December 11th, 2018

Legal Report by Gordon Kerr - EuRA Strategic Consultant - Legal Services

It’s fair to say that the GDPR has been the dominant legal concern of the relocation industry (and most other industries!) in 2018.  It’s also fairly certain that the GDPR will continue to get a lot of focus in the year ahead, as prosecutions and court decisions provide us with greater clarity on how the GDPR is being interpreted in practice.  I will be monitoring this for EuRA and updating members on relevant developments.

Fortunately, there is more to the legal world than data protection law and in this Report I bring to your attention some other legal issues which can impact on relocation businesses.  These include the thorny issues that can arise for staff employed in more than one country; the potential negative consequences of the EU’s proposed new copyright Directive; and a look at some tricky aspects of Brexit for EU citizens working in the UK.  Of course, I cannot resist the temptation to also report on some recent court decisions on the GDPR and data protection!

As always, please feel free to share with me your own thoughts on the legal issues which are currently concerning you.  EuRA is here to support you!

Can an employer choose which country’s laws apply to its employment contracts?

The short answer to this question is no.  The reason that this topic comes up so often is that large employers with mobile staff can sometimes spot an opportunity to make significant cost savings by selecting a low-cost jurisdiction for their employment contracts.  This was illustrated by a series of cases involving airlines.

Ryanair was fined more than €8 million for breaching French labour laws through avoidance of social security contracts.  The airline’s French staff were given Irish contracts, which meant that lower social charges were paid.  Ryanair was paying a charge of just 10% in Ireland, whereas the French charge would have been 45%.  This followed a similar EasyJet case which also resulted in a substantial fine for the airline for avoiding French tax by opting for UK law to govern staff contracts.

So, why do so many multi-national employers get into this kind of mess?  The starting point is that EU law allows parties to a contract to choose which country’s law will apply to their contract.  But this general rule is overridden by the mandatory employment rules of the country in which an employee is working.  These national rules apply automatically and cannot be ignored.  If an employment contract contains terms that are contrary to the law of the country in which the employee is based, it is the local law which “wins”.

The other side of this coin is that employees are similarly unable to choose whichever country’s employment law works to their best advantage.  This follows from the decision of the European Court of Justice in Schlecker v Boedeker.  In that case it suited the employee, Ms Boedeker, to have the case against her employer (a German company called Schlecker) judged under Dutch law rather than German law.  However, the court’s judgement was that there had to be an objective assessment of which country was most closely associated with the job, taking account of factors such as the currency of payment, where taxes are paid, where the employee lives and which benefits apply.

The upshot is that, while parties to a contract are generally free to decide on which country’s law will apply to a contract, this general rule can be overridden by tax rules and employment law.  Whatever the contract says, courts will look at the “on the ground” reality and have powers to impose large fines on employers who are judged to be avoiding tax unlawfully.

Concern over new EU copyright law

It’s very rare for me to comment on something as esoteric as copyright law, but for all businesses which create online content (i.e. most businesses!), there is a legal change afoot which has some worrying implications.

A new EU Directive on “copyright in the digital single market” imposes an obligation on websites that allow users to upload files – such as Google, YouTube and Facebook – to filter everything for potential copyright infringements before making it available online.  Many commentators are saying that this could spell the end of linking to other content, live streaming, parodies and memes.

To illustrate what this new law could mean in practice, there was a takedown by FIFA during the last World Cup of a homemade mobile phone video of a seven-year-old boy, posted on Twitter by his mother.  The video was only a few seconds long, but in the background was some slightly out-of-focus footage of a Harry Kane goal the boy was celebrating.  FIFA, as copyright holders, instructed Twitter to remove the video from its server and Twitter complied.

The good news is that, in July, the proposed law was rejected in the European Parliament by 318 votes to 278.  It was argued successfully that the new law was too vague and far-reaching, and failed to grasp how the internet works.

The bad news is that the Directive will be revised and come back to Parliament for approval.  Watch this space!

Data protection updates

1) Facebook and the principle of “transparency”

It’s impossible to talk about data protection right now without talking about Facebook. The issue of Facebook and Cambridge Analytica (in which UK and US lawyers alleged misuse of more than 71m people’s personal data) came to light before GDPR-day, but the issues raised were reflected in the changes that the GDPR was seeking to make in Europe.

Fair processing, or a lack of it, had already attracted the attention of the ICO (the UK’s data protection authority), which fined a number of high-profile charities in 2016 for using our personal data in ways that we would not expect. Facebook and those who bought data from Facebook have also been accused of this.

We did not expect our Facebook data to be used to influence politics and election results.  This is a disturbing use of social media data and not one that most people expect or are comfortable with.  The GDPR addresses this issue by obliging organisations to tell us what they are up to with their data: the “transparency” principle.

Arguably, this is the most significant change created by the GDPR. No doubt the authorities will continue to impose fines for security breaches, but the cultural change that the GDPR should bring about is in relation to transparency: through individuals exercising their personal data rights and challenging what organisations are doing or what organisations say they are doing.

Although most of the individual rights provided by the GDPR existed before, it already seems clear that the heightened awareness provided by the introduction of the GDPR has led to more people exercising their rights.

From those who receive unwanted marketing emails to those who are simply annoyed at an organisation, individuals are using the right to access their data, the right to object and the right to erasure. These rights exist to hold organisations to account for their processing.  Overall, that has to be a good thing, but equally we have to recognise that, for some businesses, dealing with the increase in requests from individuals can be expensive and time-consuming.

As for Facebook, it may feel lucky to have escaped with a fine of £500,000 (the maximum under pre-GDPR law).  Had the offence occurred after 25th May 2018, the fine could well have been at the maximum level of 4% of global turnover. By my reckoning, this would have meant a fine in the hundreds of millions!

2) Is your data at risk from a disgruntled employee?

A UK court decision on a deliberate data breach by a disgruntled employee has serious implications for all businesses.

Morrisons, Britain’s fourth largest supermarket, faces “vast” compensation payments to over 5,000 employees who were the victims of a huge data leak. Employee bank account details, dates of birth, national insurance numbers, addresses and telephone numbers were stolen and posted online by Andrew Skelton, a disgruntled employee who had recently been disciplined.  The frightening aspect for employers is that there is no suggestion that Morrisons did not have proper systems in place to protect data.  Instead, the liability arises under the principle of “vicarious liability”, which makes an employer legally responsible for the actions of each of its employees.

So worrying news for businesses with any disgruntled employees with access to personnel records.  But it was even worse news for Mr Skelton.  In a separate criminal trial he was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years!

3) Recent fines for data protection failures ……

Although recent fines for data breaches still relate to pre-GDPR law, it is interesting to see the kinds of breaches which attract the attention of the authorities.

During September and October 2018, the ICO prosecuted several cases, including:

A fine of £90,000 to Boost Finance for sending 4,396,780 unsolicited marketing emails;

A fine of £120,000 to Heathrow Airport for the loss of a USB memory stick by a member of Heathrow staff which contained the personal and sensitive personal data of several individuals. Heathrow had not secured the data on the USB stick to a suitable standard. The ICO’s judgement also stated that there had been a lack of training and controls for staff on the use of removable media to transfer personal data held on Heathrow's systems.

A fine of £400 for a nurse who inappropriately accessed the records of patients between 2014 and 2016.  The records accessed included maternity and paediatric patient records, as well as the blood results of a friend, which were accessed 44 times after they had been discharged. Not surprisingly, the nurse was also dismissed from her employment for gross misconduct.

While there have been no fines yet under the GDPR, the ICO has now issued its first GDPR “enforcement notice”.  This was served on AIQ, a Canadian company located outside the EU.  The notice was issued as AIQ was still holding and processing the data of UK citizens after the GDPR came into force. Interestingly, the processing was in connection with online political messages sent by AIQ on behalf of several UK political organisations to UK citizens during the Brexit referendum. The ICO held that AIQ had breached various GDPR requirements, including processing personal data without a lawful basis and processing personal data for purposes incompatible with the purpose for which it was collected.

The GDPR applied to this Canadian company because its processing of personal data related to the monitoring of the behaviour of data subjects within the EU. This illustrates the global reach of the GDPR.

Failure to comply with the enforcement notice could lead to a fine of up to €20 million or 4% of AIQ’s total annual worldwide turnover.

And finally on Brexit …….

One of the most pressing issues for employers in relation to Brexit is immigration and the rights of EU citizens following the UK’s exit from the EU. Many UK businesses hire EU workers, with some sectors such as agriculture being particularly dependent on seasonal EU workers.  Still more will employ individuals who have family members who are EU nationals. In order that employers can effectively support affected employees, it is important that they are aware of the process that EU citizens/workers will need to go through in order to remain in the UK.

The UK Home Office has published the three steps EU citizens will need to take in order to obtain settled status in the UK following Brexit. EU citizens will need to complete these steps if they wish to remain in the UK after 30 June 2021. Irish citizens and those who already have indefinite leave to remain do not need to apply.

In order to apply for settled status, EU citizens must have lived in the UK for five years.  Individuals must:
(1) prove their identity as an EU citizen (via passport/ID card);
(2) prove their residence in the UK (P60, bank statements, utility bills); and
(3) declare any past criminal convictions.

EU citizens who have lived in the UK for less than five years can apply for "pre-settled status". This will enable them to live in the UK until they reach the five-year period, when they can then apply for settled status.

There is a £65 fee for the application, which is reduced by 50% for children under 16. There will be no fee for:

those who already have valid indefinite leave to remain or a valid permanent residence document;

an application to move from pre-settled status to settled status; or

children in local authority care.

The scheme is set to open from late 2018 before becoming fully operational by 30 March 2019.

This article was written for The EuRApean - Edition December 2018
