In a study undertaken on behalf of the European Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee, academics Paul De Hert and Hans Lammerant recommended that a new EU Directive be drafted to set specific rules on data protection in an employment context. (77-page / 1.99MB PDF)
In January 2012 the European Commission outlined proposals for sweeping reforms to the EU's existing data protection framework. It wants to replace the 1995 Data Protection Directive with a new General Data Protection Regulation (GDPR) and a separate Directive specifically governing personal data processing by "competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data".
The Regulation would, if enacted, apply a single data protection law across all 27 EU countries and also impact upon organisations based outside of the trading bloc whether those companies process the personal data of individuals located inside the EU.
EU member states would, though, be able to "adopt specific laws for processing personal data in the employment context" providing the rules are within the bounds of the Regulation.
Under Article 82 of the draft Regulation member states could "adopt by law specific rules regulating the processing of employees' personal data in the employment context, in particular for the purposes of the recruitment, the performance of the contract of employment, including discharge of obligations laid down by law or by collective agreements, management, planning and organisation of work, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship."
The Employment and Social Affairs committee at the European Parliament proposed amendments to the Commission's Article 82 plans. It proposed a number of "minimum standards" for the processing of personal data in an employment context (19-page / 221KB PDF) which member states would have to abide by when setting any specific data protection rules in the employment context.
However, the LIBE-commissioned study questioned whether the Employment and Social Affairs committee proposals would work.
"The proposed minimum standards contain rules on processing with and without the knowledge of the employee, video-surveillance, medical examinations, surveillance of telecommunications, prohibition of blacklists, rights of worker representatives, transfers of information," the study said. "In other words, an attempt is made to turn this article into an extensive framework for data processing in employment context. On the other hand, the whole gives an incoherent and ad hoc impression. It is difficult to squeeze a coherent data protection framework into one paragraph with minimum standards. These amendments also raise the question of whether it is better to provide complementary rules for employment relations by an extra directive."
De Hert and Lammerant said that it was "important" that there is "legal harmonisation" across the EU for data protection in an employment context. It recommended that a new directive, combined with "soft law" guidance from data protection authorities, be developed to achieve that objective.
"An effective approach needs to present a mix of hard and soft law," the study said. "Hard law can create legal certainty, while soft law allows for learning processes and trust-building."
"Article 82 GDPR, including the proposed amendments, reflects the different tensions present in the debate on data protection in employment matters. The underlying tensions can only be resolved properly through a trust-building process, a political process that takes all interests into account. Such a process must involve the social partners more directly," it said.
"The proposed amendments to Article 82 GDPR, which include minimum standards for data protection in employment relations, reflect a wish to develop at least a minimal framework for data protection in employment relations. Although they lack coherence, they can be used as leverage to task the European Commission and the social partners to develop a more coherent framework. A review of Article 82 GDPR is recommended. The Commission should be asked to substitute the minimum standards included in Article 82 with a coherent Directive on data protection in employment relations," the academics recommended.
"An effective application of data protection on new technologies needs to be developed. This justifies consultation on a regular basis between the social partners and the DPAs at national and European level. Such a consultation should create awareness of the impact of new technologies and create the necessary trust to develop common solutions," they added.