Companies today increasingly employ workers across multiple jurisdictions. For the sake of consistency and efficiency, a multinational prefers to apply a single uniform set of human resource (“HR”) standards to its entire global employee base. Uniformity becomes difficult, however, when different countries impose different HR laws, and the resulting dilemmas are especially troubling in the realm of employee privacy.
This article outlines the approaches to employee privacy pursued in the United States and European Union. Following that is a snapshot of employee privacy in India, which has not yet committed to the U.S. or EU approach. The discussion will examine which policy direction would be most beneficial for India. It will be shown that on balance, India’s best interests will be served by following the U.S. model, which fully protects employee privacy while preserving the regulatory flexibility India needs to attract and retain foreign direct investment.
Divergent Approaches to Privacy: European Union and United States
The European Union’s policy stance is clear: privacy is a fundamental right and government involvement is a must. The Data Protection Directive of 1995 (Directive 95/46/EC) binds all 27 EU member states, each of which has transposed it into national law and established its own enforcement arm, a Data Protection Authority. This heavily regulated approach, which generally requires companies that process personal data to notify the national authority of their processing activities, creates serious concerns for U.S. multinationals, which operate under a much different, and perhaps more practical, approach.
Nuances between EU countries exist, but generally speaking, in Europe employers cannot read workers’ private e-mails, and personal information cannot be shared between companies or transferred across borders without express permission from the individual concerned, known in EU privacy parlance as the “data subject.” These regulations hamstring companies doing business in Europe with unending red tape that may or may not have any actual impact on the data subject. In fact, a study from the Ponemon Institute showed that despite the absence of stringent privacy laws in the United States, “U.S.-based multinational firms scored higher than their European counterparts on five of eight common privacy practices, including having a dedicated privacy officer and better data security.”
Data privacy in the United States is regulated in a sector-specific manner. The Federal Trade Commission (FTC) is the lead regulatory agency tasked with protecting consumer privacy through its authority under Section 5 of the FTC Act to prohibit unfair or deceptive acts or practices. Laws are on the books that do require prior consent before certain personal information may be obtained. For example, under the Fair Credit Reporting Act a U.S. employer must obtain a job applicant’s prior written authorization before accessing the applicant’s credit report during the background investigation stage of the hiring process.
The current legal framework surrounding employment privacy law, including the National Labor Relations Act (“NLRA”), helps to refine HR privacy policies and provides ample safeguards against corporate abuse of private, or personal, information. And without a broad-based policy directive from the government, U.S. companies can do a more efficient and effective job of moderating how, when, why and what sensitive personal information is used.
For example, the Acting General Counsel of the National Labor Relations Board (“NLRB”) recently released a second report on social media cases to help guide HR departments when crafting their social media and privacy policies. One point emphasized was that such policies must be “narrowly tailored” so as not to prohibit concerted activity, such as union organizing, that is protected under the NLRA. This means that even where an employee has surrendered his or her privacy rights to certain information, the way in which the company can use that information is still limited.
In the U.S., employee privacy is protected not only by the U.S. Constitution (whose Fourth Amendment protections against unreasonable searches reach public-sector employers) and federal statutes but also by state constitutions and state statutes. States grapple, for example, with the subtleties of when and how an employer may interview job applicants and monitor employee e-mail, Internet use, and physical space.
In the U.S., more than in the EU, employers have legal obligations that compel them to engage in employee monitoring. For example, a U.S. employer may need to investigate the circulation of sexually oriented Internet humor among its employees in order to defend against “hostile work environment” claims. Alternatively, an employer may need to install a surveillance camera in a worksite parking lot to guard against liability for “negligent security” (the failure to provide reasonable security for employees and others in the workplace).
Even when employer monitoring is not legally required it can be a necessary business practice. Banks commonly use surveillance cameras to guard against robberies. Companies in the business of transporting goods may need to track their vehicles with GPS location monitoring systems.
The U.S. government takes privacy seriously, but its approach differs from the European approach in large part because it relies more on self-regulating corporate codes of conduct and published privacy policies. Generally it is only when a company deviates from its own stated commitments, or from an applicable sector-specific statute, that a U.S. agency such as the FTC intervenes with an enforcement action. That way companies have the flexibility they need to adopt privacy policies appropriate for their particular situations.
India’s broader privacy framework
In an attempt to broaden the enforcement scope of the law, India passed the Information Technology (Amendment) Act, 2008, which added a number of new sections to the IT Act, 2000, most notably Section 43A, which provides a civil remedy (compensation) for persons whose personal data is compromised by a security breach.
Under Section 43A, a “body corporate,” a term that covers any company and includes firms, sole proprietorships, and other associations of individuals engaged in “commercial or professional activities,” can be liable for failing to maintain “reasonable security practices and procedures” to protect “sensitive personal data or information.” The Amendment did not define “sensitive personal data.” Nor, absent a contract between the parties or a specific law, did it define reasonable security practices and procedures; these were left for the central government to prescribe. Following the Amendment, Section 43A came under criticism for its broad definition of “body corporate” and its lack of clarity on several other fronts, such as whether an Indian call center was required to obtain a foreign customer’s consent before collecting that individual’s personal data (the answer turned out to be no).
The government attempted to address some of this criticism in April 2011, when it notified the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Data Privacy Rules”), followed by a clarifying press note in August 2011.
First, in order for a body corporate to comply with India’s privacy regime, it must implement security practices and procedures that include a “comprehensive documented information security programme and information security policies.” Such policies must contain managerial, technical, operational, and physical security control measures commensurate with the information assets being protected. The Rules name the international standard IS/ISO/IEC 27001 as one such standard; a body corporate that implements it, or an industry code of best practices approved by the central government, and has its practices certified or audited by a government-approved independent auditor is deemed to be compliant.
Second, the Data Privacy Rules define “sensitive personal data or information” as personal information relating to:
- passwords;
- financial information such as bank account, credit card, debit card, or other payment instrument details;
- physical, physiological, and mental health condition;
- sexual orientation;
- medical records and history;
- biometric information;
- any detail relating to the above as provided to a body corporate for providing a service; and
- any of the above information received by a body corporate for processing, stored, or processed under a lawful contract or otherwise.
And lastly, the Data Privacy Rules require a body corporate to obtain consent in writing (by letter, fax, or e-mail) from the provider of the information before collecting sensitive personal data, and to identify the purpose for which the data is collected.
Although India has made strides in clarifying its data protection and privacy policies, these efforts are far from complete and comprehensive given the challenges jurisdictions face with international information exchange through social media and cloud computing. First and foremost, the August 2011 clarification confirmed that the Data Privacy Rules apply only to bodies corporate located within India. Furthermore, the clarification exempted Indian outsourcing providers from the consent and disclosure requirements when they handle data under contract with a legal entity located outside India.
Additionally, “sensitive personal data or information” is defined narrowly: it does not include information that is freely available in the public domain or furnished under the Right to Information Act, 2005. The consent requirement is also less stringent than it appears at first glance. Under the Rules, a body corporate need only obtain consent from the person or entity that provided the information, not from the individual to whom the information relates.
The result is an Indo-centric policy that does not yet substantially affect the cross-border communications of multinationals. The Data Privacy Rules could be read as the Government of India’s attempt to demur on the issue of privacy protection in the global context. It is no surprise to see India take this stance given the impact such policies have on business, especially multinational companies that exchange information and data on a daily basis from one country to another. If a multinational with operations in a dozen countries were required to comply with a dozen different sets of privacy laws, the liability and administrative burden could be enormous. Such risks may well discourage the company from investing in a given nation.
India requires a high level of foreign investment to maintain adequate GDP growth. Any new layer of regulation that discourages such investment could be damaging to its overall economy. Therefore it would be strategically wise for the Indian government to keep regulatory burdens such as privacy laws as flexible and streamlined as possible.
In the United States, by contrast, the culture is relatively more supportive of free enterprise and distrustful of government. Efforts to restrain government power can be traced as far back as the Federalist Papers. Consequently, expectations of workplace privacy are viewed in a different light in America. An American employer can, for example, be held liable for failing to investigate a claim of sexual harassment by one employee against another. In the context of an employee’s Internet privacy, the expectation is that e-mails, Facebook posts, and tweets sent from company computers are not private, and that work computers and mobile devices are monitored. On the other hand, American employers are legally required to maintain strict confidentiality for employee data such as credit reports and health care information, which could harm workers if inappropriately accessed or misused.
So far India’s treatment of privacy protection has not followed the rigid, pervasive, pro-employee regulatory approach of the E.U. This may reflect a cultural preference for the more flexible, contextual, balanced approach of the U.S. If so, India’s instincts are good. As explained above, a fast-growing emerging economy is better positioned to attract foreign investment if it adopts legal standards that investors can readily meet. One way a nation can maintain such reasonable standards is to preserve flexibility in its privacy laws.
Technologies such as mobile telephones, cloud computing, and social networking have blurred the line between workplace and personal activity. As a result, it is now more difficult to safeguard employee privacy while protecting business interests.
One way to resolve this policy challenge is to adopt laws that definitively favor one side or the other. The EU approach does this by favoring employee rights through a strict and highly regulated privacy regime. However, this approach could rapidly multiply a company’s liability without necessarily producing any practical benefit for employees, and it could discourage companies from investing in countries that tilt the balance so far toward employees.
Given the fluid nature of the above technologies and the novel nature of the related issues of workplace privacy, it will take time and thoughtful discussion to strike the right balance between the privacy interests of labor and the business interests of management. In this complex and subtle legal environment a flexible approach would be more accommodating. Self-regulatory corporate codes of conduct, backed by the threat of government enforcement, have worked well to protect privacy so far. As long as these codes are permitted to evolve with changing business needs and privacy expectations they will likely continue to serve us well in the future.
For this reason the U.S. approach seems preferable for a country such as India. By relying on self-regulation implemented through HR policies, India may find that its employees enjoy just as much privacy protection as their counterparts in the EU. At the same time, India would not need to risk alienating foreign investors. Indeed, American and European companies alike could continue to invest in India without fear of increasing their India-based liability or triggering conflicts with their home country laws.
Michael Green is a Manager at the U.S.-India Business Council (USIBC) responsible for the Life Sciences and Legal Services portfolios.