UKC

The small European company I work for wants to store personal data they hold about me in their US office. Should I let them ? They've asked me to sign a very loosely worded document giving them permission to do this. I believe there are certain requirements under local and EU law about this, about which the document makes no mention, nor whether they adhere to EU data protection rules. My view is I don't see its necessary and I'd rather they stored it in the HR dept where I work, as they have done until now. Am I being slightly paranoid or is it reasonable to request they keep it local to me?

In reply to Dave:
Send them an email asking them to make sure that they ensure adherence to EU rules on data storage, and can they look into whether it being stored in the US complies with this?

In reply to Timmd:


They can't give that assurance. A US company is bound by US law, they can't give any guarantee that they can ignore any changes in US law that are at odds with EU law.

To the OP, you're only paranoid if you have no reason to suspect it's for underhand reasons. Do you work in an industry that has blacklisting, or anything else that might be banned in the EU?

In reply to Dave:

I think they can, at the moment, if the transfer and storage of the data in the US meet/exceed EU data protection requirements.

Recent EU (Safe Harbor?) findings may change the current directive.

In reply to Dave:

Is it actually a change to their systems or is it because "safe harbour" has been declared invalid?

"Safe Harbour" was a policy in which data could be held in the USA after agreeing to abide by EU data privacy laws. However thanks to the NSA snooping it has been found to be invalid. Even if a company signs up to it the USA government can override them making it pointless.
Lots of lawyers are currently arguing about what it actually means. For example if your company uses a third party HR system which is cloud based in the USA then it might be invalid (or if they use outlook online on similar).
I am not sure you can sign away your rights that easily as well. Although again thats one for the lawyers.

Thanks. There is nothing underhand about it or the company and its basically to let HR at the US end to access and store personal data. After further investigation this morning I believe they've already transferred the data some months ago anyway and had not asked for US/EU Safe Harbour coverage, though as its been pointed out here its not valid now anyway after the recent Euro Court ruling, or informed employees that they transferred it and are now scrambling to cover themselves. This doesn't particularly reassure me that they are likely to have got data protection systems in place properly. I think its reasonable to ask for more information on whether they've got it covered from the legal side and have that specified in the document they want me to sign, or ?

In reply to Dave:

If you really want to take up this fight... You should be informed of the following:

What is the purpose of the collect/tft of data to the US?

ex: the management wants to get a picture of the skills available.

What data is being transferred? For how long will it be kept?

coming back to the above example, you could argue that there is no need for any info that would identify an individual to be transfered.

Who and how will it be processed?

What are the measures in place for me to access it?

Correct me if wrong!

In reply to Dave:
Do you trust them? If not, time to find another job. The working relationship only really works in a relationship of trust.

Aside from that, the horse has bolted; data is now an international thing. We don't know where things are hosted and we don't really *need* to know. That court ruling was curiously Luddite.

Neil

In reply to Dave:

What's the repercussions of you refusing to sign it? If it's not going to impact you by saying no I'd definitely say no. There's no need to store data in the US these days and it does nothing but put your info at risk.

I have been asked to sign similar paper after company I was working for was bought by Americans. I refused. Had a bit of debate with HR. It is more like HR had a debate while I was 'no' and 'I don't want to discuss it'. My main reason was as simple as I just didn't wanted to waste time trying to understand that it means to me.

For next 7 months it did not backfired on me in any way. After that I resigned because Americans decided not to pay bonuses to Londoners