Data Breach Notification and the Multinational Employer: Europe and Beyond
By Donald C. Dowling
White & Case LLP
Imagine a serious data security breach that leaks names and private data of a multinational’s employees who are based across a number of countries—including some states in the European Economic Area. The breach might be due to a hacker, to a lost laptop, to data stolen by a rogue departing employee, or to any other security breakdown. Whatever the situation, the legal question quickly becomes: What are a multinational employer’s obligations to notify affected employees, and government data protection authorities, of the fact that human resources data leaked?
The answer depends on “applicable” law. In the human resources data context, the laws applicable can be the laws of all jurisdictions where affected employees are based, because a multinational employer will often be subject to personal jurisdiction in all countries where it employs staff (a multinational often transacts business and serves as a “data controller” in each locale where it employs staff and where it has employees; in addition, a multinational might also be subject to data laws in jurisdictions where is does not have employees, such as where it has servers). As such, although the employment-context security breach itself―the hacking, the lost laptop, the rogue employee data theft―usually occurs in just a single country, the applicable breach-notification requirements will often be the notice mandates (if any) of all jurisdictions where there are affected employees. Complying with applicable law after a data breach that affects employees across a number of countries, therefore, means ascertaining, and following, the notification rules of each of the home jurisdictions of the breach-victim employees. This task is complicated when any affected employees are based in the European Economic Area, because the breach raises difficult issues of European data protection laws.
Speaking broadly, we can address global data breach notification compliance from three geographical perspectives: The United States, the European Economic Area, and the rest of the world.
United States: U.S. state laws regulate breach-notification obligations to U.S. residents, often including employees, whose data get compromised in a breach. (As of mid-2009, federal bills were pending which could preempt this area with federal legislation.) While data protection/privacy in the U.S. generally tends to be regulated less comprehensively than in jurisdictions like the European Union, Canada, Argentina, Honk Kong, and Japan in this specific context—security breach notification—U.S. states impose some of the world’s toughest obligations. Since 2003, when California passed a groundbreaking and influential data security breach notification law, 44 U.S. states have imposed laws requiring breach notice in certain contexts. These laws generally require database owners to notify affected “customers” or other data subjects, including employees, of a breach. Some of these laws also require notice to state attorneys general or credit bureaus. Many of these laws provide a private right of action.
• When a U.S.-based multinational suffers a data security breach that happens within the U.S., most of the affected employees may prove to be U.S. residents. In these cases, U.S. state data-breach obligations may drive the multinational’s global breach-notification strategy: U.S. employees will likely need to be notified of the breach, consistent with U.S. state laws. Human nature being what it is, these employees can be expected to discuss the data breach with co-workers abroad. Notifying all affected employees that a breach of their data occurred is often recommended, even where notice is not legally compelled. Often, a sound human resources strategy will be for the multinational employer to notify all employee breach victims, worldwide—although a key issue can be timing. Breach notices may need to be expedited in some jurisdictions, and delayed in others.
European Economic Area: When some employee victims of a data security breach are based outside the U.S., relevant employer breach-notification obligations become the domestic mandates of jurisdictions beyond the U.S. In many cases the outside-U.S. analysis begins with the European Economic Area, with its especially–stringent data protection laws. But European data law principles are surprisingly sketchy as to specific breach notification mandates. Perhaps ironically, the European Economic Area—which otherwise imposes what are widely recognized as the world’s toughest set of general data-protection laws—has, so far, imposed few specific breach notification requirements (at least outside the telecommunications sector).
• This is probably because the European Economic Area’s tough general data-notification rules (as opposed to its data security rules) are built around notifying “data subjects” and government data agencies up front about data processing systems. In a sense, Europe’s general data notice rules are preventive, in that they try to “close the barn door before the horse gets out.” They focus less on post-crisis breach response―mandating special notices “after the horse gets out.”
This said, expect European employee data subjects and European member state data protection authorities (DPAs) to argue that Europe’s broad general rules requiring “data controllers” to notify data subjects and DPAs about data processing systems somehow encompass a mandate to notify of a specific breach incident. One argument here may be that unless the data controller had previously disclosed (to data subjects and DPAs) that “breaches” are one form of permitted data processing, then the controller must notify data subjects and DPAs after an unanticipated breach occurs. Further, a small but growing number of European states now impose state-specific breach-notification obligations. Norway, for example, expressly requires notifying the Norwegian DPA even if just one Norwegian is affected by a breach. And an incoming German law is expected to mandate breach notification to local German DPAs.
• A publicized data breach risks drawing close scrutiny from European data subjects and DPAs. Indeed, a multinational’s breach-notification strategy in Europe needs to factor in the high stakes. European states can impose onerous penalties for widespread data-law violations, especially where a data-controller is shown not to have followed compliant data processing practices.
In short, breach notification requirements in Europe split into two prongs: First, must the data controller notify affected data subjects? (This prong itself then splits into two halves: notice requirements to “direct data subjects” like employees, versus notice to “indirect data subjects” like employees’ email correspondents.) Second, must the data controller notify the relevant DPAs? Where a multinational employer that suffers a breach of employee data decides, for human resources reasons, to notify all affected staff worldwide about the breach, the issue of whether laws in Europe compel notice to European employees can for the most part drop out, as a practical matter (because the employer complies anyway). This leaves the issue of whether the multinational must notify European DPAs. While a few European states (like Norway and, soon, Germany) do impose clear government-notice mandates, in many cases whether DPA notice is mandatory is a murkier issue. Often the local advice will be that DPA notification is “recommended.”
Beyond the U.S. and Europe: Going beyond Europe and the U.S., the breach notification issue follows a broadly-similar analysis. First ask: What is the applicable law? Then ask: Does each applicable country’s law impose any breach notification obligations? Often it will not. For example, according to the Australian Office of the Privacy Commissioner’s Guide to Handling Personal Information Security Breaches (August 2008, at p.12), Australia’s “Privacy Act does not expressly require…an organisation to notify individuals if personal information is subject to a breach….” Where laws do compel notification, ask: What are the precise obligations to notify both affected data subjects and government agencies?
When a multinational employer makes the business decision to notify all affected employees worldwide, the focus becomes notification obligations to government authorities. Relatively few jurisdictions outside the U.S. and Europe impose direct mandates to notify government agencies about breaches of human resources data, but some may. A chart summarizing breach notification laws around the world appears in a 2009 article by Alana Maurushat, “Data Breach Notification Law across the World from California to Australia” (Univ. of New South Wales Faculty of Law Research Series paper #11). Where laws do not compel notice, ask: What notice is recommended as a matter of good practice? Are there any obligations to third parties affected by the breach, such as employee representatives?
Other legal issues: We have been focusing on data protection and privacy laws, but other legal issues can come into play when there is a data breach. In many jurisdictions, what breach notification mandates apply will depend on the specific facts. For example, where a breach leaks regulated information about publicly-traded securities, securities laws can kick in―such as the stringent notice requirements under Australia’s Corporations Act, mandating notice to the Australian Securities and Investments Commission. In the U.K., a single lost laptop led to a huge fine from the Financial Services Authority, because that laptop contained regulated financial data. In some cases, third party contracts can impose penalties.
Conclusion: Data travel internationally in an instant, and so a single data breach, in an instant, can implicate data subjects across national borders. Where a multinational employer suffers a human resources data breach, breach-response strategy needs to account for the local laws of all jurisdictions of affected employees. Broadly, the geographical analysis breaks down into U.S. versus Europe versus the rest of the world. As to mandatory reporting obligations, the legal analysis breaks down into mandatory notice to affected employees versus notice to data protection authorities. Further, sector-specific mandates and contractual obligations might come into play, depending on the nature of the data breached.