Employers seeking to purchase background checks on individuals from the European Union will now need to obtain three separate signed forms from that European citizen: (1) a U.S. Fair Credit Reporting Act Disclosure; (2) a U.S. Fair Credit Reporting Act Authorization; and (3) a European Union Data Transfer Consent. To understand why, one must understand the data privacy protection laws in Europe.
In Europe, there are three levels of law protecting an individual’s data. At the top level is the Data Protection Directive issued by the European Union. This Directive requires Member States (e.g., France, Ireland, and Germany) to enact legislation that protects the fundamental privacy rights of the individual. This Member State legislation constitutes the middle level of the data privacy laws. Although these various laws among the European nations are similar, each has its own distinctive traits. And at the bottom level of this hierarchy, each Member State has a Data Protection Authority, which is an independent government agency responsible for enforcing the data privacy legislation.
The Data Protection Directive requires that the Member States prohibit the transfer of personal data to a third country unless that third country ensures adequate levels of protection of the data. This is known as the Safe Harbor Provision. Back in 2000, the European Commission determined that the Safe Harbor scheme adopted by the United States ensured an adequate level of protection for data transferred from the EU to the U.S. However, in 2014, an Austrian citizen by the name of Maximilian Schrems filed a complaint with the Irish Data Protection Commissioner arguing that his personal data hosted by Facebook in the United States was not adequately protected in light of the revelations made in 2013 by Edward Snowden regarding the activities of the United States National Security Agency (“NSA”).
This complaint made its way to the European Court of Justice to determine whether the Safe Harbor scheme adopted by the United States provided sufficient protection to the personal data of European citizens. In an opinion issued on October 6, 2015, the Court of Justice concluded that, since the NSA has general, unlimited, and unsupervised access to personal data here in the United States, adequate protection was not provided to Mr. Schrems’s Facebook data. In light of this conclusion, the Court directed the Irish Data Protection Commissioner to determine whether the transfer of data of Facebook’s European subscribers to the United States should be suspended on the ground that the U.S. does not afford an adequate level of protection to that data.
In response to this decision, some Data Protection Authorities in the Member States are determining that data cannot be safely transferred to the United States. Fortunately, there is an exception: the Data Protection Directive does permit data to be transferred from Europe to the United States when the Data Subject gives his unambiguous consent to the transfer of data. And ESS has always utilized the permission of the Data Subject (i.e., the applicant for employment) when obtaining past employment, criminal, and education history from EU nations. But, considering the concerns of the Court of Justice, ESS believes it will be wise to provide an enhanced, separate, clear and comprehensive disclosure to the Data Subject about the nature of the data transfer and the objections made by the Court of Justice, and to obtain the agreement of the Data Subject to a transfer of the data notwithstanding.
Accordingly, going forward, ESS will require those clients wishing to purchase background checks on individuals with European Union personal data to use a separate, clear, and comprehensive consent form, in addition to the two current forms. Please feel free to reach out to ESS’s Client Care team to obtain a copy of an exemplar EU Consent Form at results@es2.com.