinational employers in the states, we have to understand why and how Europe regulates data privacy in the employment context, what the status is of Europe’s data privacy law, how the privacy law affects U.S.-based employers in Europe, and what the law requires. We also need to know how the data law affects multinationals in the U.S. Only then might we understand the direction in which the political debate and the human resources concerns are pushing dispute resolution in trans-Atlantic employee data privacy.

Why Does Europe Regulate Employee Privacy?

In 1998 a U.S. company called "On-Line Investigations, Inc." sent out direct mail advertisements announcing:

  • Mr. Johnson was born on November 9, 1962 and has the social security number of 555-55-5555.
  • He has lived at five different addresses over the last 7 years.
  • He has an Illinois Driver’s License, number 0316-4987-3426.
  • [The advertisements then give other data, such as "Mr. Johnson’s" address, price paid for his house, personal data on his wife, automobile license plate number, and litigation and bankruptcy history.]

YOU CAN DISCOVER ALL OF THIS IN 30 MINUTES FOR $40.00/On-Line Investigations, Inc./Call 1-888-566-8067/MasterCard/Visa2

Like On-Line Investigations, even U.S. governments can be cavalier about disseminating personal data. In 1999 the motor vehicle agencies of Colorado, Florida, and South Carolina sold millions of images of drivers’ license photographs for "a penny apiece" to a for-profit company called Image Data LLC—without seeking permission from or even telling the drivers.3 News of the sale leaked out and touched off a "firestorm" of "livid" complaints "cut[ting] across all boundaries . . . rich and poor." One state legislator had "rarely seen constituents as angry."4

On-Line Investigations and Image Data operate legally in the U.S., but they will not be branching out into Europe. In Europe, businesses like these could not legally exist. Culturally, Europeans see personal data as akin to intellectual property: Europeans believe corporations should not traffic in personal information without the consent of its owner. To explain Europeans’ distrust of free transfers in personal information, some have cited the Nazi government’s abuses of personal data to further its aims. Others note Europeans’ distaste at the U.S. fixation on politicians’ sex lives. Europeans, unlike Americans, consider personal information—be it about politicians, employees, or anyone else—private.

In contrast to the U.S. First Amendment environment—where information flows freely, where mailing lists are bought and sold, and where merchants legally mine information about consumers’ purchasing patterns—in Europe, owners of personal information, like owners of intellectual property, have a legal right to keep others from using what is theirs.

While the U.S. has no generally-applicable law restricting transfers of personal data, the European Union [EU] actively restricts many transfers of personal data—transfers like those which On-Line Investigations promises to make to its customers, and like those which the drivers’ license agencies made to Image Data. One benefit: Europeans do not get telemarketing cold-calls during dinnertime. Personal-data-related business practices common in the U.S.—such as maintaining and selling mailing lists and doing automated-decision-making like computerized pre-screening of credit cards, college entrance applications, and job applications—are becoming flatly illegal in Europe.

And while preventing situations like the On-Line Investigations and Image Data scenarios seems a noble goal even to many Americans, the EU’s law—its so-called data privacy directive—extends much more broadly, including into employment law and human relations.

How Does a European Union Directive Extend to the European Countries?

The Brussels-based EU, the political entity that issued the data privacy directive, is a treaty-created body of 15 Western European member states unique under world law. The EU is not a federal government, and the European member states are still in many ways autonomous countries—but they are subject to EU law from Brussels.5

An EU "directive" such as the data privacy law is one type of EU "instrument," or statute. But a directive is not a law that applies directly to any private party. Rather, a directive directs each EU member state to clone the directive’s terms into local law. But the clone law need not be an exact replica; it can vary somewhat. That is, a directive usually gives the EU states freedom to localize directive rules by modifying certain of the directive’s terms as each local legislature "transposes" (adopts) the directive into local law. This deference to a member state’s interest in localizing European law is called "subsidiarity."

The data privacy directive is especially respectful of "subsidiarity." While the directive forces each EU country to create its own distinct data law enforced by its own distinct data bureaucracy, it allows each EU state freedom to tweak data privacy rules, and each local state data-privacy bureaucracy is to have its own unique local procedures. So under the directive there will be a distinct Spanish data law and enforcement agency, a French, an English, a Greek, and so on.

What Is the Status of the Directive’s Implementation?

As a directive, the EU data privacy law for most purposes has no "horizontal direct effect" (Euro-speak for a Brussels law which empowers private parties to sue one another).6 That is, from the point of view of individuals and private employer companies, the directive has no teeth until a member state implements it. The data directive passed in 1995, but it gave each member state until October 25, 1998 to pass and implement its own data privacy law. Hence October 1998 saw a flurry of publicity, in Europe and in the U.S., on the dawning of the era of European data privacy regulation.

But the member states have less-than-stellar records in implementing directives by their deadlines.7 Beneficiaries of a directive in states with no timely transposing law (in this case, employees whose personal data are misused after October 1998 in an EU member state which has not passed a data privacy law) might have a technical legal claim against their employers based on the supremacy of EU law.8 But for most practical purposes, the data privacy directive does not come into force in a member state until the member state implements it.

As of the October 1998 deadline, only four member states—Denmark, Greece, Spain, and the U.K.—had moved to implement the directive, and not even all four of these laws were then in effect. Other states had pre-existing laws which protected data privacy—but which had not yet been amended to conform to all the terms of the directive.9 In 1999, the Commission was being patient with the eleven recalcitrant member states, allowing some time before bringing proceedings for failure to implement the directive.

Yet the member states’ delay in implementing the directive does not imply resistance: The mood in Europe (as opposed to in the U.S.) was by no means antagonistic to the directive’s principles. By 1999, the member states were scrambling to pass implementing laws. Relieving some of the pressure, Brussels "informally suspended" enforcement of the directive as it entered discussions with the U.S. on cross-border data transfers.10

How Does the EU Data Privacy Directive Affect Employers?

Because the EU data privacy law reaches employee data, the new data privacy laws and procedures that the local EU states are creating under the directive regulate employers’ human resources practices. Regulating data privacy in the European employment context is not entirely new; various EU member states have had data privacy laws on their books for years. These laws first became widespread after the 1980 OECD "Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data"11 and the 1981 "Council of Europe Convention on Data Protection."12

But until now, U.S. employers operating in Europe have largely ignored data privacy, because European laws affecting employee privacy were not comprehensive.13 U.S.-based multinationals began to focus on cross-border data privacy regulation only in 1998—the year the EU began to implement its new law, the "Directive . . . on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data."14

An EU Commission agency called "Directorate-General [DG] V" drafts employment-related "social" laws. However, the data privacy directive is the product of a different arm of the EU Commission, "DG XV," which is charged with "Internal Market and Financial Services." Under EU practice, a wide gulf separates DG V social/employment issues from DG XV market/financial concerns. As such, the data privacy directive received little input from Europe’s social/employment community (the so-called "social partners"—employers’ umbrella organizations and organized labor). As of late 1999, there was talk in Brussels of releasing an entirely separate instrument on data privacy in employment, but no such law had yet issued, even in draft form. The original data privacy directive, therefore, by default governs privacy in the workplace and in personnel administration.

Even to this day, the data privacy directive tends not to be one of the issues that those who concentrate on EU social/employment matters focus on. That is, although in practice the data law directly affects human resources operations, within EU circles data privacy is not seen as a social/employment issue. This explains why the human resources departments of U.S.-based companies with operations in the EU were not ready for the directive before 1998—and why many remain unready at the start of the new millennium.

The data privacy directive directly affects the substantive businesses of multinationals in certain specific industries—particularly, pharmaceuticals (drug purchase records), travel (frequent flyer accounts), insurance (actuarial data), telecommunications (telephone call records), financial services (records of purchases, loans, and ATM transactions), and internet commerce (web sites collecting visitor data). But while the directive will have sweeping ramifications throughout Europe for multinationals in these industries, it also will have significant effects on the human resources operations of employers in all industries. In running personnel departments, employers process vast amounts of employee data subject to the directive: performance evaluations; personnel files; attendance records; employee benefit information including health and life insurance; pension information; stock option records and other compensation or benefit accounts; and records disclosing employees’ salary, ethnicity, sexual information, dependents, and trade union membership.

Given that multinational employers tend to centralize human resources data, the directive hampers multinationals’ ability to process personnel information. Indeed, the rise of technological data-processing products like PeopleSoft and even e-mail increasingly tempts multinationals to transfer employee information in ways that might violate the directive. Multinational employers increasingly process personnel information, company-wide, from a mainframe computer located at headquarters.

The problem becomes particularly acute for U.S.-based multinational employers—both because the directive has special restrictions on transferring personal information outside of the EU,15 and because the directive imposes restrictions which, because they have no U.S. counterparts, run afoul of personnel systems designed in the U.S.

What Does the EU Data Privacy Directive Require?

The directive’s potential to have a significant impact on H.R. is clear. But what, specifically, does the EU data privacy directive tell employers to do?

The directive requires each EU member state to pass a law to "protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data."16 The directive defines "personal data" to include both computer-stored and paper-document information—"any information relating to an identified or identifiable natural person," who is known as the "data subject."17 The directive does not directly define "data subject," but, given the reach of the law, in the employment context "data subject" would necessarily include all of a company’s employees physically in the EU—including U.S.-citizen expatriates on assignment in Europe. (Whether the member states implementing the directive will try to reach European citizens on expatriate assignment outside Europe is not clear.)

The directive aims itself at data "controllers"—legal entities such as employers which "alone or jointly with others determin[e] the purposes and means of the processing of personal data."18 The directive requires each data controller to process personal data so as to ensure five "data quality principles": (1) that personal data are processed "fairly and lawfully"; (2) that data are collected "for specified, explicit, and legitimate purposes and not further processed" so as to violate these purposes; (3) that data are "adequate, relevant, and not excessive in relation to" the purposes they are collected for; (4) that data are "accurate and, where necessary, kept up-to-date," so that "every reasonable step [is] taken to ensure" errors are "erased or rectified"; and (5) that data are "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which [the data] were collected or for which they are further processed."19

To process data under the directive, the data subject must "unambiguously [have given] his consent," or processing the data must be "necessary for the performance of a contract to which the data subject is a party"; or processing the data must be necessary to comply with the controller’s legal obligations, the data subject’s "vital interest," a task in the public interest, or "legitimate interests" of the controller not "overridden by the . . . fundamental rights and freedoms of the data subject . . . ."20

The directive sets out special considerations for data regarding criminal convictions, and it imposes especially-strict conditions on processing certain sensitive data—data which "reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, [or] health or sex life."21 Sensitive data under this definition quite often appear in personnel records, and therefore U.S.-based companies may have on file heavily-regulated data about European employees. Accordingly, U.S.-based multinationals need to review what data they process regarding employees in Europe, purge sensitive data not strictly necessary, and ensure the processing of retained sensitive data complies with the law.

The directive also contains special provisions on data collected from third parties.22 And under the directive, a data controller must "implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access."23

The directive even envisions the trend toward contracting out (outsourcing) the management of employee data, as it distinguishes "controllers" from "processors" who process data for controllers.24 A "contract or legal act . . . in writing or other equivalent form" must bind a processor to a controller, ensuring the processor complies with the law.25

Especially relevant to dispute resolution, the data privacy directive requires giving data subjects access to data about themselves "at reasonable intervals and without excessive delay or expense,"26 and the directive requires allowing data subjects to challenge or correct wrong information.27 This requirement can of course lead to disputes over what information is wrong, and two articles of the directive cover the data subject’s right to object to data.28 Going further, the directive requires each member state to empower a "Supervisory Authority"—a bureaucracy—to oversee and enforce that state’s version of the law, and to ensure compliance.29 A victim of a violation of a member state’s data privacy laws has to have a right to sue for damages and to bring an administrative proceeding before the Supervisory Authority.30

Even with all these requirements, some U.S. employers might nevertheless assume the directive will not mandate sweeping changes in how they process personnel data. After all, human resources professionals in many U.S. companies believe their data systems are secure from hackers and fairly protect individuals. Some U.S. employers already encrypt personnel data sent across the Atlantic. Therefore (goes the thinking), the directive must not require anything new to a big U.S. employer which already has sophisticated data security systems that respect individual rights.

Unfortunately, this thinking is wrong. Before assuming the directive will not mandate changes, even U.S. companies which respect employee privacy and which enforce good computer security need to ask themselves eight questions:

  • Do we religiously delete all employee information as soon as it becomes obsolete or is no longer needed?
  • Do we ensure we collect no employee data that are not strictly necessary?
  • Do we refrain from all automated decision-making (such as processing job applications, transfer requests, and credit applications by computer)?
  • Do we tell employees what information about them we collect, and do we get their consent to process it? (The directive requires this under many but not all circumstances.)
  • Do we segregate sensitive personal data, such as data disclosing race and age, and treat it subject to special rules?
  • Do we have written contracts (or equivalent protections) in place with our EU subsidiaries which legally bind headquarters to adhere to the EU directive’s terms?
  • Do we welcome challenges (disputes) by giving our employees a right of access to information about themselves and a viable way to change it if it is wrong?
  • And do we address dispute resolution by giving employees a private right of action to sue us (or an equivalent remedy) for breaches of privacy and errors in processing personnel information?

Any U.S.-based employer with EU operations which cannot answer "yes" to all eight questions likely will have to make changes to its human resources data practices.

What Does the Data Privacy Directive Mean to Multinational Employers Based in the U.S.?

Before making any changes to its employee data systems, an employer based in the U.S. will ask why it even has to worry about a European law, if it is processing data over here, in America. The answer relates to the strong EU interest in preventing U.S.- (and other non-EU-) based multinationals from transmitting personal information outside the EU. Once personal data about Europeans escapes EU soil, Europe cannot police compliance.

Perhaps taking a cue from the U.S. tendency to extend American laws to foreign business (two examples include the Helms-Burton law penalizing non-U.S. companies doing business in Cuba31 and the Civil Rights Act of 1991 extending U.S. discrimination laws to U.S. citizens working abroad32), the EU has found a way to extend its directive to data processing outside of Europe, on Europeans. The directive’s articles 25 and 26—on transfers of personal data outside Europe—impose special conditions on data transfers outside Europe33 and reach any data processing on Europeans accessible from a corporate headquarters stateside (or elsewhere outside Europe).34

These "extraterritorial" articles 25 and 26 become an issue only when a data controller sends data from Europe to a third country which does not "ensur[e] an adequate level of protection," as "assessed in light of all the circumstances."35 Note the directive requires "adequa[cy]," not "equivalence"—but an adequacy acknowledged by the Europeans. Some non-EU countries—such as Canada, Switzerland, New Zealand, and Hong Kong—have recently passed data privacy laws similar to the EU’s (indeed, actively patterned on the EU’s), so data transfers from Europe to these nations are little problem, because these countries now "ensur[e] an adequate level of protection," in the eyes of Europe.36

Originally, apparently, the EU Commission optimistically assumed the existence of its articles 25 and 26 would spur the U.S. to adopt a comprehensive U.S. data privacy law, so that U.S. companies could freely transfer personal data from Europe. Unlike the other countries which quickly copied the EU law for this reason, though, the U.S. shrugged off the EU’s nudge.37

By 1998, the EU Commission acknowledged the U.S. was unlikely to adopt an "adequate" data privacy law. The Commission, only then, began exploring whether extra-legal protections adopted by U.S. companies might "adequate[ly]" protect personal data transmitted from Europe to the U.S.38 This set into motion a threshold political dispute resolution process: How the U.S. and EU might work out a way for U.S. multinationals to continue receiving personal data about Europeans without America ever passing a law guaranteeing "adequate" protections.

Complicating the resolution of this political dispute between the U.S. and Europe is the fact that on data privacy issues, Europe does not speak with one voice. Due to intra-EU turf battles between Brussels and the member states, the Commission does not even see itself as empowered to negotiate with the U.S. to find a way individual American companies might offer "an adequate level of protection" for European personal data absent a broad-based U.S. data protection law. Yet while not empowered to "negotiate," the Commission did enter into "discussions" to work out a solution.

In these "discussions," the Europeans were frustrated by the fact that their data privacy commissioners had no American counterpart to address them: In the states, the privacy buck stopped nowhere (the U.S. Department of Commerce played a key role, but so did technology czar Ira Magaziner). Indeed, the very lack of a U.S. bureaucratic infrastructure dedicated to privacy highlighted, to the administratively-oriented Europeans, America’s lack of concern for "adequate[ly]" protecting personal data privacy. Acting to dispel this notion, in early 1999 President Clinton appointed a "czar" for data privacy (formally "Chief Counselor on Privacy"), choosing Peter Swire—an academic who, as a law professor at Ohio State University, as co-author of a book on the U.S./EU data privacy debate,39 and as a founder of the influential think-tank Privacy in American Business—was already a prominent name in U.S./EU data privacy.

The U.S./EU "discussions" quickly came to center on a proposed "safe harbor" approach. What if, the Americans wondered, the U.S. does not adopt any data privacy law—but instead, the EU approves a set of corporate-governance principles for data privacy? If such principles respected the content of the data privacy directive and proved acceptable to Europe’s data privacy community, individual multinationals who committed to following safe harbor principles should be able to receive personal data from Europe.40 It would be a company-by-company approach.

By September 1998, EU Ambassador to the U.S. Hugo Paeman was able to announce that the EU states were on the road to accepting the "safe harbor" approach.41 Ambassador Paeman’s remarks indicated that even if the "safe harbor" ended up failing, there was hope for its most viable alternative, the so-called "contract" approach—by which U.S. multinationals receiving European personal data would contract with European entities to bind the U.S. company to the terms of the directive. (Such a contract could, for example, be entered into between a U.S. multinational and its European subsidiaries, or between a provider of outsourced personnel services in the U.S. and its European client.)

But when 1999 dawned, the prospects for a safe harbor agreement looked bleak; press reports on the progress of the U.S./EU "discussions" were pessimistic, and, indeed, the U.S. and EU diplomats continued to postpone their self-imposed deadlines for coming up with a resolution. To fill the void, the think-tank Privacy in American Business42 worked on the fall-back model contract—although its draft model contract, issued in mid-1999, proved unpopular with U.S. multinationals, who saw the model contract's concessions to EU privacy regulation as a bad precedent for the U.S./EU safe harbor discussions.

The tide turned again, and later in 1999 those close to the diplomatic "discussions" became optimistic, predicting the safe harbor approach would succeed after all. In August 1999 representatives of both the U.S. and the EU publicly claimed a safe harbor was just around the corner.43 However, little detail was available as to what that safe harbor would look like, or why the diplomats were so optimistic.

What Do the Directive’s Dispute Resolution Provisions Mean for U.S. Multinationals?

At the beginning, this article noted that while coming up with a workable and legal personnel data-management system is the primary challenge for American companies under the new data law, perhaps the chief concern in designing such a system is dispute resolution. Up to now this article has had to focus on how the directive affects U.S. multinationals' personnel data-management systems. But what about dispute resolution?

Seven provisions in the data privacy directive foreshadow, quite clearly, the types of employment-context disputes that will arise regarding European data privacy, and set out the dispute-resolution procedures that will apply. These provisions are the directive’s articles 10, 12, 14, 22, 23, 24, and 28.44

Article 10, as applied to the employment context, says that employers will have to: tell their employees that they are collecting personnel data; explain why they are collecting data; tell employees who else (besides the employer) is going to get data; say whether employees must answer each data-collection question posed (and set out consequences of a failure to comply); and tell employees of "the existence of the right of access to and the right to rectify the data." Article 10 is directly relevant to dispute resolution because it requires from the outset (the data-collection stage) that employers alert employees to the concerns of data privacy—and, Miranda-like, inform them of their rights.

Article 12, in the employment context, fleshes out employees’ right of access to personnel data and their right to get a correction. "[W]ithout constraint and at reasonable intervals," employees must get "confirmation as to whether" data about them "are being processed," and get "information at least as to the purposes of the processing…." This provision even gives employees the right to demand that employers justify "the logic involved in any automatic processing of data…." Article 12 also allows for employees to demand "the rectification, erasure or blocking of data the processing of which does not comply with this Directive, in particular because of the incomplete or inaccurate nature of the data." Employees can demand their employer communicate the correction to any third parties who received improper data. Article 12, then, amounts to a first-step employment grievance procedure: An aggrieved employee makes a demand on the employer to right a wrong.

Next, article 14 allows for dispute resolution even in advance, sort of like a restraining order. This article, as applied to employment, would allow employees in certain circumstances to object prospectively to the processing of some data which an employer might otherwise do later, in the future course of human resources operations.

Articles 22, 23, and 24 involve remedies. Each member state must grant a cause of action in court to aggrieved data subjects, "without prejudice" to administrative remedies before the member state data bureaucracies (the "Supervisory Authorities" which the directive’s articles 28-30 tell member states to establish). The cause of action must allow a remedy in damages. And member states "shall" provide for sanctions (going beyond damages judgments paid out in lawsuits), "to be imposed in case of infringement of the provisions adopted pursuant to this directive."

Finally, article 28 requires that each state’s Supervisory Authority be "responsible for monitoring" compliance with the data privacy law, and, specifically, have investigative powers, "effective powers of intervention," and "the power to engage in legal proceedings." Also, each privacy bureaucracy has to have its own administrative dispute-resolution procedure, as each Supervisory Authority must "hear claims for checks on the lawfulness of data processing lodged by any person."

Some U.S. multinationals will see the data privacy directive’s web of dispute resolution mechanisms and overlapping remedies as going too far: Employers have to tell employees what data they are collecting, they have to explain why they are collecting it, they have to give employees a right of access to it, and they have to establish a procedure for correcting or deleting errors and unneeded data. Every time an employer decides to use on-hand employee data for a purpose not disclosed to the employee back at the time of collection, the employer must start the process over again—or at least go through a notice-and-consent process. In collecting data, an employer has to tell employees whether they have to respond to data-collection questions—and what the penalty is for refusing. And employers are open to damages and "sanctions" lawsuits for violations—lawsuits brought by employees or administrative agencies. Plus, each Supervisory Authority has to create yet another layer of dispute resolution: Administrative remedies.

This complex web of dispute resolution mechanisms and overlapping remedies is a wake-up call to U.S. employers. Other European employment-context laws, while setting out sweeping requirements, often pose little threat to even flagrant violators. (One example is the EU directive requiring employers to provide all employees with written individual employment contracts or statements setting out in writing specific terms and conditions of employment.45 While this employment-contract directive’s mandate is clear, the remedy for a violation is little more than a requirement that the reluctant employer issue the very document which it should have issued in the first place. As a result, the employment-contract directive commands little concern among U.S.-based multinationals.)

U.S.-based multinationals will find no solace in the fact that they operate from headquarters stateside, away from the jurisdiction of European courts and agencies, because U.S. companies’ European branch operations are vulnerable to data privacy enforcement mechanisms, even for improperly sending employee data to U.S. headquarters.

The key unanswered question relates to Europe's acceptance of a safe harbor or model contract approach. What will happen if a European branch employer properly sends personal data to U.S. headquarters under a safe harbor or model contract arrangement, but then the U.S. headquarters entity breaches its assurances and violates the rights of a European data subject? How can the European make a claim against a U.S. entity, and how is that dispute resolved? This is perhaps the biggest question responsible for the delay in the U.S./EU "discussions" on trans-Atlantic data transmission.

This all causes U.S.-based multinational employers to wonder: How can a U.S.-based multinational administer personnel data without running into disputes under the directive? That question is unanswerable, until the shake-out of the U.S./EU "discussions" on safe harbor, and the exploration of the contract approach.46

While a U.S.-based employer of Europeans cannot yet predict precisely what dispute resolution mechanisms and remedies will apply under the data privacy directive, what a U.S.-based employer can do now is set up a method for processing employee data which avoids disputes, to the extent possible. That is, although dispute resolution and remedies issues are not yet entirely clear under the data directive, the law’s data-processing requirements are largely understandable now—if quite burdensome, from a U.S. employer’s point of view.

Even as diplomatic negotiators hammer out fine points of the data privacy directive’s reach into the U.S., U.S.-based multinationals need to ensure, to the greatest extent possible, that their European operations comply with the directive. U.S. companies’ employment operations in Europe not only must protect data, but must give European employees access to their own information on file—and access to internal and external means for resolving disputes about their personnel information.


ALSB International Business Law Journal