US employers are sometimes required for diversity purposes to collect data regarding the race and ethnicity of their employees. However, collection of such “sensitive” data may infringe EU data protection laws under Article 8 of the EU Data Protection Directive. This blog post is designed to provide some basic information about Article 8 and its exceptions. It relates only to the collection of sensitive data from EU-based employees and does not address cross-border data transfer issues.
Article 8 provides that Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and data concerning health or sex life.
Article 8 is subject to exceptions if one of the following conditions is met:
a. the employee or “data subject” has given his explicit consent to the data collection (although some EU Member States do not recognize consent as a valid exception);
b. processing of sensitive data is necessary to satisfy employment law obligations and is authorized by national law, as long as the employer maintains adequate safeguards;
c. the data subject is physically or legally incapable of giving his consent, but processing is necessary to protect his or another’s vital interests;
d. processing is in furtherance of legitimate activities of a foundation, association or any other non-profit organization involved in political, philosophical, religious or trade-union activities, if processing is secure, limited to such an organization’s members or certain individuals connected to the organization, and the data subject consents to the disclosure to any third parties; or
e. the processing relates to publicly known personal data or is necessary for the establishment, exercise or defense of legal claims.
However, the EU Directive offers only a legal framework and it is incumbent upon the EU Member States to implement and adapt the Directive in their local laws. Generally speaking, these exceptions to Article 8 are very narrowly construed by the EU Member States.
For example, the French Data Protection Agency found in its recommendation regarding diversity published on May 16, 2007 that an employee is not in a position to provide genuine consent given the nature of the employer/employee relationship, i.e., the perceived inequality of bargaining power between the two. Therefore, employers should not rely on the data subject’s consent as sufficient to allow for the collection of sensitive data. A company found to be in violation of the law could be subject to criminal sanctions.
The French Data Protection Agency has recently issued guidelines indicating that a company that intends to measure diversity should use an independent specialized company. This would ensure that:
• the processing is carried out in a confidential framework (i.e., a limited number of persons will have access to the information in a secure environment);
• the outcome of the inquiry will be delivered in an anonymized form; and
• the data collected will be erased at the end of the inquiry, or archived in a manner such that confidentiality will be preserved.
The French Data Protection Agency also has indicated, among other things, that data subjects should be duly informed of the end-purpose of the inquiry; the recipients of the data; the compulsory or optional nature of the responses; their right to oppose the inquiry; and their right to access and rectify the data.