HR Data Basics Guide: Central Europe Region

Given all the noise about GDPR, is data protection in Europe a new phenomenon?

In short, definitely not.

Early days

Data protection has a long history in Europe, and the region has consistently been at the forefront of developing and protecting individual rights and controlling the use of data. Events over the history of the region, and in particular in the 20th century, have unsurprisingly informed the attitudes of key nations within the EU when it comes to data privacy, and it is important to recognize this when attempting to understand the development of data privacy regulation across the EU.

The experiences of European states during World War II and its aftermath are particularly key to understanding the ongoing concerns and sensitivities in relation to data privacy across Europe, and also the high level of awareness of and interest in these matters amongst the general population in member states. It is this, more than any other factor, which forms the basis of the current attitudes towards data protection, and in particular the processing of personal data, across much of the EU.

With the development of potentially intrusive technologies (such as cameras, recorders, etc.) with the potential to facilitate investigation and collection of vast tracts of personal data, alongside the perceived growth in the collection of personal data by government and big business alike during the 1960s, came continued concern across a Europe still living through the aftermath. The development of computers and increased automation of electronic data processing during the 1960s and 1970s, which increased the capacity and speed of data processing, led to growing citizen concern and calls for regulation of the processing of personal data.

Start of formal regulation

It is perhaps unsurprising then that the world's first basic data protection act was adopted by the German State of Hessen in 1970, swiftly followed by a number of other German states and finally by the Federal Data Protection Act in 1977. 

Whilst Germany arguably led the way in formally legislating on the processing of personal data driven primarily by citizen concern, there was corresponding pressure throughout the 1970s from businesses demanding clear international standards for personal data processing so as to ensure that developing national laws did not become barriers to the cross-border flow of data.

Alongside initial European-level activity (such as the binding 1981 Council of Europe Convention covering data processing matters), other EU countries, particularly those arguably more driven by the importance of cross-border transfers to their economies than citizen concern, began to implement related legislation; the UK's Data Protection Act 1984 focused primarily on facilitating trade rather than the protection of privacy rights at an individual level.

Whilst European states continued to develop their own approaches to the regulation of data processing, the EU came under increasing pressure to ensure free movement of data within its boundaries. Further EU involvement was therefore inevitable. In 1995, the EU adopted a new Data Protection Directive, subsequently followed by supplementary legislation such as the Data Retention Directive (Directive 2006/24/EC).

Road to the GDPR

The 1995 Directive was in many ways a compromise that pleased no one. In theory it imposed harmonization, but implementation requirements were largely left to member states, which did little to stem the development of varying approaches to data protection across the EU. EU member states also developed additional legislation in areas not covered by the 1995 Directive, as countries responded (or did not respond) to the concerns of citizens, political pressure and the development of technologies.

The result of this was a significant ongoing variation in the treatment, regulation and sanction of data processing across EU member states. The Secrecy of Telecommunications Act in Germany, for example, made it a criminal offence for employers to open and review personal emails of employees pre-May 2018, which would have been at the time permitted in other EU member states. 

In the intervening years, perhaps inevitably, the European Court of Justice (the CJEU) had to deal with many data protection-related matters. This involved interpreting and balancing domestic legislation and concerns against the overarching principles set out in EU legislation, such as Article 8 of the Charter of Fundamental Rights of the European Union which states that "everyone has the right to the protection of personal data concerning him or her". This also proved problematic.

Further, the rise of technology in all aspects of our lives and the development of new ways to capture, analyse and interpret personal data, together with the monetization of this, have led both to increased risk and increased awareness. For context, when the EU's Data Protection Directive 1995 was adopted, Mark Zuckerberg was around 11 years old and Google was still 3 years away from incorporation. Given that the legislation pre-dates multiple developments in technology and its role in society, there were concerns that it was outdated and unable to keep pace with these developments.

The idea of data protection and what it should encompass has also developed and broadened over the years. Data protection is no longer considered only as a means to protect individuals against public authorities. A consistent level of data protection is also considered as a prerequisite to supporting growth by allowing a free flow of data within the EU. 

Individuals have also become increasingly aware, perhaps as a result of high-profile misuse of data, as well as the increasing methods of disseminating information, of the ways in which their data may be collected and (mis)used. This has led to calls for more transparency and regulation of the way in which personal data is used, which has direct implications for the employment sphere and its master-servant relationships, as well as for individuals in their role as consumers.

Implementation of the GDPR: what has changed? - see GDPR Basics Guide here

The General Data Protection Regulation 2016 (GDPR) represents the biggest change to data protection in over twenty years, with the aim of building on the 1995 Directive in modernizing and harmonizing data protection regulation across the EU. 

As a regulation (rather than a directive) it has direct effect, meaning that no implementing legislation is required. In theory, this should ensure a (more or less) unified data protection regime. In practice, the GDPR acts as framework legislation and leaves significant details and areas for national legislators to deal with. This is particularly the case for the employment sphere. The GDPR also does not preclude national laws that provide for a stricter standard than the GDPR. German legislation is a good example of this in practice.

It is important to note that the GDPR applies irrespective of the seat of a company. The GDPR has an expanded geographic scope, applying to non-EU data controllers and processors to the extent they offer goods or services to data subjects in the EU or monitor the behaviour of (or otherwise process personal data relating to) such EU-based data subjects or EU nationals.

As a general comment, the GDPR builds on both the forerunner legislation and the case law developed in the interim. Whilst it retains many of the key concepts, rights and obligations of the 1995 Directive, it also introduces new ones. Key changes include the increased protection of individual rights, tighter requirements for consent, greater transparency and accountability obligations and the obligation to ensure privacy by design and default. The headline-grabbing aspect of the GDPR is arguably the sanctions it imposes, including fines of up to EUR 20 million or 4% of global annual turnover (whichever is higher), as well as prohibitions on processing activities and suspension of data transfers, all of which could have serious consequences for an employer business.

Ahead of 25 May 2018, as a minimum employers should have audited their processing of employee data, reviewed and amended internal processes as appropriate, implemented new policies and documentation as needed, and trained employees dealing with personal data. In practice, the response from employers has been mixed, with many struggling to understand how to interpret the new regulation and how to translate its requirements into practical actions. The level of compliance is often influenced by a number of factors, including the size, structure and location of the employer, the amount of guidance available and the attitude of national supervisory authorities and courts, as well as the legislative position pre-GDPR; those operating in Germany, for example, may have noticed less change and development pre- and post-GDPR than those operating solely in other EU member states.

One stop shop?

As indicated above, whilst one of the intentions was to create greater harmony across EU member states regarding the treatment of personal data, in practice there is still a significant degree of variation, particularly in the employment sphere. The GDPR allows a significant degree of autonomy for EU member states in the employment sphere, and local practice and customs mean there is clear variation in both the legislation implemented and the interpretation and enforcement action taken by local courts and regulatory bodies. The treatment of criminal record information is an area in which there is clear divergence in the local rules and requirements that will apply.

How does this impact HR and employment?

The short answer would be that this impacts every area of HR and employment matters. It is hard to think of anything related to the employment relationship that does not involve personal data, as all aspects of an employment relationship touch upon personal data.

From the outset, thinking about applications / CVs and the recruitment process, employee management and administration of the ongoing employment relationship through to the treatment of employee data following termination of an employment relationship, it would be difficult to identify a stage in which personal data does not play a key role.

A number of the changes have simply added to the difficulties employers already face. The co-determination requirements for the implementation and use of new technical devices in force in some EU states, for example, have created another battleground for employees and employee representatives, who often point to associated data protection risks as an argument for delaying implementation. Given the particular presence and role of works councils in Germany, Netherlands and France among others, this can have significant implications for employers. In the Netherlands, for example, any contemplated decision to adopt, amend or withdraw a policy aimed at or fit for monitoring the employees' absence, behaviour and performance, is subject to Works Council consent. The requirement for a dedicated data protection officer (a DPO) also adds an additional player in internal communication processes, which can often hinder as much as help matters.

On a practical note, the build-up and publicity surrounding the GDPR coming into force significantly raised awareness of data protection matters and rights. Employees across the EU are now more aware than ever of their rights under the GDPR, and employers have seen an increase in the willingness of individuals to flex their muscles when it comes to such rights, particularly in relation to the right of access - see our article on DSARs here

The UK and other countries have also seen a number of class actions arising from data breaches, and questions as to the responsibility of employers where such breaches arise out of a rogue employee's actions have been raised without as yet a satisfactory answer for many employers.

The rise of technology in employment relationships adds additional considerations and risk. Whilst the much-hyped risk of wearable tech has so far turned out to be something of a damp squib, ongoing areas of sensitivity include employee monitoring and subject access requests. The use of CCTV systems and electronic time recording systems is still subject to employee suspicion and vulnerable to misuse, and the use of GPS systems in company cars remains a particularly sensitive point. The rise of remote working and the use of mobile devices have created another headache for employers to manage, weighing up the need to protect information and ensure productivity whilst not infringing an individual's data privacy rights. Looking forward, the growth in the use of HR analytics and the application of AI to the employment sphere are likely to be areas of future conflict and risk.

For HR teams covering EU or EMEA regions, the position remains complex despite the GDPR. As noted above, there is still a significant degree of variation across EU member states. A number of countries, France and Germany among them, have implemented or retained standards and obligations that are much more restrictive. The treatment and approach to background checks, and in particular criminal record information, for example, varies significantly across the region as does the regulation of equal opportunities and diversity monitoring. The approach of national supervisory authorities differs significantly as well; whilst most have indicated their intention to take a stricter line post-GDPR, there remains significant variation across the areas of priority and particular issues of concern identified, the resources available, the national sensitivities and the political landscape in which the authorities operate.

Concluding comments

The GDPR represents a significant step forward, and a clear move towards harmonisation, in data protection regulation across the EU. Whilst it is fair to say that the GDPR has led to an overall increase of data protection standards, anecdotal evidence suggests that the level of compliance varies across the EU.

Given the nature of employer-employee relations, employers have a particularly tough time in assessing how to comply with the regulation and the level of risk associated with failures to comply. The protection afforded to individuals regarding the processing of their personal data simply adds to the complexities and challenges employers face.

In short, this is very much a moving feast and employers should watch this space.