Pictured: An H&M retail store in Leeds, West Yorkshire, UK. (Mtaylor848/ Wikimedia Commons)

German regulators fined Swedish apparel retailer H&M Group roughly $41.5 million for gratuitously collecting personal data on its employees at a company service center in Nuremberg – sending a clear message to all businesses that privacy guidelines extend to their own workforce.

The Data Protection Authority (DPA) of Hamburg said that the penalty – so far the second-largest a company has ever been issued under the statutes of the European Union’s General Data Protection Regulation (GDPR) – was the result of years of inappropriate worker data collection that was only discovered after a data leak.

But while some experts call the actions of H&M leadership blatant disregard for the law, GDPR infringement by companies may be far more widespread than many realize. SC Media spoke to a number of privacy and cybersecurity experts, who said businesses often treat information about their own employees differently than that of customers, which could place them squarely in violation of privacy regulations.

“Companies are often focused on customer data, more so than employee data processing,” said Alex van der Wolk, co-chair of Morrison & Foerster LLP’s Global Privacy & Data Security Practice. “This has everything to do with the fact that employee data processing has traditionally been straightforward – focused on compensation, HR administration.”

But as more and more initiatives emerge that involve the processing of employee data, consideration has to be paid to privacy.

Privacy of the employee trumps the interests of the company

In the case of H&M, for example, supervisors at the Nuremberg facility conducted “Welcome Back Talks” with employees who took vacations or sick leave, according to an announcement from the Hamburg Commissioner for Data Protection and Freedom of Information. A range of information was recorded by supervisors, including symptoms of illness and diagnoses, as well as family issues and religious beliefs. Some of this information was digitally stored and partly readable by up to 50 other managers throughout the company. The information was also used to help evaluate employee performance – an activity that violated the employees’ civil rights, the agency concluded.

The issue is not a lack of understanding about the regulation, said Mary Hildebrand, chair of Lowenstein Sandler LLP’s Privacy & Cybersecurity Practice. Companies are well aware that employees are covered under GDPR and have “the same rights under applicable data protection laws as revenue-generating customers.” What is lacking, she said, “is appropriate follow-through and implementation of these policies to ensure that employee privacy rights are respected.”

Hildebrand believes H&M knowingly violated the guidelines for years. But for many businesses, mishandling of data can come from fragmented operations. For example, the human resources department is typically in charge of employee data, and HR has its own structure and reporting system.

“This is often due to the overlap with labor and employment laws,” said Francois Gilbert, founder and CEO of DataMinding. By comparison, “personal data of outsiders such as customers, prospects or business associates and partners are usually handled by a separate department, which may be [legal], marketing and sales, or IT and security.”

Also complicating matters is the law itself. GDPR’s Article 6 states that the processing of individuals’ data is legal if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,” except where such interests are overridden by the interests or rights and freedoms of the individual.

That can be open to interpretation. In the eyes of the business, employee data, which could offer input on employee performance, may indeed factor into the interests of the company.

“It is not surprising that a business entity would view it as in their legitimate interest to collect and process personal information of employees within the framework of the company’s needs,” said Gilbert. “However, this legitimate interest is not absolute. There should be a balancing test: the (financial) interest of the company must not override the privacy interest of the employees,” as stated in the law.

This latest ruling could act as a strong deterrent against employee data mishandling, also spurring more diligence in oversight. Gilbert said the reported facts of the case “show excessive practices,” adding that the Hamburg DPA “has been known for taking strict positions regarding the protection of personal data.” Van der Wolk also noted a “tendency by German DPAs to issue high fines in recent years” in an attempt to crack down on irresponsible data collection and management.

For instance, the Berlin Commissioner for Data Protection and Freedom of Information in October 2019 fined the German real estate company Deutsche Wohnen 14.5 million euros.

Making up for past mistakes

H&M’s missteps first came to light in October 2019 when the data became accessible companywide for several hours due to a configuration error. Employees who worked at the facility for at least one month since GDPR took effect in May 2018 will be compensated by H&M.

In its own press release, H&M said it “takes full responsibility” and apologized for “processing employees’ personal data that were not in line with H&M’s guidelines and instructions.” Additionally, the company said it has launched a comprehensive action plan designed to “improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment and continue to train and educate both staff and leaders in this area.”

Steps taken include managerial changes, data privacy and labor law training, revised instructions for supervisors, the creation of a new data protection coordinator role, enhanced data cleansing processes and the improvement of IT solutions designed for compliant data storage.

“H&M has generated an impressive list of to-dos in an effort to compensate for egregious and illegal data collection and processing activities,” said Hildebrand. “The key question may be whether H&M senior management and the [data protection officer] have the intent, drive and integrity to properly implement these measures, monitor compliance, and take appropriate action as needed.”

Indeed, Gilbert said that the mishap at the H&M Nuremberg branch “might be a symptom of deeper problems at a larger scale” – and thus it is “wise to take the time to stop and analyze what happened, why it happened, and what must change moving forward.”

“Addressing data privacy within a company often entails awareness raising and sometimes a change in culture,” said van der Wolk. “This is not something you can fix with just a policy or with a simple piece of technology or tools. It’s something that needs to be lived and addressed in every communication.”