The problem of the transfer of employee data outside the EEA must affect
most multinationals with operations in the EU to a greater or lesser extent.
However, no one seems to have any easy answers - apart perhaps from ignoring
the problem!

See: http://www.ihrim.org/about/commit/privacy/updates/apr01.cfm#1 for
information about a fine imposed on Microsoft for improperly transferring
employee data from Spain to the US. An article Addressing Workplace Privacy.
Is employee privacy the current "sleeper" issue for business?  c1999
http://www.pwcglobal.com/gx/eng/svcs/privacy/images/Addressing%20Workplace%2
0Privacy.pdf  notes that the 'absence of a framework for protecting employee
data in the US ' may present some of the most significant compliance risks
for US based multinationals'.

The International Association for Human Resource Information Management
(IHRIM) & American Privacy and Business are active in looking for solutions.
The IHRIM in particular has a data protection / privacy committee
http://www.ihrim.org/about/commit/privacy/index.cfm and P&AB an HR
consortium http://www.pandab.org/. But I am not sure if anything concrete
has resulted from these initiatives. Privacy Exchange has some  information
on its web site about transborder transfers see:
http://www.privacyexchange.org/

I would also be interested to hear how other companies are addressing these
issues in practice. I agree with Alasdair that the implied consent suggested
by Tim is rather weak. Does informed consent require that the individual
clearly understands that their data is going to a country where it may not
be protected? It has been argued that blanket consent (as obtained from
employees when their data is collected) may not be sufficient and specific
consent is required for a transfer.

To rely on the performance of a contract (or entering into a contract)
exemption also has its drawbacks. The contract must be between the data
controller and the data subject. Multinationals have complex structures
consisting of numerous legal entities. The employment contract may not be
with the data controller. If it is, the data may not necessarily be exported
for 'the performance of a contract', for example circulating information or
commenting on possible candidates for vacant positions in associated
companies.

Fiona

Fiona Maccoll,
Records Manager,
Rio Tinto plc.,
6 St James's Square,
London, SW1Y 4LD.
Tel: 020 7753 2123
Fax: 020 7753 2211
E-mail: [log in to unmask]







Fiona Maccoll,
Records Manager,
Rio Tinto plc.,
6 St James's Square,
London, SW1Y 4LD.
Tel: 020 7753 2123
Fax: 020 7753 2211
E-mail: [log in to unmask]


> -----Original Message-----
> From: Alasdair Warwood [SMTP:[log in to unmask]]
> Sent: 18 April 2001 17:50
> To:   [log in to unmask]
> Subject:      Re: 8TH PRINCIPLE/SAFE HARBOUR AGREEMENT
>
> Sorry I see absolutely no reason why either
> 1. it is necessary to transfer data to the USA to fulfil an employment
> contract - nice for the employer maybe but necessary -I don't think so.
> the
> sort of necessity the Act has in mind is e.g names for a holiday, credit
> card details for a hotel booking etc.
> 2. why an employee should have to assume his or her data was to be
> transferred and should thus be deemed to have given consent.
> If you are relying on either of these conditions I strongly suggest you
> think again.
>
> Alasdair Warwood
>
> ----- Original Message -----
> From: Wright, Tim M <[log in to unmask]>
> To: <[log in to unmask]>
> Sent: Wednesday, April 18, 2001 1:45 PM
> Subject: Re: 8TH PRINCIPLE/SAFE HARBOUR AGREEMENT
>
>
> > Our company is in a similar position to yours. The generally held view
> in
> > the US (not necessarily our company!) is that Safe Harbor (sic) is too
> > expensive and cumbersome to implement. However if the US company *does*
> sign
> > up to the principles, it's my understanding that you can treat them as
> if
> > they were in the EEA for data protection issues. There are very few
> > companies who have signed up, however.
> >
> > If the transfer of employee information to the US is necessary, then the
> 8th
> > principle doesn't apply anyway: you're covered by the standard
> exceptions
> in
> > Schedule 4 - 2(a) transfer necessary for the performance of a contract
> [of
> > employment] between the data subject and the data controller. Probably
> also
> > 1, data subject given consent. In any case it would be good to cover
> > yourself by getting consent, but I don't believe it's strictly
> necessary.
> I
> > would deem it reasonable for any UK employee of a company with a US
> parent
> > to expect their data to be transferred to the US, so you could at a
> pinch
> > take implied consent.
> >
> > Any other thoughts? Hope you're all enjoying the snow...
> >
> > Tim
> >
> > --
> > Tim M. Wright
> > Director - Technology Audit
> > Charles Schwab Europe
> > Tel:    +44 190 852 7793
> > Mobile: +44 7932 669 074
> > Fax:    +44 190 852 7593
> >
> >
> >                 -----Original Message-----
> >                 From:   Fiona Wilson
> [mailto:[log in to unmask]]
> >                 Sent:   18 April 2001 12:01
> >                 To:     [log in to unmask]
> >                 Subject:        8TH PRINCIPLE/SAFE HARBOUR AGREEMENT
> >
> >                 Apologies if this has recently been discussed - we are a
> UK
> > subsiduary of an
> >                 American company with approximately 550 employees in the
> UK.
> > We do transfer
> >                 the personal data of our employees to the States.  We
> are
> > hoping to adopt
> >                 the Safe Harbour Principles and in the States the Chief
> > Privacy Officer is
> >                 speaking to companies who have already self-certified.
> I
> > was wondering if
> >                 there is anyone from UK/Europe who is able to share
> their
> > experiences of
> >                 compliance with the Safe Harbour agreement with us.
> >                 regards
> >                 Fiona Wilson
> >                 Data Protection Services Manager
> >                 McKessonHBOC
> >                 Tel no: 020 7819 5000
> >                 Fax no: 020 7819 5100
> >                 e-mail: [log in to unmask]
> > <mailto:[log in to unmask]>
> >
> >
> >
> >
> >
> --------------------------------------------------------------------------
> --
> >                 The information contained in this e-mail is confidential
> and
> > is intended
> >                 only for the named recipient(s). If you are not the
> intended
> > recipient you
> >                 must not copy, distribute, or take any action or
> reliance
> on
> > it.
> >                 If you have received this e-mail in error, please notify
> the
> > sender.
> >                 Any unauthorised disclosure of the information contained
> in
> > this e-mail
> >                 is strictly prohibited.
> >
> >
> --------------------------------------------------------------------------
> --
> >
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >                     If you wish to leave this list please send the
> command
> >                        leave data-protection to [log in to unmask]
> >                             All user commands can be found at : -
> >
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> >                 all commands go to [log in to unmask] not the list
> > please!
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >
> >
> > _______________________________________
> >
> > WARNING: All e-mail sent to or from this address will be received by
> > the Charles Schwab Corporate E-mail system and is subject to archival
> and
> > review by someone other than the addressee.
> >
> > Charles Schwab Europe.
> > Cannon House, 24 Priory Queensway, Birmingham B4 6BS, United Kingdom.
> >
> > Charles Schwab Europe is a member firm of the London Stock Exchange and
> LIFFE and
> > regulated by The Securities and Futures Authority
> >
> > Registered Office: As Above. Registered in England No. 2092410 VAT
> Registration No. GB 486 894471
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >     If you wish to leave this list please send the command
> >        leave data-protection to [log in to unmask]
> >             All user commands can be found at : -
> >     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> > all commands go to [log in to unmask] not the list please!
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     If you wish to leave this list please send the command
>        leave data-protection to [log in to unmask]
>             All user commands can be found at : -
>     www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> all commands go to [log in to unmask] not the list please!
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
            All user commands can be found at : -
    www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
all commands go to [log in to unmask] not the list please!
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^