Data Privacy Law in the UK, Part II: Data Security and Restrictions on Data Transfers for U.S. Employers

by Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

The European Court of Justice’s decision in the Google case that it was required to remove links to “outdated” or “irrelevant” information about an individual has brought EU data privacy laws to the forefront of public consciousness. In part one of this three-part series, we looked at the core principles of data privacy law in the United Kingdom (UK) that employers need to know, including the meaning of personal data and the first five data protection principles, such as the need for data to be accurate, relevant, not excessive, and obtained only for specified lawful purposes. Today, in part two, we cover the remaining three data protection principles—in particular, the need for employers to take appropriate security measures, and the restrictions on the transfer of data outside the European Union (EU).

Data Protection Principles 6 through 8 are set forth below:

6. Process data in accordance with data subjects’ rights. The most important element of this principle is the right of subject access. Individuals have a right to see all of the data held about them within 40 days of a valid request, subject to a few exemptions. Complying with this right can sometimes be a time-consuming and expensive task.

Employers may rely on several key exemptions from the duty to disclose information in response to a valid request from a data subject. One exemption is for information that relates to a third party. (This exemption allows employers to legitimately refuse to supply details of an employment reference as this disclosure reveals information about the third party’s opinions.) Another is for information about negotiations with the individual. (Employees, therefore, cannot use this right to obtain information about negotiations concerning their own severance payments.) Finally, information for management forecasting and planning is exempt from disclosure (so employers need not reveal information about planned reorganizations involving a reduction in force). Note, however, that this last exemption may cease to apply once the reorganization has been implemented, so it may not remain secret forever!

7. Take appropriate technical and organizational measures against accidental loss or destruction of data. Employers have a duty to ensure that personal data is not accidentally or negligently lost, disclosed, or destroyed. Accordingly, employers must establish appropriate policies and internal processes , which limit access to employee data to those who truly need that access and should ensure that electronic information is properly encrypted and password protected. On an even more basic level, employers should require that employee records be kept in locked filing cabinets and not left lying around on desks or taken home. The largest fines for a breach of this principle have been awarded against municipal authorities that have lost laptops or USB flash drives containing highly confidential information about the public (although private entities have been heavily fined as well). The maximum penalty that can currently be levied against employers for the loss or destruction of data is $825,000. In ensuring compliance with this principle, employers should also consider the reputational damage that could ensue when a company loses or destroys sensitive data. Finally, employers should keep in mind that plans for a new EU-wide data protection regulation promise much higher penalties.

8. Restrictions on transfers of data outside the EU. A real challenge for U.S. employers is that EU employers may not transfer data outside the EU if the recipient country does not ensure “an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” The EU has declared that the United States is one of the countries that does not provide adequate protection. Thus, an employer would be breaching the law by sending any personal data to the U.S. unless one of the data transfer solutions outlined below are put in place. This means, for example, that UK employees cannot be placed on an HR or talent management system unless the rules have been complied with.

Solutions for Transfer of Personal Data Outside the EU

U.S. employers wanting to receive personal data from their European subsidiaries will have to adopt one of the following options:

a. Sign up for the Safe Harbor Program. A company can agree to adhere to the data protection standards established by the U.S. Department of Commerce Safe Harbor Program, a framework which has been recognized by the European Commission as providing adequate protection in connection with the transfer of personal data to signatories of the scheme in the USA. The program is not available to companies in the telecommunications or financial services sectors.

b. Use model contract clauses. A company can agree contractually to take steps to protect personal data. The European Commission has authorized the use of standard contract clauses which, if agreed upon and followed in their entirety between the transferring and receiving entities, will not require each to separately assess the “adequacy” of the arrangements.

c. Agree to Binding Corporate Rules. Binding Corporate Rules (BCRs) are internal rules used by multinational companies to define their global policy on the international transfers of personal data. BCRs are used for multinational organizations that need to make intra-organizational transfers of employee data between numerous entities, including to entities in countries that do not provide an adequate level of protection. Once a company establishes a framework of data security and compliance with EU privacy laws, no further authorization is required for the company to transfer data, although the company must monitor and audit compliance. Companies must seek approval for their BCRs from a lead data protection authority that coordinates the views of other applicable authorities before granting approval.

None of these options are easy and each requires that companies take significant technological and organizational steps to ensure the protection of personal data. However, data privacy regulation is increasing worldwide, including in the United States, so compliance should be regarded as a necessary cost and condition of doing business globally in the future.

In the final part of this three-part series, “Data Privacy Law in the UK, Part III: Employment Background Checks and Monitoring,” we will look at the practical implications for data privacy as it relates to monitoring and background checks.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ogletree, Deakins, Nash, Smoak & Stewart, P.C. | Attorney Advertising

Written by:

Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

Ogletree, Deakins, Nash, Smoak & Stewart, P.C. on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.