The background screening industry is booming. Whether the driver is the mainstream adoption of background checks prompted by compliance awareness, the growing practice of major corporations partnering with independent contractors, or the globalization of the practice itself, the market is keen to find the right fit and ensure a safe working environment.
It is not uncommon to find a situation where an employer located in California hires a background screening company located in New York to perform a background check on a candidate who is a Japanese citizen, and resident of Spain. Which data protection regulation should be applied in this scenario?
In some circumstances, the job posting or the employer's consent form establishes the law applicable to the recruitment process, and the candidate has accepted it as is. If the job posting and the consent form are silent, the background screening company has two options: (i) hire a multinational law firm with attorneys in California, New York, Japan, and Spain to provide the level of counsel, and comfort, needed to perform the check, or (ii) build up a sufficient level of accessible in-house knowledge and thorough procedures to reach a balanced decision and perform a check that meets current best practice.
The United States and the European Union have different cultural norms and, therefore, set different standards that a company must identify and must abide by when performing background checks.
For instance, two restrictive principles in the context of background screening are the European Union's data minimization principle (GDPR Article 5(1)(c)) and the United States' accuracy principle (the FCRA requires consumer reporting agencies to follow reasonable procedures to assure maximum possible accuracy). The two principles go hand in hand and can both be found in the overwhelming majority of data protection laws around the globe. The key differentiator is the emphasis: the United States places it on accuracy, while the European Union is particularly sensitive to data minimization.
Another example is found in the legal basis for lawful processing: written consent (authorization) is a must-have for employment background checks in the United States, whereas European employers should rely on a legal ground other than consent in the employment context. The Hellenic Data Protection Authority, in decision No 26/2019, recently reminded employers that consent may not be deemed freely given because of the clear imbalance of power between employer and employee.
The cultural gap may explain the different standards found in data privacy law, but it does not excuse a lack of accountability in the processing of personal data.
Reconciling Data Privacy Regulations
When performing a background check on the global scene, all applicable standards should be taken into consideration and weighed against one another in order to reach a balanced decision. The Court of Justice of the European Union recently said, in Google v CNIL (Case C-507/17), that:
"(…) the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality (…)".
Everything must be taken into account: a balanced decision, together with detailed documentation of how personal data are managed, may be more valuable than ever in the context of global screening.
A relationship with a partner, a client, a data protection authority or a candidate can turn litigious where a prejudice is suffered, notably when a data protection law is violated; the typical trigger is a candidate who feels he or she has been prejudiced by the check, or a regulator who finds that the company has breached a data protection law.
Despite differences in standards across the world, a company can take steps to mitigate issues arising from situations involving multiple jurisdictions. Hiring a multinational law firm with attorneys in many different states and countries is not the most expedient way to deliver a check. A company facing a situation like the one described above should therefore identify, assess, and mitigate the risks involved in performing background checks.
The risks commonly associated with collecting and processing data are:
- wrongful or excessive collection of data;
- lack of accuracy;
- security breach; or
- leak of data.
To mitigate wrongful collection of data, lack of accuracy, and the risk of breach or leak, a company can take appropriate technical and organizational measures, which is exactly what GDPR Article 32 asks for. An organization can address risks in the collection and processing of data by establishing policies and procedures that set high standards and by documenting, implementing and auditing those policies and procedures on a regular basis. These measures should include thoroughly training the teams that handle the data and implementing information technology safeguards such as pseudonymization, encryption, access limited to those who need it, and network security.
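The following is an added example, not code from the original article or from any screening company, showing what two of the measures named above (data minimization and pseudonymization) look like in practice for a candidate record before it leaves the employer. The record, the list of fields needed for the check, and the field names are all constructed assumptions. It also shows why a plain, unkeyed hash of a name is not a pseudonym: anyone with a list of names can reverse it, whereas a keyed HMAC token cannot be linked back without the key the employer keeps.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, as an employer might hand it to a screening
# company. Not real data; field names are assumptions for this example.
CANDIDATE = {
    "full_name": "Jane Example",
    "date_of_birth": "1988-04-12",
    "passport_number": "XX1234567",
    "home_address": "Calle Falsa 123, Madrid",
    "religion": "none stated",
    "role_applied": "payroll administrator",
    "checks_requested": ["identity", "employment_history"],
}

# Fields the requested checks actually need. Everything else is dropped
# before the record leaves the employer (data minimization).
NEEDED_FOR_CHECK = {"full_name", "date_of_birth", "role_applied", "checks_requested"}

# Direct identifiers replaced by a pseudonym in the screening company's copy.
DIRECT_IDENTIFIERS = ("full_name", "date_of_birth")


def minimize(record, needed=NEEDED_FOR_CHECK):
    """Keep only the fields listed as needed for the requested checks."""
    return {k: v for k, v in record.items() if k in needed}


def pseudonym(record, key):
    """Keyed pseudonym (HMAC-SHA256) over the direct identifiers.

    The key stays with the employer (the controller). Without it, a token
    cannot be linked back to a person by recomputing hashes of known names.
    """
    material = "\x1f".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize(record, key):
    """Return (working_copy, link_entry).

    working_copy is what the screening company receives; link_entry is the
    single row the employer keeps so it can re-identify the subject when the
    report comes back.
    """
    token = pseudonym(record, key)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_id"] = token
    link_entry = {token: {f: record[f] for f in DIRECT_IDENTIFIERS}}
    return working, link_entry


def prepare_for_screening(record, key):
    """Minimize first, then pseudonymize: the order matters, because the
    pseudonym is computed over fields that survive minimization."""
    return pseudonymize(minimize(record), key)


def naive_hash(record):
    """Unkeyed SHA-256 of the name. Shown only to demonstrate the weakness."""
    return hashlib.sha256(record["full_name"].encode("utf-8")).hexdigest()


def reverse_by_dictionary(token, candidate_names):
    """Dictionary attack: an unkeyed hash is reversed by hashing guesses.

    Returns the matching name, or None when no guess hashes to the token
    (which is the outcome against a keyed HMAC token without the key)."""
    for name in candidate_names:
        if hashlib.sha256(name.encode("utf-8")).hexdigest() == token:
            return name
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held only by the employer
    working, link = prepare_for_screening(CANDIDATE, key)
    print("sent to screening company:", working)
    print("kept by employer:", link)
    guesses = ["John Doe", "Jane Example"]
    print("unkeyed hash reversed to:", reverse_by_dictionary(naive_hash(CANDIDATE), guesses))
    print("keyed token reversed to:", reverse_by_dictionary(working["subject_id"], guesses))
```

The passport number, home address and religion never reach the screening company, which limits both the damage of a leak on their side and the scope of any accuracy dispute to the fields actually used. Encryption in transit and at rest still applies on top of this; the example deliberately shows only the minimization and pseudonymization steps.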
The General Data Protection Regulation ("GDPR") is widely recognized as one of the "toughest" privacy regulations. Not only has the GDPR inspired many non-EU countries to adopt similar legislation, such as the Brazilian General Data Protection Law (LGPD), Federal Law No. 13,709/2018, but it has also been explained in detail by regulators so that stakeholders can understand and implement it comprehensively.
To summarize, several data privacy regulations can apply to a single situation. The GDPR sets the tone among the highest standards and can help you build a solid and comprehensive data privacy program within your organization, because it makes accountability a key principle. The GDPR requires you to be aware of, and take responsibility for, what you do; more precisely, it requires you to be able to answer three questions: what personal data are you collecting or processing, why are you collecting or processing them, and how are you collecting or processing them?
Case C-507/17, Google v CNIL, ECLI:EU:C:2019:772
Alice Quinones, General Counsel