European Union Data Privacy Laws Complicate Global Fleet Management
Web-based fleet management offered a vision of centralized global fleet management for multi-national companies. However, current (and possibly future) data privacy laws enacted by the European Union threaten to restrict the extent to which U.S. fleet managers can manage subsidiary fleets in Europe.
The law, known as the European Union Data Protection Directive, has a direct bearing on U.S.-headquartered fleets, even though it is not law in the U.S. The Directive creates strict rules on the transfer of data concerning European Union employees (past or present) to companies headquartered outside the European Union (EU).
The “data” covered by the Directive is information about EU employees that somehow identifies the individual by name or other means. The Directive creates rights for employees about whom information is collected. Each of the 25 national governments comprising the EU is allowed to implement the Directive in its own way. Entities that collect information must give EU employees notice explaining who is collecting the data, who will ultimately have access to it, and why the data is being collected. EU employees also have the right to access and correct data about themselves.
In the context of fleet management, this privacy protection involves a tremendous amount of personal data contained in MVR records, accident histories, drivers’ home addresses, phone numbers, names of spouses (if personal use is allowed), etc. Likewise, EU privacy laws inhibit the transfer of data about EU citizens to third parties, such as fleet management companies. Under EU law, the data subject (driver) must be explicitly informed of these plans and given the chance to object.
U.S. Privacy Laws Deemed “Inadequate”
Under Europe’s Data Protection Directive, the U.S. is considered to have inadequate protection for personal information. To facilitate transfers of personal information from Europe to countries whose privacy practices are not deemed “adequate,” such as the U.S., the European Commission and the U.S. Department of Commerce developed a “safe harbor” framework that allows U.S. organizations to satisfy EU requirements. The safe harbor eliminates the need for prior approval to begin data transfers, or makes approval from the appropriate EU member countries automatic. The decision by U.S. organizations to enter the safe harbor is entirely voluntary.
To participate, a U.S. company must self-certify annually in writing to the U.S. Department of Commerce stating that it agrees to adhere to the various safe harbor requirements, such as notice, choice, access, and enforcement. If a U.S.-headquartered fleet does not use a safe harbor, it runs the risk of violating EU privacy laws.
Among the safe harbor requirements are:
Notice: U.S. companies must notify EU employees about the purpose for which they collect and use personal information. They must provide information about how individuals can contact the U.S. organization with inquiries or complaints, and the types of third parties to which it discloses the information.
Choice: U.S. companies must give EU employees the opportunity to choose (opt out) whether their personal information is disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
Transfer to Third Parties: To disclose information to a third party, organizations must apply the “notice” and “choice” principles outlined above. When a U.S. company wishes to transfer the information on EU employees to a third party, such as a fleet management company, it may do so if it makes sure that the third party subscribes to the safe harbor principles.
Access: European employees must have access to their personal information held by a U.S. company and be able to correct, amend, or delete that information where it is inaccurate.
Under the Federal Trade Commission Act, a U.S. company’s failure to abide by commitments to implement the safe harbor principles would be considered “deceptive and actionable” by the Federal Trade Commission. The FTC has the power to rectify such misrepresentations by seeking injunctive relief and civil penalties of up to $12,000 per day.
“Anonymizing” EU Drivers
EU data privacy laws have made global fleet management a complicated endeavor. The best way to comply with these privacy regulations is to “anonymize” individual EU employee drivers. U.S. companies should make reasonable efforts to accommodate EU employee privacy preferences. For example, this includes restricting access to the data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required.
Global fleet management is more than managing vehicles.
Let me know what you think.