A comparative analysis of employee data protection: US vs. EU

March 2024  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2024 Issue


In an era where data privacy continues to be a matter of great concern, with stories emerging with startling frequency of widespread data breaches across the globe, protecting employee data has become a focal point for businesses and policymakers alike.

For the purposes of this article, ‘employee’ data will be broadly categorised to cover the following types of data: name, address, phone number, date of birth, sex, gender, sexual orientation, race, marital and family status, medical information, employment history, results of background checks, performance reviews, disability status and citizenship, as well as any other personally identifying information.

While a thorough study of the approach to employee data protection globally is beyond the scope of this article, a comparative analysis of the regulatory approach taken in the US and the European Union (EU) offers an insight into what an effective employee data protection regime should include to pass muster in each jurisdiction.

Regulatory landscape

Although there have been fitful attempts to craft one, presently the US lacks a comprehensive federal law dedicated solely to data protection. Instead, there is a patchwork of sector-specific federal laws, as well as a small but ever-growing body of more comprehensive state data privacy laws.

The primary federal laws addressing employee data protection are as follows. First, the Health Insurance Portability and Accountability Act (HIPAA) covers personal health information and the manner in which it is shared with an employer. Under HIPAA, an employer is restricted from obtaining personal health information from an employee’s healthcare provider without the employee’s knowledge and consent.

Second, the Americans with Disabilities Act (ADA) allows an employer to inquire about an employee’s covered disabilities, and potentially even require the employee to submit to a medical examination to assess whether or how the employer should accommodate the employee’s disability in the workplace. However, the information obtained by the employer must be handled carefully and kept in confidential files, separate from the rest of the employee’s personnel files, with specific restrictions on sharing the information both internally and externally.

Third, the Fair Credit Reporting Act (FCRA) regulates an employer’s use of credit reports or background checks for recruitment and human resources. In particular, the employer must have the applicant or employee’s permission to obtain these reports or background checks. Once the information is obtained, the employer must ensure it is deleted when it is no longer needed for its original purpose.

Apart from these federal statutes, various states have enacted laws that directly or indirectly touch on employee data. For example, some states limit the handling of an employee’s social security number, while an increasing number of states have introduced measures requiring businesses to destroy documents that contain personal information (not limited to information about employees) when it is no longer needed.

Furthermore, virtually all states have data breach notification provisions that regulate how and when a business that possesses personal information (again, not limited to personal information about employees) must provide notice that a breach has occurred that may have resulted in the release of personal information.

As of the end of 2023, at least 13 states have passed comprehensive data privacy laws. Of these, California, Virginia, Colorado and Connecticut have data privacy statutes that are already in effect. For the purposes of this article, we will only discuss the California Privacy Rights Act of 2020 (CPRA), which amended the California Consumer Privacy Act of 2018 (CCPA).

In the EU, member states implemented a robust and harmonised framework for data protection through the General Data Protection Regulation (GDPR), which took effect in 2018. The GDPR, applicable to all EU member states, provides a comprehensive set of rules governing the processing of personal data of EU residents, including in their capacity as employees (broadly interpreted to also encompass independent contractors).

However, the GDPR is not the sole source of rules within EU member states on employee data protection and rights. Individual member states have the latitude to expand rights and responsibilities beyond those set forth in the GDPR, so an examination of each country’s local laws, though beyond the scope of this article, is essential.

Employee rights

In the US, employee rights vis-à-vis their data are largely a function of whether or not the data comes within the scope of specific federal laws, or within the broader protections under state law on data breach notification or data destruction.

The one exception, for now, is for California employees, pursuant to the CPRA. The CPRA’s jurisdiction extends to for-profit employers doing business in California which meet any one of the following criteria: (i) earn a gross annual revenue of $25m; (ii) buy, sell or share the personal information of 100,000 or more California residents; or (iii) derive 50 percent or more of their annual revenue from selling consumers’ personal information.

If any of these criteria are met, the CPRA requires the covered employer to inform individuals residing in California about the personal information the employer collects, and how it is used. In the CPRA, an ‘employee’ is broadly defined to include not just traditional employees, but also job applicants and independent contractors.

Under the CPRA, ‘personal information’ includes an employee’s name, email address, photo, audio or video recording, social security number, passport number, driver’s licence number, credit card information, race, ethnic origin, religious affiliation and genetic data.

In the EU, as with the CPRA, the GDPR grants employees robust rights over their personal data. ‘Personal data’ is similarly broad, encompassing an employee’s application file, personnel file, payroll information, leave records and medical information.

Exercising rights as a ‘data subject’ under the GDPR is time sensitive. These rights include: (i) the right to access their data, including information about what is being collected, how it is being processed and why it is being processed; (ii) the right to object to the processing of the data, if it is being processed for reasons unrelated to the work relationship; (iii) the right to correct the data; and (iv) the right to have the data deleted from the employer’s records if the employee no longer works for the employer and the employer has no ongoing need for the relevant personal data.

Consent and processing requirements

Pursuant to the CPRA, employers are obliged to provide notice to employees, at the time of or before the collection of personal information. This notice must be specific about the personal information the employer collects.

In addition, the notice must inform the employee of the various rights he or she possesses, including: (i) the right to delete the collected personal information (which may be trumped by the employer’s legal obligations); (ii) the right to know what personal information has been collected and how it is being used and shared; (iii) the right to opt out of the sale of the personal information; (iv) the right to correct inaccurate personal information; (v) the right to limit the use and disclosure of the personal information; (vi) the right to seek damages for breach; and (vii) the right not to be retaliated against by the employer for exercising any rights relating to the personal information.

As with the CPRA, the GDPR sets a high standard for obtaining valid consent. Employers must ensure that consent is freely given, specific, informed and unambiguous. Generally, it will not suffice for an employer to simply assert that consent to the processing of personal data is assumed by the employer-employee relationship. In fact, consent is required even before a working relationship has commenced, as it covers interactions between a prospective employer and a job candidate.

Moreover, the GDPR establishes lawful bases for processing personal data, such as to perform a contract or comply with a legal obligation. In the context of employee data, processing justification could also include supporting employee recruitment, ensuring diversity and equality in the workplace, managing the employer’s operations (including protecting its own or customer property), and promoting workforce health and safety.

Employers are expected to protect EU resident employees’ personal data in accordance with the following key guiding principles. First, maintain lawfulness, fairness and transparency when handling personal data. Second, limit the storage and processing of personal data to the reasonable minimum, both in what is collected and in how long it is kept. Lastly, be accurate when handling personal data, and put systems in place to protect its integrity and confidentiality and to hold the employer accountable for any missteps.

Data breach notifications and other compliance obligations

Within the US, all states have breach notification laws, each with its own set of requirements and timeframes, and these apply to a breach of any personal information, not just that of an employee.

California’s CPRA also imposes an additional compliance obligation on covered employers to respond in a timely manner to a request made by a covered employee to exercise his or her rights. In particular, an employer is obligated to verify the identity of the person making the request, acknowledge the request within 10 days, and respond to the request within 45 days, with scope to extend the response time.

Furthermore, when a third-party vendor handles an employee’s personal information, the employer is obligated to establish robust, written data processing agreements with the vendor to ensure it acknowledges and abides by the CPRA and will advise the employer if any missteps occur.

Under the GDPR, data controllers must notify the relevant supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk to individuals, the GDPR requires employers to notify affected individuals without undue delay.

This stringent notification requirement enhances transparency and ensures that individuals are promptly informed about potential risks to their data. This issue is particularly acute with respect to employee data, which often touches on more sensitive items like race or ethnic origin, religious affiliations, genetic information or sexual orientation.

Beyond a data breach, the GDPR expects employers to make data protection a core principle in all activities. This may include encryption tools to protect employee personal data, appointing a data protection officer to oversee the employer’s practices, conducting regular privacy risk assessments of the employer’s data systems, maintaining detailed records of the employer’s data processing activities, and incorporating data protection standards into contracts with third parties exposed to the employees’ personal data.

Vigilance and accountability are touchstones of the GDPR, particularly given the scope of fines for violations, which escalate when handling higher risk data, such as that typically collected about employees. Penalties could rise to 4 percent of an employer’s worldwide annual revenue or €20m, whichever is higher.

Conclusion

Both the US and the EU protect employee data with distinct regulatory frameworks. While the US relies on a patchwork of sector-specific federal laws and a few state laws, the EU has implemented a comprehensive, harmonised system through the GDPR, buttressed with additional laws enacted by individual member states.

The GDPR’s emphasis on individual rights, consent and stringent requirements for processing sets a high standard for data protection in the EU. As businesses navigate the global landscape, understanding and complying with the intricacies of employee data protection in both jurisdictions is crucial to fostering trust and mitigating legal risks.


Manjit Gill is a senior attorney advisor at the Bryn Law Group. He can be contacted on +1 (305) 374 0501 or by email: manjit@brynlaw.com.
