Sunday, November 1, 2009

Issue 15

Dear Committee Members,

Welcome to the 15th issue of the International Employment Lawyer.

This issue, like the one before, is still affected by the current financial situation in many countries. In addition, several interesting topics of interest to the international employment lawyer are addressed.

We would like to thank all contributors for making this publication a great success.

We hope to see many of you at the Fall 2009 Meeting in Miami (www.abanet.org/intlaw/fall09).

Best regards,
Anders Etgen Reitz
Editor in Chief

USA

Data Breach Notification and the Multinational Employer: Europe and Beyond

By Donald C. Dowling

White & Case LLP

Imagine a serious data security breach that leaks names and private data of a multinational’s employees who are based across a number of countries—including some states in the European Economic Area. The breach might be due to a hacker, to a lost laptop, to data stolen by a rogue departing employee, or to any other security breakdown. Whatever the situation, the legal question quickly becomes: What are a multinational employer’s obligations to notify affected employees, and government data protection authorities, of the fact that human resources data leaked?

The answer depends on “applicable” law. In the human resources data context, the laws applicable can be the laws of all jurisdictions where affected employees are based, because a multinational employer will often be subject to personal jurisdiction in all countries where it employs staff (a multinational often transacts business and serves as a “data controller” in each locale where it employs staff; in addition, a multinational might also be subject to data laws in jurisdictions where it does not have employees, such as where it has servers). As such, although the employment-context security breach itself―the hacking, the lost laptop, the rogue employee data theft―usually occurs in just a single country, the applicable breach-notification requirements will often be the notice mandates (if any) of all jurisdictions where there are affected employees. Complying with applicable law after a data breach that affects employees across a number of countries, therefore, means ascertaining, and following, the notification rules of each of the home jurisdictions of the breach-victim employees. This task is complicated when any affected employees are based in the European Economic Area, because the breach raises difficult issues of European data protection laws.

Speaking broadly, we can address global data breach notification compliance from three geographical perspectives: The United States, the European Economic Area, and the rest of the world.

United States: U.S. state laws regulate breach-notification obligations to U.S. residents, often including employees, whose data get compromised in a breach. (As of mid-2009, federal bills were pending which could preempt this area with federal legislation.) While data protection/privacy in the U.S. generally tends to be regulated less comprehensively than in jurisdictions like the European Union, Canada, Argentina, Hong Kong, and Japan, in this specific context—security breach notification—U.S. states impose some of the world’s toughest obligations. Since 2003, when California passed a groundbreaking and influential data security breach notification law, 44 U.S. states have imposed laws requiring breach notice in certain contexts. These laws generally require database owners to notify affected “customers” or other data subjects, including employees, of a breach. Some of these laws also require notice to state attorneys general or credit bureaus. Many of these laws provide a private right of action.

• When a U.S.-based multinational suffers a data security breach that happens within the U.S., most of the affected employees may prove to be U.S. residents. In these cases, U.S. state data-breach obligations may drive the multinational’s global breach-notification strategy: U.S. employees will likely need to be notified of the breach, consistent with U.S. state laws. Human nature being what it is, these employees can be expected to discuss the data breach with co-workers abroad. Notifying all affected employees that a breach of their data occurred is often recommended, even where notice is not legally compelled. Often, a sound human resources strategy will be for the multinational employer to notify all employee breach victims, worldwide—although a key issue can be timing. Breach notices may need to be expedited in some jurisdictions, and delayed in others.

European Economic Area: When some employee victims of a data security breach are based outside the U.S., relevant employer breach-notification obligations become the domestic mandates of jurisdictions beyond the U.S. In many cases the outside-U.S. analysis begins with the European Economic Area, with its especially stringent data protection laws. But European data law principles are surprisingly sketchy as to specific breach notification mandates. Perhaps ironically, the European Economic Area—which otherwise imposes what are widely recognized as the world’s toughest set of general data-protection laws—has, so far, imposed few specific breach notification requirements (at least outside the telecommunications sector).

• This is probably because the European Economic Area’s tough general data-notification rules (as opposed to its data security rules) are built around notifying “data subjects” and government data agencies up front about data processing systems. In a sense, Europe’s general data notice rules are preventive, in that they try to “close the barn door before the horse gets out.” They focus less on post-crisis breach response―mandating special notices “after the horse gets out.”

This said, expect European employee data subjects and European member state data protection authorities (DPAs) to argue that Europe’s broad general rules requiring “data controllers” to notify data subjects and DPAs about data processing systems somehow encompass a mandate to notify of a specific breach incident. One argument here may be that unless the data controller had previously disclosed (to data subjects and DPAs) that “breaches” are one form of permitted data processing, then the controller must notify data subjects and DPAs after an unanticipated breach occurs. Further, a small but growing number of European states now impose state-specific breach-notification obligations. Norway, for example, expressly requires notifying the Norwegian DPA even if just one Norwegian is affected by a breach. And an incoming German law is expected to mandate breach notification to local German DPAs.

• A publicized data breach risks drawing close scrutiny from European data subjects and DPAs. Indeed, a multinational’s breach-notification strategy in Europe needs to factor in the high stakes. European states can impose onerous penalties for widespread data-law violations, especially where a data-controller is shown not to have followed compliant data processing practices.

In short, breach notification requirements in Europe split into two prongs: First, must the data controller notify affected data subjects? (This prong itself then splits into two halves: notice requirements to “direct data subjects” like employees, versus notice to “indirect data subjects” like employees’ email correspondents.) Second, must the data controller notify the relevant DPAs? Where a multinational employer that suffers a breach of employee data decides, for human resources reasons, to notify all affected staff worldwide about the breach, the issue of whether laws in Europe compel notice to European employees can for the most part drop out, as a practical matter (because the employer complies anyway). This leaves the issue of whether the multinational must notify European DPAs. While a few European states (like Norway and, soon, Germany) do impose clear government-notice mandates, in many cases whether DPA notice is mandatory is a murkier issue. Often the local advice will be that DPA notification is “recommended.”

Beyond the U.S. and Europe: Going beyond Europe and the U.S., the breach notification issue follows a broadly-similar analysis. First ask: What is the applicable law? Then ask: Does each applicable country’s law impose any breach notification obligations? Often it will not. For example, according to the Australian Office of the Privacy Commissioner’s Guide to Handling Personal Information Security Breaches (August 2008, at p.12), Australia’s “Privacy Act does not expressly require…an organisation to notify individuals if personal information is subject to a breach….” Where laws do compel notification, ask: What are the precise obligations to notify both affected data subjects and government agencies?

When a multinational employer makes the business decision to notify all affected employees worldwide, the focus becomes notification obligations to government authorities. Relatively few jurisdictions outside the U.S. and Europe impose direct mandates to notify government agencies about breaches of human resources data, but some may. A chart summarizing breach notification laws around the world appears in a 2009 article by Alana Maurushat, “Data Breach Notification Law across the World from California to Australia” (Univ. of New South Wales Faculty of Law Research Series paper #11). Where laws do not compel notice, ask: What notice is recommended as a matter of good practice? Are there any obligations to third parties affected by the breach, such as employee representatives?

Other legal issues: We have been focusing on data protection and privacy laws, but other legal issues can come into play when there is a data breach. In many jurisdictions, what breach notification mandates apply will depend on the specific facts. For example, where a breach leaks regulated information about publicly-traded securities, securities laws can kick in―such as the stringent notice requirements under Australia’s Corporations Act, mandating notice to the Australian Securities and Investments Commission. In the U.K., a single lost laptop led to a huge fine from the Financial Services Authority, because that laptop contained regulated financial data. In some cases, third party contracts can impose penalties.

Conclusion: Data travel internationally in an instant, and so a single data breach, in an instant, can implicate data subjects across national borders. Where a multinational employer suffers a human resources data breach, breach-response strategy needs to account for the local laws of all jurisdictions of affected employees. Broadly, the geographical analysis breaks down into U.S. versus Europe versus the rest of the world. As to mandatory reporting obligations, the legal analysis breaks down into mandatory notice to affected employees versus notice to data protection authorities. Further, sector-specific mandates and contractual obligations might come into play, depending on the nature of the data breached.

Italy

Transfer of businesses in "Critical difficulties": Italian law does not comply with EU law


By Vittorio Pomarici, Marco Sartori
Bonelli Erede Pappalardo - Studio Legale


The EU Court of Justice, in its Judgment of 11 June 2009, C-561/07, stated that Italy has failed to fulfill its obligations under Council Directive 2001/23/EC, which safeguards employees’ rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses.


The Directive provides for two fundamental principles in the event of a transfer of an undertaking: the transferor’s rights and obligations arising from any employment contract or employment relationship existing on the date of a transfer must, by reason of the transfer, be transferred to the transferee (Sect. 3); and the transfer of an undertaking does not in itself constitute grounds for dismissal of an employee by the transferor or the transferee (Sect. 4).


Member States may provide a derogation to the guarantees laid down in Sect. 3 and Sect. 4, when the transferor is the subject of bankruptcy proceedings or any analogous insolvency proceedings which have been instituted to liquidate the assets of the transferor, and are under the supervision of a competent public authority (Sect. 5).


Accordingly, if a proceeding is designed to liquidate the debtor’s assets in order to satisfy creditors, the transfer effected under this legal framework is not subject to Sect. 3 and Sect. 4. Conversely, when the purpose of the proceeding is primarily to safeguard the assets and, where possible, to continue the business, then Sect. 3 and Sect. 4 are applicable.


Presently, Article 47(5) and (6) of Italian Statute No. 428 of 29 December 1990 allows the transferor and the transferee, where an agreement with the trade unions has been reached in the context of the information and consultation procedure, to be exempted from the application of Sect. 3 and Sect. 4, provided that the concerned undertaking has been declared to be in «critical difficulties» by certain Italian competent authorities.


But the EU Court of Justice has stated that the above exemption is not in compliance with the Directive as the declaration of «critical difficulties» under Italian Law cannot be regarded as pursuing an outcome analogous to that of insolvency proceedings. In fact, according to the Court decision, this procedure is designed to promote the continuation of the business with a view to its subsequent recovery, and does not involve any judicial supervision or any measure whereby the assets of the undertaking are put under administration.


As a consequence, the Republic of Italy must take the necessary measures to carry out the EU Court decision in order to avoid the relevant penalties related to the breach committed.


In the meantime, Italian Courts could decide to directly apply Sect. 3 and Sect. 4 in the relevant case, according to the principle of primauté of EU law, instead of Article 47(5) and (6) of Italian Statute No. 428 of 29 December 1990. Moreover, any individual may file a claim against Italy for any damages suffered because of this EU law violation.

Poland

Act on Reducing Results of the Economic Crisis for Employees and Entrepreneurs

By Krzysztof Nowicki
Magnusson

The risk that the global financial crisis would spread led, in Poland, inter alia, to the introduction of the Act on Reducing Results of the Economic Crisis for Employees and Entrepreneurs. The new law, which came into force on August 22, 2009, provides more flexible working-time regulations, which should ultimately protect the Polish labor market against mass layoffs. The anti-crisis regulations generally concern entrepreneurs facing financial problems; however, there are also changes that benefit every entrepreneur operating in Poland. Below, we focus on the changes concerning all entrepreneurs.

Until the end of 2011, each employer will be allowed to extend the working-time settlement period up to 12 months, and within this 12-month settlement period the employer will be entitled to manage employees’ working time in a more flexible manner, depending on the market situation and current demand for work. As a result, the employer may increase the daily working time in some periods (with a corresponding reduction in other periods). Introduction of the extended working-time system requires preparation of a time schedule. The employees’ work schedule does not, however, need to cover the whole 12 months; it is sufficient to prepare a schedule covering at least 2 months. Additionally, apart from changes concerning the working-time system, the Act offers the possibility to arrange individual working hours at which the employee shall begin and finish his/her work each day. In such cases, the employer is not obliged to pay any additional remuneration for overtime if work ends and later starts again on the same day.

The Act provides, however, for certain restrictions on the above: in particular, the new working time cannot deprive employees of their right to an 11-hour daily rest period and a 35-hour weekly rest period. Moreover, under the extended working-time system the employees’ monthly remuneration cannot be lower than the statutory minimum remuneration. Furthermore, introduction of the extended working-time system and individual working hours requires negotiations with the trade unions operating within the employer’s enterprise and amendment of the collective labor agreements, if any; if there are no trade unions active within the employer’s enterprise, consultations with representatives elected by the employees are required instead.

The other measure concerns fixed-term employment agreements. Previously, the law did not specify any maximum duration for such contracts. Now they can be concluded for a period not exceeding 24 months (including subsequent agreements, if the interval between the termination of one employment contract and entering into the subsequent one was not longer than 3 months). Also, the rule stating that once a third subsequent fixed-term employment contract is signed it is deemed to have become an indefinite-term employment contract no longer applies. Employers may enter into several subsequent fixed-term employment contracts, and this will not automatically lead to the establishment of an employment relationship for an indefinite period. This regulation shall remain in force until the end of 2011.

South Africa

The importance of Immigration Compliance

By Zahida Ebrahim 
Edward Nathan Sonnenbergs

As a result of the growing international focus on security risks, and with most countries enforcing stricter and often more complicated immigration policies in response to the global increase in staff mobility, the issue of legal compliance has become increasingly important.



Although there are some fundamental principles common to most jurisdictions, the law governing immigration can differ substantially from jurisdiction to jurisdiction, making compliance with domestic laws an administrative nightmare for a Human Resources Department without the specialist training required to deal with the complexities of the specific legal system. This results in multinational employers spending copious amounts of money, time and resources on remedying their compliance problems.


To avoid the compliance risks inherent in multi-jurisdictional employment, mitigating compliance risks must be a core focus when planning expatriate employment strategies. Particular emphasis needs to be placed on compliance in areas of tax, exchange control, employment law, payroll regulation and, of course, immigration law, which we focus on here. Ironically though, most information pertaining to immigration compliance can also be applied to other areas of legal compliance.


Aside from the administrative headaches that result from adhering to compliance requirements, the effect of non-compliance can be quite far-reaching with potential consequences of fines, penalties and even criminal sanction for both employer and employee; damage to employer/employee relationships; future migration difficulties; delays in time-sensitive projects as a result of refusal of entry or deportation of expatriate employees; damage to individual and company reputation; and, as a result, loss of productivity and revenue.


The key factors in establishing an effective system of immigration compliance in multi-jurisdictional transfers include identifying areas of compliance risk; implementing specific internal controls to address these risks; and adhering to a codified internal practice which encompasses effective processes, such as:


  • creating a basic reporting procedure applicable to all expatriates as well as their accompanying family members;
  • adopting a consistent approach and establishing uniform processes by determining which issues affect an expatriate in any jurisdiction;
  • ensuring HR Managers are trained to determine, enforce and monitor legislative and regulatory compliance;
  • developing policies setting out guidelines for HR management of different types of assignments in each jurisdiction;
  • ensuring synergy between business units such as HR and Legal Compliance;
  • creating awareness within division/line management of the importance of making HR aware of regular travellers;
  • implementing measures and securing professional support to keep HR and expatriate employees abreast of changes in laws and regulations;
  • implementing document checking and formalizing record-keeping procedures in accordance with regulation;
  • and, lastly, monitoring the expiry dates of permits.


Another key factor is outsourcing specialist functions. Although fees will be incurred, these will often be less substantial than the costs of non-compliance. It is wise to weigh up the cost of effective external management against internal management costs, and even companies who wish to administer the process in-house must at least consider outsourcing complex compliance aspects to professionals who are familiar with the potential pitfalls peculiar to the jurisdiction. When outsourcing specialist functions, ensure accurate and timeous information transfer to the professional support and that all facts are relayed in as much detail as possible, as even seemingly unimportant facts can have dire consequences.


It is important to secure services from professionals who can assist with all areas of legal compliance as a 'one stop' approach is often less time-consuming and less expensive.


The one common factor in the different jurisdictions is the severe sanctions imposed for non-compliance, whether in the form of fines, penalties, blacklisting or criminal sanctions. This all proves that while compliance can be costly, non-compliance can prove to be extremely expensive!

United Kingdom

New Equality Law 

By Sarah Gregory
Baker & McKenzie LLP

The UK Government has recently published the Equality Bill (the Bill), draft legislation with the aim of consolidating, simplifying and harmonizing all existing UK discrimination legislation. The Bill also contains a number of surprises, some of which have not been welcomed by employers.

The Bill still has to be approved by Parliament and will inevitably undergo some amendment over the next few months. However, it is anticipated that the majority of the Bill as currently drafted will make it to the statute book and will eventually be implemented in autumn 2010.

Overview
Under the Bill it will be unlawful to discriminate because of age, disability, gender reassignment, marriage or civil partnership status, pregnancy and maternity, race, religion or belief, sex and sexual orientation (the "protected characteristics"). These reflect the existing law. Despite earlier talk of specific protection because of genetic predisposition, and for parents and carers, these categories are not included.

Key Changes

Public sector equality duty. Certain public bodies will be under a specific duty, when carrying out their functions, to have regard to eliminating unlawful discrimination and advancing equality of opportunity for those with a protected characteristic. This duty will inevitably impact on procurement practice.

Gender pay gap information. A new and unexpected provision will enable the Government to order all employers with more than 250 employees to publish information about gender pay gaps. However, the Government has said that this power will not be exercised before 2013, and only then if there has been insufficient progress in employers providing such information voluntarily. It remains to be seen whether this power is ever invoked, particularly if there is a change in Government.

Pay secrecy clauses. A new provision will, to a limited extent, make pay “gagging” clauses (those preventing employees from discussing their pay) unenforceable. This is designed to end secrecy about pay but will apply only to employees’ discussions about pay with colleagues in connection with potential discrimination. Pay secrecy clauses in themselves are not banned and can still be enforced if the discussion between colleagues was for some other reason. The impact of this provision is therefore much narrower than at first glance.

Positive action. There will be new (voluntary) rights for employers to take "positive action". This will apply to recruitment or promotion, where the employer “reasonably thinks” that people who share a protected characteristic are disadvantaged or that a protected group is disproportionately badly represented. The employer may only rely on this provision if the candidate from the protected group (A) is “as qualified” as the other candidate (B) and the employer does not already have a policy of treating people in the protected group more favourably.

This is a completely new concept. The Bill does not address how employers can assess when two people are “as qualified” as each other. Employers will be concerned that they could face discrimination claims from the unsuccessful candidate if they rely on this provision, at least in the absence of clear guidance.

Multiple Discrimination. The Bill introduces a new concept of "multiple" discrimination, enabling an employee to bring a discrimination claim on two combined grounds. This is difficult under existing legislation because the employee must show that the reason for the discriminatory conduct was the relevant protected characteristic, which may not be the case where there are two such reasons.

Comment
The Bill as currently drafted is a useful codification of existing UK discrimination law and, as such, employers should already be familiar with the vast majority of the obligations it imposes. However, there will be a number of new provisions with which employers will need to become familiar, such as those relating to multiple discrimination, positive action and gender pay gaps. To assist employers, we expect further guidance to be provided on these areas in advance of the Bill being implemented.