Do International Privacy Rules Apply to You? Read This Before You Say No

You head HR for a regional hospital that has a 21st century career site and a vigorous branding and outreach program. Your jobs are posted to one of the major job boards, to niche and diversity sites, and to the free distribution services.

You follow all the rules, keep great records, and even passed an informal EEOC inquiry a couple years ago.

But lurking in your ATS is proof you’re breaking the laws of Germany, or maybe France, or possibly Canada. Maybe all of them. You never wanted those resumes (CVs, if you prefer), wouldn’t sponsor the candidates, and had no interest in hiring anyone from outside the region, let alone the United States. But now that you have applicants from countries with tough privacy laws, you are bound to follow them.

Dr. Donald Harris

“Some companies assume that because they do not have a physical operating presence in Europe or Canada that such privacy laws do not apply to them,” says HR privacy expert Dr. Donald Harris. “This is an erroneous and risky assumption.”

President and founder of HR Privacy Solutions, Harris advises companies on complying with U.S. and international laws regarding the collection and use of employee information.

Even a company with no physical presence in a foreign country may be bound by its laws, he says, should it recruit there. As you can see from the hospital example, recruiting doesn’t have to be active in order for the rules to apply. Receiving a single resume from a foreign national is enough to trigger the application of the privacy rules of the job seeker’s country.

“We are living in a global world, so things are changing,” Harris says, explaining that the privacy rules of the European Union and its member countries are designed to protect their citizens’ personal information. “The Europeans don’t want to see their laws ignored.”

What keeps our HR hospital executive out of hot water is that no country is actively pursuing such minor violations as storing CVs beyond the legal limit, or not providing the individual the right to delete their resumes at will. “Enforcement is very difficult for them,” Harris conceded. The U.S. has no treaties or reciprocal agreements with other countries on these issues, so the impact of foreign rules is muted.

But, warns Harris, “While regulators may have considerable difficulty in enforcing the laws with a foreign company, the laws do apply and international cooperation amongst privacy regulators is increasing. After all, what self-respecting government would allow the Internet to provide a free pass for circumventing its laws relating to privacy, employment, or a host of other areas?”

While the hospital in our example may never open a clinic in a foreign country, or otherwise do business there, a manufacturer might. So might other companies.

“One really has to look at where a company is going” before it decides to ignore foreign rules, Harris observes. If in the future it does decide to go global, its past transgressions could exact a cost.

“And even apart from the legal issues,” says Harris, “is showing ignorance or disregard of local laws and expectations about personal information a smart way to go about recruiting someone?”

So what could our fictional hospital do to avoid breaking foreign privacy rules? Here are some simple steps:

  • Use pre-application questions that include a geographic qualifier;
  • Discard applications from foreign countries upon receipt;
  • Make sure your site has a privacy statement that says what you will be doing with the collected information. Harris recommends that companies that are doing business globally take a look at Boeing’s privacy statement for guidance;
  • Review what the European Union says about HR data collection.

In the October issue of the Journal of Corporate Recruiting Leadership we discuss this and other international privacy concerns with Harris and offer his insights on the trends in HR privacy. The Journal is available by subscription only.

John Zappe is the editor of and a contributing editor of John was a newspaper reporter and editor until his geek gene led him to launch his first website in 1994. He developed and managed online newspaper employment sites and sold advertising services to recruiters and employers. Before joining ERE Media in 2006, John was a senior consultant and analyst with Advanced Interactive Media and previously was Vice President of Digital Media for the Los Angeles Newspaper Group.

Besides writing for ERE, John consults with staffing firms and employment agencies, providing content and managing their social media programs. He also works with organizations and businesses to assist with audience development and marketing. In his spare time he can be found hiking in the California mountains or competing in canine agility and obedience competitions.

You can contact him here.


1 Comment on “Do International Privacy Rules Apply to You? Read This Before You Say No”

  1. As important as it is to follow applicable laws, if you are only recruiting individuals in the US and clearly state that you are only considering those legally able to work in the US, the issue of compliance is academic and impractical to even consider.

    More important is whether privacy and protection of an individual’s data, beyond the compliance is becoming more and more important to a quality prospect who is interested in your company and reluctant to become a candidate, in part, because of your stance on privacy.

    I believe that will do more to drive firms to adopt world class standards (in which the US is clearly lagging) than anything another country might or might not act on.
