I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”
It turns out that firms are required by law to check their employees names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like for instance paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.
On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.
Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.
So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?
According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aka’s he is also listed under in the UN list, but would chose an entirely new name instead. How about different spellings? After all, for an Arab speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spelling for Lybia’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?
As ist that wasn’t bad enough, you can try telling it the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation which funds Hamas or the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse — do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.
Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.
My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.