Cross-border HR data transfers into the United States
Data privacy laws are expanding across the globe, which creates growing obstacles for US organizations with Human Resources (HR) data located in other countries. Employers must process and transfer extensive amounts of HR data relating to job applicants, employees, interns, temporary workers, independent contractors, and retirees to carry out their legal obligations and legitimate business purposes. This data contains personally identifiable information, including names, addresses, social security numbers, phone numbers, dates of birth, payroll information, dependent information, health information, and sensitive information like sexual orientation, race, ethnic status, religious beliefs, and genetic information.
When this data crosses a border to the United States, the transfer could violate the transmitting country's laws if not done correctly. Cross-border data transfers are complicated by the general lack of confidence in the United States' ability to maintain safeguards and protect the data rights of affected individuals. An additional challenge for HR data transfers is that many countries have enacted data localization laws that require organizations to physically store personal data and other information within their national boundaries. For example, using a cloud-based service provider to maintain HR data and operational data for a Chinese subsidiary could be a violation because the data is not physically located in China. Distinct from data protection laws, data localization laws present significant operational challenges and require an independent legal review.
In the European Union (EU), the General Data Protection Regulation (GDPR) addresses data transfers and personal data that can directly or indirectly identify a natural person, including information about job applicants and employees such as IP addresses, resumes, performance reviews, disciplinary records, and payroll and timecard records. There is a special category for sensitive HR information, such as health data, sexual orientation, racial and ethnic origin, religious beliefs, and union membership. Any high-risk processing, including processing of sensitive information and automated decisions that have a legal effect, requires a Data Protection Impact Assessment (DPIA). While consent is not an option for transferring HR data, employers can rely on their legal obligations and legitimate interests for lawful processing. Standard contractual clauses (SCCs) and a data processing agreement (DPA) likely already exist between the parties, but HR data should never be transferred until these signed documents are confirmed. EU Member States may add further restrictions in their own country to ensure the protection of the privacy and freedoms of individuals.
In the United Kingdom (UK), the Data Protection Act (DPA) and the UK GDPR regulate the use of personal data. As is typical with data privacy laws, there are more robust protections for special categories of personal data, such as ethnic background, political opinions, religious beliefs, mental and physical health, sexual orientation, and criminal history, all of which may be included in HR data. Organizations can process this data as long as the processing is necessary for exercising obligations conferred by law on the controller in connection with employment. HR professionals should ensure that all data being transferred is relevant to employment under the UK GDPR data minimization requirement. An organization must also perform a Data Protection Impact Assessment (DPIA) for any high-risk processing, including special categories of personal data and automated decisions that have a legal effect, like promotion and pay decisions. SCCs remain the most common mechanism for transferring HR data in the UK, and the DPA must also be completed before the parties transfer the data, including a prohibition on further transferring data to a third country or international organization without the authorization of the transferring controller.
In China, the Personal Information Protection Law (PIPL) focuses on processing personal information within China's territory. Personal information is defined as data that can identify a person, and sensitive data is any information that may cause material harm to an individual if it is leaked or illegally used, including financial account information, biometric characteristics, medical health, and religious beliefs. For employers with HR data, the PIPL imposes strict requirements on many transfers of personal data, including mandatory security assessments before transferring personal information out of China. Government assessments and approval may also be required depending on the type and volume of data. Data transfers are restricted to those necessary for legitimate business or other needs and require privacy notices. When an organization needs to transfer HR data due to a merger or other reasons, it must inform the individuals of the name and contact information of the recipient of the transferred data. Any change of the original purpose, such as an expansion to an additional insurance provider, or of the means of processing, such as different software, will require individual consent. In addition, sensitive personal information transfers require affirmative notices and separate consent from the affected individuals before processing. If HR professionals cannot obtain consent, then the data must stay in China, and other options will need to be determined, such as sharing information through oral communication. Under the PIPL, employers using AI in their recruiting process must also ensure that the processing of personal information through automated decision-making is transparent, fair, and impartial in its results. Individuals have the right to request clarification and to refuse the automated decision-making process.
China's Data Security Law (DSL) also regulates data processing activities within China that are considered detrimental to its national security, public interests, or citizens' rights and interests. Violations that endanger China's national sovereignty, security, and development interests will be subject to fines, suspension of business operations, revocation of business licenses, and in certain severe cases, criminal liability.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) addresses the use of personal information in the course of commercial activities and certain job applicant and employee personal information. Relevant HR data includes age, name, income, performance evaluations and disciplinary actions, medical records, and other employee files. PIPEDA does not define what constitutes sensitive information but states that certain types of personal data will be considered sensitive and that organizations must exercise heightened care. PIPEDA allows personal data to be transferred domestically and outside the country when specific requirements are met. Canada requires that transferring organizations remain responsible for personal information transferred to third parties, as the information is considered to stay under the control of the transferring organization. Organizations must use contractual clauses or specific data agreements to ensure a comparable level of protection and that information is adequately safeguarded. Otherwise, consent may be required if security cannot be satisfactorily guaranteed.
In Mexico, there are strict employer obligations under the Federal Law on the Protection of Personal Data Held by Private Parties of 2010 (FLPPDPP) and the Regulations of the Federal Law on the Protection of Personal Data Held by Private Parties enacted in 2011. Personal data is defined as all information concerning an identified or identifiable individual. Sensitive data is personal data touching on the most private areas of the data owner's life or whose misuse might lead to discrimination or involve a serious risk for the data owner, including individual religious, political, and moral beliefs. The FLPPDPP addresses the whole employee lifecycle starting with the recruitment process. Organizations must provide a privacy notice to job applicants and obtain consent before processing job applicants' data and performing background checks. The requirements for cross-border transfers depend on whether the organization controlling the data is exchanging personal data with another controller, a data processor, or a third-party recipient. Data transfer agreements should be executed between the parties before any transfer. A privacy notice is required in the case of controller-to-controller data transfers outside of Mexico, informing the employee of the processing of their personal data, including the purpose and type of data. Consent for these transfers can be waived, including (1) when a transfer is made between a parent company, subsidiaries, or affiliates under common control of the data controller and with the same internal processes and policies; or (2) where the transfer is necessary to maintain a legal relationship between the data controller and the data subject. Consent and privacy notices are not required for controller-to-processor transmissions, but controller-to-third-party transfers must include a data transfer agreement where the scope and purposes of the transfer are established. 
Organizations are also advised to develop methods to measure effectiveness in protecting data and appropriate corrective measures in the case of breaches or other violations. High-level security measures must be in place to protect sensitive personal data from unauthorized use, processing, or disclosure. If sensitive personal data is concerned, penalties may be doubled. Data subjects may also seek damages in civil courts.
In India, the Information Technology Act of 2000 (the IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules of 2011 under the IT Act provide specific provisions primarily focused on information security. The IT Rules define "sensitive personal data or information" as personal information relating to (1) passwords; (2) financial information such as bank account, credit card, debit card, or other payment instrument details; (3) physical, physiological, and mental health condition; (4) sexual orientation; (5) medical records and history; and (6) biometric information, but exclude publicly available data. An organization may collect and transfer sensitive personal data if it is essential and required for a lawful purpose connected with the organization's functions. The organization must provide a comprehensive privacy policy. Without the individual's consent, an employer may disclose sensitive data only if it is necessary to comply with a legal obligation, applicable law requires the disclosure, or the disclosure is to a government agency. However, the entity receiving the data must ensure the same level of data protection as provided under Indian law. While Indian laws do not expressly address data transfer agreements, it is always a sound practice to adopt a data protection agreement (DPA) to ensure safeguards protecting personal information. Penalties for data privacy violations can be very costly, both in the time needed to respond to inquiries, audits, and penalty notices from regulators and from a financial perspective.
Regardless of jurisdiction, employers should (1) determine their lawful purpose for processing and transferring all HR-related data; (2) complete a Data Protection Impact Assessment (DPIA) or Data Privacy Assessment (DPA); (3) apply the Fair Information Practice Principles (FIPPs); (4) understand each country's requirements; (5) document the entire process; and (6) consult with a data privacy professional.
2 years ago: Great summary/overview, Amy Cann, JD, SHRM-SCP, CIPP/US! Thanks for sharing...