Technology in Total Rewards

Using Technology Outside the U.S.

While the U.S. is considered an “early adopter” of modern technology, many other countries have developed stringent laws that protect data.

The U.S. has several national privacy and data security laws, including those that apply to financial institutions, telecommunications companies, personal health information, credit report information, children's information, telemarketing and direct marketing. There are also numerous state laws such as requirements for safeguarding data, disposal of data, privacy policies, protection of Social Security numbers and even a data breach notification. California now has some of the more stringent privacy and data security laws, including the California Consumer Privacy Act of 2018 (CCPA) that became effective January 1, 2020. The CCPA applies across industry and introduces broad definitions and individual rights. It includes substantial requirements and restrictions on the collection, use and disclosure of personal information.

The EU Charter of Fundamental Rights states that citizens of the European Union have the right to protection of their personal data. In 1995 the European Union (EU) passed a law called the Data Protection Directive, which regulates the processing of personal data within the EU whether or not it is automated. This law was superseded in 2018 by the General Data Protection Regulation (GDPR) which maintains the protections of the previous law such as allowing employees to learn what data is on file about them and, in some cases, allowing them to opt out of “processing” of their data. The law also enforces the deletion of any data that is obsolete. There are strict regulations on processing sensitive information, such as race or ethnicity. In addition, the law limits the ability of employers to transfer the personal data of employees to third party systems, such as providers of payroll services and benefits administration.

The General Data Protection Regulation added new protections. For example, an employee request for personal data or deletion of data must be honored within one month. And, due to a growing concern over privacy issues arising from the use of social networking websites and the ease with which a third party (employer) may directly view a user’s profile, a principle called the “right to be forgotten” has been introduced with the new law, meaning that any individual may delete their profile on a website without any difficulty. It also implements a requirement for organizations of over 250 employees to employ a data protection officer. Employees will be allowed to access their data and file complaints collectively when they are affected by data security lapses.

In the UK, data protection was addressed in 1998 with the Data Protection Act which keeps personal information about an employee confidential between employer and employee. The act includes a variety of directives concerning the use of personal data:

  • The data cannot be excessive, and may only include relevant information in relation to why it is kept
  • It must be accurate and up-to-date
  • The data may not be kept for any longer than it deemed necessary to complete the process for which it was collected

As an EU member state, the UK was originally covered by the EU GDPR but after Brexit, the UK passed its own version of the regulations referred to as the UK GDPR.

DLA Piper’s website on data protection is an excellent resource for data protection laws around the world.