International labour law

Information Commissioner gets tough on GDPR infringements

British Airways (BA) and the hotel group, Marriott International, have received huge fines as a result of not protecting personal data to the standards required by the General Data Protection Regulation (GDPR). In the case of BA, over half a million customers were diverted to a fake site through which their details were captured by cyber attackers.

The UK Information Commissioner took the view that BA was not operating adequate security measures and fined the company £183.39 million. Similarly, in the Marriott case, the Information Commissioner considered the group’s inability to identify a cyber breach, which stretched back to 2014 and involved an almost inconceivable 339 million guest records, was proof of a lack of adequate security, and fined them £99.2 million.

The cases highlight how the new GDPR financial penalties are starting to bite (a maximum fine equivalent to 4% of the company’s worldwide revenue). In the case of BA, the fine represented 1.5% of the firm’s 2017 worldwide revenue. And it’s not just the UK: the French regulator CNIL fined real estate agent Sergic €400,000 for website vulnerabilities that allowed individuals to view the personal data of other users.

This is a timely reminder of the need to ensure that, in addition to privacy statements displayed on websites, businesses operate security measures with real substance to ensure personal data is processed without risk.

New Holiday Act

Businesses are readying themselves for the new Holiday Act. The Act will become effective from 1 September 2019. However, employers will have to prepare for the new rules far earlier due to the complexity involved.

Under the old Act, the accrual year and the holiday year were separate and this was held to be in contravention of the EU Working Time Directive on the basis that new employees were not able to take the mandatory 20 days of holiday in their first year of employment as required by the Directive.

The new Act remedies this so that the accrual year and holiday year run simultaneously – albeit on a slightly different basis. Holiday is accrued from 1 September to 31 August of the following year. It can be taken between 1 September and 31 December of the following year.

There will be a transitional period from 1 September 2019 to 31 August 2020 to avoid the risk of double accrual under the old and new systems. During this time all accrued holidays will be frozen and reported to the ‘Employee’s Fund for Residual Holiday Funds’ which will administer the holidays during the transition period. The effect is that the employee will not be able to use the holidays accrued in the transition period.

Given the complexities of the transitional arrangements, employers are advised to plan well ahead.

Macron’s ordinances under fire

In September 2017, President Macron undertook a controversial overhaul of the French Labour Code and one of the key outcomes was to cap the amount of damages awarded to employees for claims of unfair dismissal - i.e. where an employer terminates an employee without just cause.

Following implementation of the Macron scale of damages, there has been a mixed approach to their application. Some courts have declined to apply the scale on the basis that it is contrary to the provisions of the International Labour Organisation (Convention 158, Termination of Employment Convention 1982) and the Council of Europe (Article 24 of the European Social Charter). Both uphold the right to ‘appropriate’ compensation and the Macron scale works to deny an employee of this.

There is also a trend for employees to use alternative heads of claim in an attempt to increase the potential compensation awarded – therefore claims for unpaid overtime, data privacy, moral damages, and disputes around technicalities have all increased.

Many of the cases have been appealed. The first wave of cases is due to hit the Court of Appeal in the coming weeks with the hope that the current contradictory climate can be set straight with a clear precedent to be followed for future disputes.

Vacation carry-over

Under the terms of the German Vacation Act, any accrued but untaken vacation days at the end of the year are lost. Employees only have a right to carry over untaken accrual if prevented by sickness absence or business reasons from taking the vacation in the relevant year.

In late 2018, the Court of Justice of the European Union (CJEU) ruled that employers must notify employees of their outstanding vacation. Only after this notification would the balance be adjudged as expired if not used. It was left to the German Federal Labour Court to determine the mechanics of how this would work in practice – i.e. how the accrual would be carried forward, and whether the ruling would have retroactive effect to prior years.

The German court clarified that the unused accrual would simply be added to the new year’s entitlement to be used within that year (with the requirement again that the employee needs to be made aware of their balance and its potential expiry before the end of the year). They also confirmed that this right could be claimed for prior years where there was no expiry notification from the employer.

In order to get up to speed and avoid the potential for a huge rolling liability it is suggested that employers:

• determine total number of days of untaken accrual for the current and prior years of employment
• provide the employee with a clear statement that this balance will expire if not taken by the end of the current year.

This will ensure that the employer has caught up with its liabilities and block the potential for large pay-outs on termination.

Schrems Strikes Back – EU data transfers under threat …again

Six years ago, Maximillian Schrems brought about the demise of the US Safe Harbor system for US-bound transfers of EU data, successfully claiming against Facebook that, once in the US, there could be no guarantees that the data was being processed to the standards required by the EU given the US government’s powers of mass surveillance.

The CJEU found in favour of Schrems. The Safe Harbor scheme was disbanded and replaced by the US/EU Privacy Shield. At the same time, the European Commission confirmed that the EU Standard Clauses were still a legitimate basis for transfers of EU personal data to recipients located outside of the EEA. The Standard Clauses being a written agreement that contractually commits the overseas receiver to apply EU standards to their data processing.

Not content with seeing off the Safe Harbor regime, Schrems raised another complaint against Facebook with the Irish regulator this time focussing on the legitimacy of Standard Contractual Clauses and the new Privacy Shield. The Irish regulator referred the case to the CJEU who will give their binding opinion on the 12 December 2019 and a full decision in early 2020.

Should the CJEU find in favour of Schrems for a second time and kill off the Standard Clauses and the Privacy Shield, it leaves international businesses in a very difficult position indeed. How exactly can a business lawfully transfer data outside of the EEA without them?

EU – gig worker directive

In April 2019, EU ministers approved a directive to clarify and improve the rights of workers in the gig economy. Each Member State has three years in which to implement the directive. It is likely that, in the event of Brexit, the UK will implement similar legislation given the findings of the UK Taylor Report which has already looked into the same issues.

The directive covers a lot of old ground but is progressive in the following areas:

• introducing, in certain scenarios, a rebuttable presumption of employment which will make it more difficult for companies to defend
• better protecting the rights of casual employees to claim accrued annual leave when they end their contracts
• ensuring workers are not prevented from taking parallel assignments with other companies/agencies
• preventing the practice of long probationary periods to avoid provision of employment rights, capping the probation period to six months
• ensuring greater predictability of employment terms and working patterns for casual workers, with a requirement for the worker to be provided with a clear statement of particulars no later than seven days after commencing work.

We will continue to monitor developments as each Member State implements the directive into domestic legislation.

Labour leasing under scrutiny

As of 31 August 2019, the South Australian Labour Hire Licensing Act 2017 (the Act) will become law.

The Act regulates the use of labour leasing arrangements, whereby businesses provide workers to client companies to work within their business. A Professional Employers Organisation would fall within the provisions of the Act. The Act makes it unlawful for an end client to engage the services of an unlicensed provider of labour. The licensing arrangements demand that the applicant company abides by a series of laws and pays an annual licence fee.

All licenced business will be listed in a public register. Unlicensed providers of labour are at risk of a $400,000 penalty and/or three years’ imprisonment. The end client will also be subject to a fine of $30,000 for the use of an unlicensed supplier.

Currently there is no Federal Australian legislation on the subject, the South Australian legislation comes off the back of Queensland and Victoria implementing similar legislation and it is anticipated other States will follow suit.

Worker status – Uber drivers

The gig economy has focussed the spotlight on the true status of workers – are they employees or self-employed contractors? This is a question being played out across the world’s labour courts and most recently the Australian Fair Work Ombudsman (FWO) gave the matter another airing.

The heart of the issue is that large organisations, such as Uber, Deliveroo, Air Tasker etc. can deny their workers access to minimum employment standards and benefits, such as the Australian superannuation scheme. Common to most jurisdictions, Australia has a balanced scorecard test to determine true status that focuses on factors such as degree of control, regularity of payment and whether there is financial risk, whether there are fixed hours and whether there is an ongoing expectation of work.

Whether or not the existing Uber arrangement is a sham arrangement is a big deal given that the ‘employer’ can face fines of up to €54,000 for each infringement in addition to liability for back taxes, unpaid overtime, annual leave, sick pay etc.

Following a review that was two years in the making, the FWO took the surprising view that Uber drivers are in fact independent contractors and not employees. The crux of their decision was whether or not individuals were obliged to perform work on demand – if they were then this would point to a relationship of employment. The FWO scrutinised driver logs, driver contracts and payment terms, as well as holding interviews with a cross section of drivers. They determined that Uber did not operate sufficient control over the drivers for them to be considered employees.

The decision has been derided by Uber drivers and local unions who claim that Uber do indeed control the relationship. This could have wider implications for the rest of the gig economy.

New DIFC Employment Law

The new Dubai International Financial Centre (DIFC) Employment Law (Law No 2, 2019) will come into effect on the 28 August 2019. The new law is effectively an upgrade to existing Employment Law, and in the main is more employer-friendly with the following main headlines:

• parental leave for new fathers – 5 days’ paid leave will be available in addition to time off for ante natal appointments
• new grounds for discrimination - rights broadened to include harassment and victimisation
• reduction of sick leave from 90 days to 60 days - with only 10 days at full pay and 20 days at half pay
• recognition of settlement agreements as a means of terminating the employment relationship
• a six month limitation period on unfair dismissal claims.

Additionally, the DIFC has announced that it will replace the end of year gratuity with a defined contribution savings scheme (the DIFC Employee Workplace Savings Trust Scheme). The motivation behind the change is to allow employees to benefit from regular payments that can be invested throughout the period of their employment rather than receiving a single lump sum on termination of employment. The amount contributed should be on par with the amount payable under the existing gratuity system.

The DIFC is one of the biggest free trade zones in Dubai accommodating over 24,000 workers and is the hub for financial services companies operating in Dubai. Unlike many of the other Free Trade Zones the DIFC does not apply the terms of the UAE Federal Labour Law and this upgrade will align the DIFC laws more fully with the UAE Federal Labour Law.

Mandatory registration of Internal Committees for Sexual Harassment

Mumbai now requires mandatory registration of Internal Committees for Sexual Harassment.

Under the terms of the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 an Indian employer with ten or more employees must have an Internal Committee established to deal with issues of sexual harassment.

In addition, the government of Maharashtra has issued an order that requires employers operating in the city of Mumbai to register their Internal Committee with the local authorities. Again, the requirement applies only to employers who employ ten employees or more. The registration must take place prior to 20 July 2019.