CWS 3.0: November 2, 2011 - Vol. 3.31


Compliance: Bridging US & EU Privacy Laws

As the contingent workforce management industry continues to evolve, U.S.-based vendor management systems (VMS) and managed service providers (MSP) are increasingly seeing the need to gather and store data from individuals and organizations based overseas. Much of this data is stored on servers in the U.S., so companies using these services need to ensure that their vendors adhere to the applicable laws when storing their European Union-based contingents’ data.

The European Commission’s Directive on Data Protection prohibits the transfer of personal data to non-European Union countries that do not meet the EU’s “adequacy” standard for privacy protection. While the U.S. and the EU share the goal of enhancing privacy protection for their citizens, historically the U.S. has taken a different approach to privacy.

Safe Harbor. To assist U.S. companies that do not have a tangible presence in the EU in bridging these different privacy approaches, the U.S. Department of Commerce consulted with the European Commission to develop a "Safe Harbor" framework intended to help companies evaluate their compliance. Further, companies can sign up for the U.S.-EU Safe Harbor program, which certifies their compliance.

The EU-U.S. Safe Harbor program provides a number of important benefits, and compliance with it is often a contractual requirement between EU clients and their U.S. suppliers.

Benefits for participating U.S. organizations include:

  • All member states of the EU will be bound by the European Commission’s finding of adequacy
  • Participating organizations will be deemed adequate, which will facilitate the free flow of data from the EU to the U.S.
  • Member state requirements for prior approval of data transfers either will be waived or approval will be automatically granted
  • All claims (subject to limited exceptions) brought by EU citizens against U.S. organizations will be heard in the U.S.

The Safe Harbor Framework offers U.S.-based VMS and MSP suppliers a cost-effective and operationally practical way of complying with the adequacy requirements of EU law.

The Department of Commerce maintains a Safe Harbor List to enable companies with workers in the EU to check whether their U.S.-based VMS or MSP is a participant. The list contains the names of all U.S. organizations that have self-certified to the appropriate Safe Harbor Framework.

Businesses that wish to participate in the Safe Harbor program must comply with the Safe Harbor Framework's requirements and publicly declare they do so. To be assured of Safe Harbor benefits, an organization must self-certify annually to the Department of Commerce in writing that it agrees to adhere to the Safe Harbor Framework's requirements. It must also state in its published privacy policy statement that it adheres to the Safe Harbor Privacy Principles.

Under the EU's Data Protection Directive, personal data must be "processed fairly and lawfully" and be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes". Ensuring that your U.S.-based VMS and MSP suppliers fully understand their responsibility in this regard is an essential component of any international CW program’s compliance initiatives.

Martin Glick is senior associate of global compliance with Brightfield Strategies LLC, which helps Fortune 500 companies with contingent workforce strategy initiatives such as program design, VMS/MSP sourcing and selection, and global program compliance. He can be reached at mglick@brightfieldstrategies.com.