Tag Archive: European Union

Employers need to review protection of confidential information as new European laws are approved to harmonise the protection of trade secrets

Employers need to be aware that the Trade Secrets Directive (TSD) was approved yesterday by the European Council, marking the end of its legislative journey in Europe. We can now expect to see its swift publication in the Official Journal, with entry into force 20 days later, with the impact that implementing legislation is likely to be introduced in each Member State by summer 2018. The aim of the TSD is to harmonise the protection of trade secrets across Europe and to make it easier for employers to adopt uniform business policies so that innovation and economic growth can be promoted. It will introduce a minimum level of protections, which can be supplemented by local laws.  Time will tell how each Member State will address this and employers should ensure they monitor progress to stay on top of the implications for their business.

The approval of the TSD comes at the same time as the US has brought into law the Defend Trade Secrets Act. This implements a federal basis for claims relating to misappropriation of trade secrets (for more on this, see our article, ‘Federal Trade Secret Bill signed into law‘). With the protection of trade secrets riding high in the international arena, directing attention onto this area, and gaining a full understanding of the implications of these new laws,  has never been more important for multi-national employers.

For employers in the UK (any Brexit aside) the imminent arrival of the TSD should serve as impetus to carry out a full review of how business assets, and confidential information in particular, are currently protected, with a particular focus on ensuring the requirements of the TSD are met. Whilst the TSD is potentially helpful in widening the scope of the commercial information which can be protected, failing to understand how to achieve this protection in practice, could instead lead to it being lost, with potentially devastating consequences for the business.

Here are the key issues for employers:

Meaning of trade secret

Under the TSD, a trade secret is information which is secret (in the sense that it is not readily known amongst the relevant circles); has commercial value; and, crucially, for which reasonable steps have been taken to keep it secret. The TSD’s specific focus on the reasonable steps which have been taken to protect the information is a change to the current UK regime, and should be a red flag to employers; unless employers can demonstrate those steps, protection of the trade secret may not be available.

Unlawful acquisition, use or disclosure of trade secrets

Trade secrets will be acquired unlawfully if obtained through unauthorised access to, or appropriation of, materials containing the trade secret, or through any conduct which is contrary to honest commercial practices. It seems likely that the meaning of ‘honest commercial practices’ will attract litigation. Use or disclosure of trade secrets will be unlawful if a person has acquired the trade secret unlawfully, or it is in breach of a confidentiality agreement, a contractual duty, or any other duty not to disclose the trade secret.

Whistleblowing

The TSD does not protect trade secrets where the disclosure of the information serves the public interest and reveals misconduct, wrongdoing or illegal activity. There are some differences to the current UK whistleblowing regime. Some potentially impact favourably on employers (eg it appears that actual misconduct etc has to be disclosed, rather than the worker simply having a reasonable belief that it exists); others less favourably (eg it appears there is no restriction with regards to whom the worker can disclose the information). However, the provisions lack clarity and it seems likely that they will be the source of litigation and references to the ECJ. This lack of clarity has also prompted the the Greens/EFA group in the European Parliament to launch a draft whistleblower protection directive, which has received cross-party support and is awaiting approval and proposal by the European Commission. As currently drafted, the draft whistleblower protection directive would set a minimum standard for whistleblower protection which affords more protection than many stand-alone whistleblower laws. However, this is only the beginning of a very long legislative process.

Sanctions

The UK will need to introduce provisions to provide remedies for unlawful acquisition, use or disclosure of trade secrets. The remedies must include interim injunctions, permanent injunctions and damages. It is also obliged to include sanctions, including the possibility of recurring penalties, for any person who fails to comply with an interim or permanent injunction.

In the lead up to the implementation of the TSD, employers should take the opportunity to carry out a thorough audit of the information which the business wishes to protect, and assess whether it meets, or could potentially meet, ‘trade secret’ status, in particular by reviewing the steps which are in place to protect it. Employers should carry out a review not only of existing contractual provisions and policy documents, but also the current tangible, physical protections of confidential information, and the training which staff have had in this regard.

Also, with the launch this week by the Government of its call for evidence into the impact of non-compete restrictions, protection of business assets looks set to be a key issue for employers throughout 2016 and beyond.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/employers-need-to-review-protection-of-confidential-information-as-new-european-laws-are-approved-to-harmonise-the-protection-of-trade-secrets/

New European data protection rules will have significant impact on employers

Today’s adoption of the new EU General Data Protection Regulation (GDPR) heralds a new dawn in data protection, with far-reaching consequences for employers. For many, there will need to be a wholesale change in culture with a brand new approach to processing personal employee data. It is likely that existing practices will fall far wide of the mark and will require substantial review before the GDPR takes effect in 2018.  The importance of this cannot be overstated due to the introduction of extremely onerous sanctions which will heavily penalise breaches of the GDPR.

Although the new regime is challenging, compliance is achievable provided suitable planning and preparation is undertaken, and the correct steps are taken at the right time – beginning with a thorough audit of existing practices for data processing. The UK’s Information Commissioner’s Office (ICO) has published useful guidance for employers on the “12 steps to take now“. In order to meet the new obligations, co-operation in, and understanding of, the issues across the business is critical and employers are therefore likely to need Legal, HR, IT and Compliance teams to take an integrated approach.

Red flags for employers

The most important issues for employers, potentially involving changes to existing practices and/or new and significant administrative burdens, will include:

  • Grounds for processing employee data need to be audited: Employers will need to carefully consider the basis on which they process employee data. Employee consent to processing will almost certainly be invalid in the employment context, and, in any event, can be withdrawn at any time. Grounds which have been historically relied on, such as the employer having a legitimate interest in the data processing, will be subject to challenge due to a new right for employees to object to processing on this ground which cannot be overridden unless the employer has compelling legitimate grounds for the processing.
  • Data subject access requests will be easier for employees:  Employees will be able to make data subject access requests without restriction and without payment of a fee, unless the requests are manifestly unfounded or excessive. Employers must respond without ‘undue delay’ and no later than 1 month (subject to a 2 month extension for complex/multiple requests). At present, there are no exemptions (even on the grounds of legal privilege) which an employer can rely on to avoid provision of the employee’s personal data.
  • Extensive information will have to be given to employees when obtaining personal data: An administratively onerous net is cast over employers with the requirement to provide an extensive list of information to employees at the point when employers obtain their personal data.
  • Routine criminal records checks may not be allowed: Employees may have to review any policy of routinely conducting standard (ie not enhanced) criminal records’ checks. Under the new regime this appears to be unlawful on the basis that there is no requirement under UK law to carry out these checks.
  • Employees have new rights to erasure and rectification of their personal data: Employers must promptly erase an employee’s data if one of a number of ground applies, including that the data is no longer necessary for the purpose for which it was collected. Where data is alleged to be inaccurate, employers will also have onerous responsibilities to check and rectify the data and will be restricted as to how it is used in the interim.
  • Employees have the right not to be subjected to automated decision making: Unless it is necessary for entering into, or performance of, a contract between the employer and employee, is authorised by EU or UK law or is based on the employee’s explicit consent, employees have the right not to be subject to automated decision making, including profiling if it impacts on them legally or significantly. This is likely to apply to matters such as automated shortlisting; performance management triggers for sickness absence; attendance bonuses; holiday or shift rostering. Employers will therefore need alternative mechanisms for decision making if challenged.
  • Employers must notify any data protection breaches within 72 hours: Employers will have to notify the relevant national data protection authority (in the UK, the ICO) within 72 hours of becoming aware of a data protection breach resulting in unauthorised loss, amendment or disclosure of data, unless the breach is unlikely to result in a risk to the rights of the employees. If there is a high risk to employee rights employers will also have to promptly communicate the breach to the employees individually.
  • Employers must be audit ready at all times: Employers are expected to set up systems in a way which ensures compliance by design and default – restricting the data, use and access. The onus is on employers to prove compliance and they must keep records and have policies in place to demonstrate that.
  • Data protection standards may be ‘ramped up’: The long awaited harmonisation arrangements mean national supervisory authorities will be required to co-operate, assist each other in performing their tasks, provide mutual assistance and to actively take steps to achieve consistent application throughout the European Union. On the basis that it is unlikely that member states with stringent laws on data processing will want to compromise their protection, this may lead to a ‘ramping up’ of data protection across Europe to the highest denominator. The concept of lead supervisory authorities for cross-border processing is also being introduced which may be administratively beneficial for multi-national organisations; however, as the national supervisory authority will remain competent in a number of circumstances, it will remain to be seen how effective having a lead authority is in practice.
  • Transfers of data to third countries may be easier: Under the new regime, personal data may be transferred to a third country or an international organisation where there is a Commission finding of adequacy, if appropriate safeguards are in place eg binding corporate rules or standard contractual clauses adopted by the Commission or the ICO, or if one of a number of prescribed derogations is met. The recent impact of the Schrems case (which declared the Safe Harbour regime ineffective) will therefore potentially be resolved if the EU-US Privacy Shield is given a final finding of adequacy.
  • Sanctions are extremely onerous: Infringements relating to matters including the basic principles for processing (including conditions for consent) and the rights of data subjects will attract maximum penalties of €20,000,000 or 4% of total worldwide annual turnover, if higher.
  • Appointment of a DPO may be required: must do so if they are a public authority, are required to do so by local law or have core activities which require regular and systematic monitoring of individuals on a large scale or they carry out large scale processing of sensitive data or criminal records. The DPO is expected to be an expert in data protection law and will have significant responsibilities in ensuring compliance with the GDPR.With the regulation expected to enter into force in 2018 (and no need for national implementing legislation), employers would be wise to use this lead-in period to fully analyse their existing data processing habits, question what data collection and processing is truly necessary for the employment relationship and introduce new policies and procedures to manage the data.

With the regulation expected to enter into force in 2018 (and no need for national implementing legislation), employers would be wise to use this lead-in period to fully analyse their existing data processing habits, question what data collection and processing is truly necessary for the employment relationship and introduce new policies and procedures to manage the data processing cycle so that they can enter 2018 with their house in order, fully equipped to address the data processing challenges ahead.

There is no doubt that the arrival of the GDPR is timely, coming at a point when information and communication technologies now underpin all aspects of the employment relationship and when employee awareness of individual privacy rights is high. Employers who have previously taken a more pragmatic view of compliance for employee data, prioritising protection of consumer and customer data instead, can no longer afford to do so.

For general information on data protection issues, view DLA Piper’s GDPR website and Privacy Matters blog.

Permanent link to this article: http://www.dlapiperbeaware.co.uk/new-european-data-protection-rules-will-have-significant-impact-on-employers/

Brexit: what are the implications for employment law?

The possibility of a UK exit from the EU – colloquially known as a Brexit – is high on the political, business and media agenda. On 23 June the UK will hold an in/out referendum to determine whether we should remain a member of the European Union. Whatever the result, the vote is a historic moment, which could have seismic implications for the economies of many European countries and transform the UK’s future role in world affairs. Against this backdrop, the impact of a Brexit on UK employment law is a relatively minor issue in a much wider debate, but bears consideration. What are the key questions for employers?

The legal implications of a Brexit turn on both the mechanics of exit and the model for any replacement UK / EU relationship, both of which are currently unknown.  We do know that any formal exit would not happen for at least two years following a vote to leave. In the event of an ‘out’ vote, the UK would invoke Article 50 of the Treaty on the European Union and notify the European Council that it intends to secede from the EU; a controlled and negotiated process developing over the following two years would follow. In the immediate aftermath, therefore, a vote to leave the EU is unlikely to have a significant impact on UK legislation.

Following a vote to leave, there would be a number of options for the future relationship between the UK and the EU, including:

  • The Norwegian model: Membership of EEA and EFTA (access to the single market);
  • The Swiss model: Member of EFTA; many bilateral agreements;
  • The Turkish model: join the EU Customs Union, access the EU market under WTO rules; and
  • Possibly, a bespoke UK model.

It is possible that the UK would seek to follow the Norwegian model and become part of EFTA and the EEA in order to continue favourable trading relations with countries in Europe.   As part of this organisation,  under its current rules,  the UK would remain subject to most aspects of EU social and employment policy given that EEA member states are bound by, for example,  the Acquired Rights Directive,  the Collective Redundancies Directive,  the Working Time Directive and the Agency Workers Directive. This would have a knock-on impact on the UK courts as the EFTA Court (which fulfils the judicial function within the EFTA system, interpreting the EEA Agreement with regard to the EFTA States) is bound by ECJ case law.  As such,  ECJ case law would continue to have a significant influence in the UK courts. In this scenario, the impact on UK employment law would be likely to be minimal in the short to medium term.

The Swiss model is unlikely to be an attractive option, as it involves complex negotiation of bilateral trade agreements, under which the EU would be likely to require the UK to adhere to many aspects of EU employment policy.

In the event of an alternative relationship, the UK Government may have more freedom to depart from EU social and employment policy, although that may come at a cost. A Brexit would make it more difficult to recruit individuals from and move them within Europe and, as such, the talent pool available to UK business would diminish.  Visa requirements could make it difficult to bring overseas talent and skills into the UK and individuals may prefer to be located within the EU given the unrestricted movement that would afford to them.   This impact would be felt across a range of sectors including, for example,  financial services,  technology,  hospitality and construction. Depending on the relationship negotiated, however, legislation could remain largely stable, with implemented Directives and existing Regulations remaining (even then, treaties would still be affected and the Supreme Court would become the highest court for interpretation). Alternatively Regulations could fall away but Directives already enacted in domestic law remain.  EU driven domestic legislation might be replaced on a case by case basis – although presumably not without sufficient warning.

The UK Government would be unlikely to fully repeal existing employment laws which implement EU requirements for a number of reasons including that:-

  • A raft of wholesale changes to employment law would lead to unwelcome confusion and uncertainty for employers as well the potential for significant cost in complying with a revised regime
  • Many of the rules which flow from Europe reflect accepted standards of good industrial relations;   for example, requiring employers not to discriminate and providing for rest breaks and paid holiday;
  • Even if it leaves the EU, it is expected that the UK will nonetheless remain in a significant trade relationship with the rest of Europe (whether as an EFTA member of the EEA or through bilateral trade agreements).   Any of these relationships will only be possible if the UK retains a playing field which is largely level with the rest of the EU in terms of employment law regulation; A far more likely outcome of a Brexit therefore is that the UK employment law regime is left largely as is, but that the Government legislates to remove or change some aspects of the existing regulation which are particularly unpopular with British employers.   The main examples of EU employment regulation cited by UK business as burdensome and which would therefore be likely to change are (i) the inability to harmonise employment terms after a business transfer; (ii) the requirement to ensure pay parity for agency workers after 12 weeks; and (iii) various aspects of the working time rules including record keeping and holiday pay.

In terms of ECJ case law, even assuming a full exit of the UK from the EU and no continuing EEA/trade relationships (which is unlikely),   UK employment tribunals would not be able to immediately completely ignore pre-existing ECJ case law.   ECJ judgments subsequently become incorporated into UK law, either by legislation being amended to take an ECJ ruling into account or through the a UK court following the ECJ’s stance in its own case law, as it is currently obliged to do.     The UK system of precedent means that past decisions remain binding on the lower courts and, even if there is a full exit from the EU, it will be largely impossible for an employment tribunal to depart from existing case law.   This will only change gradually over time, if and when the higher courts (EAT, Court of Appeal or Supreme Court) reconsider and change the established position on any particular aspect of employment law as a result of no longer being required to apply ECJ judgments. Further,   as referred to above, rather than the UK making a wholesale move away from its existing employment law regime post-Brexit, it is more likely to tinker with existing laws which will, therefore, mean that many aspects of our regulation would remain based on EU directives.   In these circumstances, the UK courts are likely to continue to view judgments of the ECJ as being persuasive in authority, albeit not binding.

If the ultimate outcome is that the UK becomes a member of the EEA, we would continue to be bound by both the Acquired Rights Directive and the Agency Workers Directive.   As such, the scope for changing the UK’s rules in these areas would be extremely limited although the Government may make moves to change those aspects of the UK implementing regulations which, arguably, “gold plate” the strict requirements of the relevant EU directives.Assuming a full EU exit, no EEA membership and no trade agreements,   technically the UK Government would be free to amend or repeal the TUPE and Agency Workers regimes in their entirety.   In reality, however, this is an unlikely outcome.   A large number of existing commercial agreements, particularly outsourcing arrangements, are based on the understanding that TUPE will apply to transfer staff in the event of a business change.   Removing this regime or changing it significantly would risk causing chaos and creating uncertainty for the business community and, as such, would not be a welcome measure.   Although the Agency Workers legislation is arguably less popular with employers,   entirely removing the protections for this category of workers, which have started to become embedded in the UK’s employment law landscape, would be politically difficult and would be likely to face strong resistance from the Trades Unions.   Watering down, rather than removing, agency worker rights is therefore a more likely outcome.

The UK’s legal system has become tightly enmeshed with that of the EU, and the unravelling process in the event of Brexit is likely to be long, complex and expensive. If the UK does vote to leave on 23 June, it is likely to be a long time before the full implications of Brexit become clear.

 

 

Permanent link to this article: http://www.dlapiperbeaware.co.uk/brexit-what-are-the-implications-for-employment-law/