- Number of slides: 70
Recruitment practices versus privacy and anti-discrimination laws Romain Robert Avocat ULYS romain.robert@ulys.net
Introduction 1. General principles of privacy law 2. Anti-discrimination laws in Europe 3. Application to recruitment procedures 4. Whistleblowing and privacy
1. General principles of privacy law European legal framework: – Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data – Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
1. General principles of privacy law Obligation to notify the processing to the national privacy commission. Where? – in the Member State where the controller is established (this can be one country or more) – if the controller is established outside the EU: in the Member State where it makes use of equipment for the processing (unless the equipment is used only for transit purposes)
1. General principles of privacy law What is « personal data »? « any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity » (e.g. IP address, cookie, rare know-how, name, email, ...)
1. General principles of privacy law PERSONAL DATA MUST BE (cf. Directive): (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; (c) adequate, relevant and not excessive in relation to the purposes for which they are processed; (d) accurate and, where necessary, kept up to date; (e) not kept longer than is necessary for the purposes for which the data were processed.
1. General principles of privacy law CRITERIA FOR MAKING DATA PROCESSING LEGITIMATE (a) the data subject has unambiguously given his consent (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection
1. General principles of privacy law SENSITIVE PERSONAL DATA
• data revealing racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade-union membership
• physical or mental health
• sexual life
• data relating to offences or alleged offences, criminal convictions or security measures
Extra protection (in principle: processing not allowed, with some exceptions). These data are very similar to the ones used as a basis for anti-discrimination laws.
1. General principles of privacy law INFORMATION TO BE GIVEN TO THE DATA SUBJECT (a) identity of the controller (or his representative) (b) the purposes of the processing for which the data are intended (c) any further information such as - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him
1. General principles of privacy law THE DATA SUBJECT'S RIGHT OF ACCESS TO DATA – Right of access – Right to prevent processing where there is justified objection – Right to prevent processing for the purpose of direct marketing – Right in relation to automated decision-taking – Right to take action to block, rectify, destroy or erase inaccurate data
1. General principles of privacy law SECURITY OF PROCESSING • appropriate technical and organizational measures to protect personal data against – accidental or unlawful destruction or unauthorised access – accidental loss, destruction or damage – alteration, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. • level of protection depending on: – the state of the art and the cost of implementing the measures – the risks represented by the processing – the nature of the data to be protected.
1. General principles of privacy law TRANSFER TO THIRD COUNTRIES Prohibited in principle. Main exceptions:
• countries providing an adequate level of protection
• consent of the data subject
• appropriate contractual clauses
• Binding Corporate Rules (BCR)
2. Anti-discrimination laws European legal framework: • « Racial Equality Directive » (COUNCIL DIRECTIVE 2000/43/EC of 29 June 2000 implementing the principle of equal treatment between persons irrespective of racial or ethnic origin) • « Employment Framework Directive » (COUNCIL DIRECTIVE 2000/78/EC of 27 November 2000 establishing a general framework for equal treatment in employment and occupation)
2. Anti-discrimination laws The Racial Equality Directive 2000/43/EC • equal treatment between people irrespective of racial or ethnic origin. • protection: – in employment and training, education, social protection (including social security and healthcare), social advantages, membership and involvement in organisations of workers and employers and – access to goods and services, including housing. • definitions of direct and indirect discrimination and harassment • prohibits the instruction to discriminate and victimisation • allows for positive action measures to be taken, in order to ensure full equality in practice.
2. Anti-discrimination laws • complaint through a judicial or administrative procedure, associated with appropriate penalties for those who discriminate. • limited exceptions to the principle of equal treatment (e.g. where a difference in treatment on the ground of race or ethnic origin constitutes a genuine occupational requirement) • shares the burden of proof between the complainant and the respondent: – the alleged victim establishes facts from which it may be presumed that there has been discrimination – it is then for the respondent to prove that there has been no breach of the equal treatment principle. • establishment in each Member State of a body to promote equal treatment and provide independent assistance to victims of racial discrimination.
2. Anti-discrimination laws Employment Framework Directive 2000/78/EC • equal treatment in employment and training irrespective of – religion or belief – disability – age – sexual orientation • protection in employment, training and membership and involvement in organisations of workers and employers (narrower scope than the Racial Equality Directive)
2. Anti-discrimination laws • Identical provisions to the Racial Equality Directive on definitions of discrimination and harassment, the prohibition of instruction to discriminate and victimisation, on positive action, rights of legal redress and the sharing of the burden of proof. • Requires employers to make reasonable accommodation to enable a person with a disability who is qualified to do the job in question to participate in training or paid labour. • limited exceptions to the principle of equal treatment (e. g. where the ethos of a religious organisation needs to be preserved, or where an employer legitimately requires an employee to be from a certain age group to be recruited)
2. Anti-discrimination laws FRANCE Legal framework: • Criminal Code: discrimination is set out as a criminal offence • Loi n° 2001-1066 of 16/11/2001 (for work relationships) • Loi n° 2004-1486 of 30/12/2004 (broader scope, e.g. housing)
2. Anti-discrimination laws Criteria upon which discrimination is assessed: age, sex, origin, marital status, sexual orientation, sex life, moral standards, genetic characteristics, actual or supposed membership of an ethnic group, nation or race, physical appearance, disability, health condition, family name, political or religious beliefs, trade-union membership. These criteria are close to the sensitive data as defined under the Data Protection Directive.
2. Anti-discrimination laws National body for anti-discrimination: HALDE (Haute Autorité de Lutte contre les Discriminations et pour l’Egalité)
2. Anti-discrimination laws BELGIUM Legal framework: • Loi du 25 février 2003 tendant à lutter contre la discrimination (act to combat discrimination) • Convention Collective n° 38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs (collective agreement on the recruitment and selection of workers) • Loi du 30 juillet 1981 tendant à réprimer certains actes inspirés par le racisme ou la xénophobie (act punishing certain acts inspired by racism or xenophobia) • Prohibition on setting an age limit in recruitment and selection (Chapter II of the loi du 13 février 1998 portant des dispositions en faveur de l’emploi) • Regional decrees
2. Anti-discrimination laws Convention Collective n° 38 du 5 décembre 1983 concernant le recrutement et la sélection des travailleurs: - Information regarding the proposed job: nature and function, requirements, location - Intention to create a recruitment database (for future vacancies) - The mode of application - Obligation to respect privacy rights (including the prohibition on asking questions not relevant to the function) - Obligation of confidentiality
2. Anti-discrimination laws Prohibition on imposing an age limit in recruitment (Chapter II of the loi du 13 février 1998 portant des dispositions en faveur de l’emploi). Some exceptions: - where there is a legal basis - Royal Decrees
3. Application to recruitment procedures A. Recruitment and selection B. Privacy law principles C. Anti-discrimination policy
A. Recruitment and selection See the Employment Practices Code (Information Commissioner’s Office, UK) 1. Advertising • Inform the individuals who will provide the information – of the name of the organisation in the recruitment advertisements – of how the information will be used (unless it is self-evident) • Recruitment agencies should identify themselves and state how the information will be disclosed and to whom • When receiving information about an individual, ensure that the applicants are aware of the name of the organisation holding their information
A. Recruitment and selection 2. Applications • Application forms: state to whom the information will be provided and how it will be used • Only seek personal information that is relevant to the recruitment decision to be made
A. Recruitment and selection CNIL deliberation of 21 March 2002 on the collection of personal data in a recruitment procedure: • Drawn up with the Syndicat du Conseil en recrutement (Syntec): a standard questionnaire (model for recruitment sector professionals) • The Commission established a list of personal data that should not be considered adequate and proportionate (under privacy law):
A. Recruitment and selection
• date of arrival in France
• date of naturalisation
• how the nationality was acquired
• prior nationality
• social security number
• military status
• prior address
• family circumstances
• health condition, weight, eyesight, height
• housing details (landlord, occupant)
• involvement in an association
• standing orders with a bank
• loans
A. Recruitment and selection • Explain the sources from which information may be obtained about the applicant in addition to the information directly supplied • When collecting sensitive data: – ensure the purpose satisfies one of the sensitive data conditions – assess whether the information is relevant or not – assess whether the information is necessary at this stage of the recruitment process – according to CNIL: even consent is not enough if the data are not necessary • Provide a secure method for sending applications – e.g. limit the number of people able to receive the information
A. Recruitment and selection 3. Information of the applicant (cf. CNIL) • indicate whether replies are mandatory or voluntary and the consequences of a failure to reply • period of retention of the data • whether the information will be communicated to a third party and the name of that party (e.g. an employer who wishes to remain anonymous) – information and consent of the applicant are mandatory in this case • which recruitment methods are used. The results must be kept confidential.
A. Recruitment and selection 4. Verification of the information • Explain the nature of the verification and the methods used to carry it out – e.g. indicate which external sources could be used (current employer) • Restrict the use of criminal record disclosures – only if necessary to protect the business, customers, clients or others – only at an advanced stage, when the applicant is about to be appointed • Ensure you have the applicant’s consent before obtaining documents from external sources • Give the applicant the opportunity to explain any inconsistencies that are discovered • According to CNIL: obtaining information from the current employer can be carried out if the applicant is informed
A. Recruitment and selection 5. Short-listing • Be consistent with the applicable rules with regard to selection and recruitment (see above) • If an automated short-listing system is used: – inform the applicant – give the applicant the right to make representations
A. Recruitment and selection 6. Interviews • Inform applicants that they can have access to their interview notes • Destroy the notes after a reasonable time • Inform the applicant of how the information and notes will be stored
A. Recruitment and selection 7. Vetting (privacy intrusion) • Only if a significant risk is involved – vetting must be justified – not justified for every job: decide case by case – only at a late stage • Inform the applicant – of the vetting procedure – make clear to what extent information about the applicant will be released
A. Recruitment and selection 8. Retention of recruitment records • Establish a retention period for recruitment records based on a clear business need • Regularly destroy information obtained from a recruitment process if it is no longer needed • Inform the applicant that the collected information may be retained for future vacancies (if appropriate) and ask for the applicant’s consent • Ensure that the information is either securely stored or destroyed
B. Privacy law principles (See CNIL recommendation) Right of access: the applicant has the right to ask to access the information collected about him. Right to rectify the data: if the data are not correct or have changed, the applicant has the right to ask for rectification.
B. Privacy law principles Prohibition on using the data for purposes other than recruitment, e.g.: no commercial use without the applicant’s consent; no emailing without opt-in; no transfer to third parties
B. Privacy law principles Notify the processing to the national authority. No decision based solely on automated processing of data: human intervention is required and the applicant must be informed of the reasoning.
B. Privacy law principles Transfer to third countries prohibited in principle. Main exceptions:
• countries providing an adequate level of protection
• consent of the data subject
• appropriate contractual clauses
• Binding Corporate Rules (BCR)
B. Privacy law principles Binding Corporate Rules (BCR) 2 WP 29 documents were adopted on 14 April 2005 “Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules”
B. Privacy law principles “Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules” • Recognises BCR as an appropriate means of protecting personal data • The application for authorisation has to be filed with one national authority – several criteria determine the most appropriate authority – main criterion: the location of the operational headquarters • Several items of information have to be supplied – contact details – justification of the choice of data protection authority – the binding corporate rules themselves
B. Privacy law principles • Evidence that the measures are legally binding – Within the organisation (codes, corporate or contract rules, statutory codes, employment contract, …) – Externally for the benefit of individuals • Effective judicial remedy in one Member State • Effective financial resources if breach of the BCR
B. Privacy law principles • What the BCR should contain and provide – nature of the data – purpose of the processing – extent of the transfer • Identify any member of the group from which and to which data can be transferred – transparency and fairness to data subjects – purpose limitation – data quality – security – rights of access, rectification and objection
C. Anti-discrimination policy See CNIL 9/7/2005 An internal anti-discrimination policy may be a legitimate purpose, e.g. statistical tools/surveys regarding diversity in a company
C. Anti-discrimination policy What data may be collected for this purpose ? • Name and surname • Nationality • Prior nationality • Place of birth • Nationality of the parents • Address • NOT ethnic or racial information
C. Anti-discrimination policy Internal policy to be discussed, applying the relevant legislation and defining the criteria
C. Anti-discrimination policy Conditions: • Sole purpose: the anti-discrimination policy • Prohibition on seeking to establish ethnic or racial origin • Information of the employees about the purposes, the means and their rights • Processing by a limited number of people and in a secured computer environment • Statistical and anonymous data only • Destruction after the statistical results have been obtained
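The two conditions "statistical and anonymous data" and "destruction after obtaining statistical results" can be enforced in the survey tooling itself: tally responses into aggregate cells, suppress cells small enough to point at one person, and discard the raw responses once the table exists. The block below is an added example, not code from the presentation or from CNIL; the grouping keys (site, nationality), the threshold of 5 and the sample responses are assumptions. It also applies complementary suppression, which goes beyond the slide: if a group has exactly one hidden cell, a published group total would reveal it, so a second cell is hidden too.

```python
"""Added example (not from the presentation): a diversity survey reduced
to anonymous aggregate counts, with small cells suppressed before anyone
sees the table and the raw responses destroyed afterwards.
The grouping keys, the threshold and the sample rows are assumptions."""
from collections import Counter, defaultdict

MIN_CELL = 5  # assumption: a count below this could single out a person


def aggregate(responses, group_key, category_key):
    """Tally responses per (group, category); individual rows are not kept."""
    cells = defaultdict(Counter)
    for r in responses:
        cells[r[group_key]][r[category_key]] += 1
    return {group: dict(counts) for group, counts in cells.items()}


def suppress(table, min_cell=MIN_CELL):
    """Hide small cells; if a group has exactly one hidden cell, hide the
    next smallest too, since the group total would otherwise reveal it."""
    out = {}
    for group, counts in table.items():
        hidden = {cat for cat, n in counts.items() if n < min_cell}
        if len(hidden) == 1:
            visible = [cat for cat in counts if cat not in hidden]
            if visible:
                hidden.add(min(visible, key=lambda cat: counts[cat]))
        out[group] = {cat: (None if cat in hidden else n) for cat, n in counts.items()}
    return out


def run_survey(responses, group_key="site", category_key="nationality"):
    """Produce the anonymous table, then destroy the raw responses."""
    table = suppress(aggregate(responses, group_key, category_key))
    responses.clear()  # destruction after the statistical result is obtained
    return table


# Constructed sample responses (no real people): 12 FR, 3 MA, 7 BE at Lyon;
# 20 FR, 6 MA at Paris. Nationality is collected, ethnic origin is not.
SAMPLE_RESPONSES = (
    [{"site": "Lyon", "nationality": "FR"}] * 12
    + [{"site": "Lyon", "nationality": "MA"}] * 3
    + [{"site": "Lyon", "nationality": "BE"}] * 7
    + [{"site": "Paris", "nationality": "FR"}] * 20
    + [{"site": "Paris", "nationality": "MA"}] * 6
)

if __name__ == "__main__":
    # Lyon: MA (3) is hidden, and BE (7) with it so the total cannot expose MA.
    print(run_survey(list(SAMPLE_RESPONSES)))
```

The `None` cells are what a reader of the table sees; the raw list is emptied by `run_survey`, so nothing identifying outlives the aggregation step.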
C. Anti-discrimination policy Anonymous CV French act on equal opportunity (loi n° 2006-396 du 31 mars 2006) • Imposes the use of anonymous CVs for companies with 50 or more employees • Data such as name, surname, email, picture, sex, age and address are removed • The data will be processed and the first contact will be made via a third party (an independent agency or an internal entity)
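The anonymous CV stage described above is, in data-protection terms, pseudonymisation: the identifying fields are split off and held only by the intermediary that makes first contact, while the hiring side works from a record keyed by a random token. The block below is an added example, not code from the presentation or from the French act; the field list, the token scheme, the free-text leak check and the sample applications are assumptions. The leak check matters in practice: a cover letter that repeats the applicant's name or email re-identifies a record whose structured fields were removed.

```python
"""Added example (not from the presentation or the French act): an
'anonymous CV' stage implemented as pseudonymisation. The identifying
fields are split off and kept only by the intermediary that makes first
contact; the hiring side receives a record keyed by a random token.
Field list, token scheme and sample applications are assumptions."""
import secrets

# Fields the slide lists as removed, plus two obvious identifiers
# (assumption: extend to match your own application form).
IDENTIFYING_FIELDS = frozenset({
    "name", "surname", "email", "picture", "sex", "age", "address",
    "phone", "date_of_birth",
})


class Intermediary:
    """Holds the token -> identity mapping; nobody else sees it."""

    def __init__(self):
        self._vault = {}

    def pseudonymise(self, application):
        """Split an application into (token, record without identifiers)."""
        identity = {k: v for k, v in application.items() if k in IDENTIFYING_FIELDS}
        redacted = {k: v for k, v in application.items() if k not in IDENTIFYING_FIELDS}
        token = secrets.token_hex(8)  # random, unrelated to the person
        self._vault[token] = identity
        redacted["applicant_token"] = token
        return token, redacted

    def contact(self, token):
        """Only the intermediary resolves a token back to a person."""
        return self._vault[token]

    def purge(self, token):
        """Destroy the mapping once the process for this applicant ends."""
        self._vault.pop(token, None)


def leaks_identity(redacted, identity):
    """Free-text fields can re-identify an applicant even after the
    structured fields are gone; return the identity keys that reappear."""
    text = " ".join(str(v) for v in redacted.values()).lower()
    return sorted(
        k for k, v in identity.items()
        if isinstance(v, str) and len(v) >= 3 and v.lower() in text
    )


def prepare_for_employer(intermediary, application):
    """Pseudonymise and refuse any record that still identifies the applicant."""
    token, redacted = intermediary.pseudonymise(application)
    leaked = leaks_identity(redacted, intermediary.contact(token))
    if leaked:
        intermediary.purge(token)
        raise ValueError(f"record still identifies the applicant via {leaked}")
    return token, redacted


# Constructed sample applications (not real people).
SAMPLE_OK = {
    "name": "Amina", "surname": "Haddad", "email": "amina@example.org",
    "sex": "F", "age": 34, "address": "12 rue Exemple, 75011 Paris",
    "degree": "MSc Computer Science",
    "experience": "6 years as SOC analyst; SIEM tuning, incident response",
}
SAMPLE_LEAKY = dict(SAMPLE_OK, experience="Contact me at amina@example.org for references")

if __name__ == "__main__":
    inter = Intermediary()
    token, record = prepare_for_employer(inter, SAMPLE_OK)
    print(record)                  # no name, email, sex, age or address
    print(inter.contact(token))    # resolvable only by the intermediary
```

The vault is the only link between token and person, which is why it must sit with the intermediary and be purged when the process for that applicant ends; keeping it on the same system as the redacted records would defeat the purpose of the stage.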
4. Whistleblowing and privacy Whistleblowing schemes are imposed by several laws with respect to accounting, auditing matters, the fight against bribery, and banking and financial crime. Present in several European national laws (fight against fraud), but the main act is the Sarbanes-Oxley Act.
4. Whistleblowing and privacy SOX: – “procedures for the receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters” – protection of employees of publicly traded companies who provide evidence of fraud against retaliatory measures taken against them. Applicable to all US publicly traded companies and their EU-based affiliates. Provisions mirrored in the NASDAQ and NYSE rules.
4. Whistleblowing and privacy SOX vs. privacy: • “Document d’orientation” adopted by CNIL (10 November 2005) • Opinion 1/2006 of Article 29 working party on the application of EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against bribery, banking and financial crime
4. Whistleblowing and privacy Legitimacy of whistleblowing systems? • legal obligation to which the controller is subject (article 7(c) of the Directive) – only by virtue of EU legislation or the law of an EU Member State: several national laws on combating bribery, ... – SOX, being a foreign law, cannot serve as a legitimate basis on this ground
4. Whistleblowing and privacy • Legitimate interest pursued by the controller (article 7(f) of the Directive) – for the Member States where no whistleblowing obligations are imposed, good corporate governance is considered a legitimate interest of companies (see OECD and EU positions) – however, article 7(f) requires a balance to be struck between the legitimate interest of the controller and the fundamental rights of the data subject (balance of interests)
4. Whistleblowing and privacy Adequacy, proportionality and quality of the data? • Possible limitation of the number of people entitled to report alleged improprieties or misconduct through whistleblowing schemes • Possible limitation of the number of people who may be incriminated through whistleblowing schemes
4. Whistleblowing and privacy Anonymous reports • Not encouraged: – anonymity does not prevent others from guessing who raised the concern – harder to investigate: no follow-up possible – the whistleblower is already protected by the scheme – may deteriorate the social climate
4. Whistleblowing and privacy Recommendations about anonymous reports: • data should be collected fairly: in principle only identified reports should be allowed • but WP 29 accepts anonymous reports under some conditions: – neither encourage nor advertise the possibility of anonymous reports – advertise the protection offered by the scheme • if, despite this information, the person reporting still wants to remain anonymous, the report will be accepted • should anonymous reports be investigated differently?
4. Whistleblowing and privacy Proportionality and accuracy of the data collected and processed • Should be restricted to the minimum and to what is necessary under the relevant obligation • If data fall outside the scope of whistleblowing: find another legitimate basis for the purpose • See the “document d’orientation” of CNIL: some processing is covered by a “décision d’autorisation unique” (single authorisation decision). If the purpose, the data or the processing fall outside the scope of that document, the standard rules apply
4. Whistleblowing and privacy Strict data retention period Recommendation: 2 months after completion of the investigation. Can be longer if: – legal proceedings are brought against the incriminated person or the whistleblower – national rules relating to the archiving of data require it
4. Whistleblowing and privacy Information about – the existence, purpose and functioning of the scheme – the recipients of the reports and the rights of access, rectification and erasure – the confidentiality of the person reporting – the possibility of a sanction in case of abuse
4. Whistleblowing and privacy Information of the data subject • The entity responsible for the whistleblowing scheme • The facts of which he is accused • The departments or services which might receive the report within his own company or in other entities or companies of the group to which the company belongs • How to exercise his rights of access and rectification
4. Whistleblowing and privacy PROBLEM Informing the incriminated person immediately could jeopardise the ability of the company to investigate effectively or gather the necessary evidence SOLUTION The information of the incriminated individual may be delayed as long as such a risk exists
4. Whistleblowing and privacy Rights of access, rectification and erasure Here again, these rights may be restricted on a case-by-case basis in order to ensure the protection of the people involved in the scheme. Under no circumstances can the person accused obtain information about the whistleblower on the basis of his right of access, except where the whistleblower has made a false statement.
4. Whistleblowing and privacy All reasonable technical and organisational measures to preserve the security of the data. The confidentiality of reports must be guaranteed. Use dedicated means in order to prevent any diversion of the scheme from its original purpose.
4. Whistleblowing and privacy a) Specific internal organisation • a dedicated group or department handles whistleblowing reports and leads the investigation • the system should be strictly separated from other departments • information is only transmitted to other people who are specifically responsible
4. Whistleblowing and privacy b) Possibility of using external providers • Possible use of external providers (specialised companies, call centres, law firms) • The company remains responsible for the processing of the data • Obligation to have a contract containing specific clauses for compliance with the principles of the Directive
4. Whistleblowing and privacy c) Principle of investigation in the EU companies and exceptions • Proportionality principle: take the nature and seriousness of the alleged offence into account to determine at what level, and in which country, the assessment of the report should take place • As a rule, the Art. 29 WP believes that groups should deal with reports locally • Some exceptions, however: data received through a whistleblowing system may be communicated within the group – if such communication is necessary for the investigation, – depending on the nature or seriousness of the reported misconduct, or where it results from how the group is set up
4. Whistleblowing and privacy Transfer to third countries Transfers are likely to occur for EU affiliates of third-country companies. General principle: transfer only allowed to a country with an adequate level of protection
4. Whistleblowing and privacy What if the third country does not ensure an adequate level of protection? Data may be transferred on the following grounds: [1] where the recipient of the personal data is an entity established in the US that has subscribed to the Safe Harbor scheme; [2] where the recipient has entered into a transfer contract with the EU company transferring the data, by which the latter adduces adequate safeguards, for example based on the standard contractual clauses issued by the European Commission in its Decisions of 15 June 2001 or 27 December 2004; [3] where the recipient has a set of binding corporate rules in place which have been duly approved by the competent data protection authorities.
CONCLUSION Assessment of privacy laws vs. whistleblowing laws on a case-by-case basis. Different approaches in each country towards the combination of privacy and recruitment rules. Orientation papers (CNIL, WP 29, BCR): efforts to harmonise and to give guidance to business. Unexpected effect: SOX makes companies respect privacy laws, because they have to pay attention to data protection laws.
Thank you. Questions? Comments?