August 26, 2020
OSHA Publishes Frequently Asked Questions on COVID-19
On July 2, the Occupational Safety and Health Administration published a set of Frequently Asked Questions Related to COVID-19. The FAQs do not appear to provide any new guidance but are grouped by topic for easier reference and are more user-friendly as a result. Before publication of the FAQs, employers needing information had to visit multiple pages on the OSHA website and the website for the Centers for Disease Control and Prevention.
Highlights of the FAQs include the following:
The agency defers to CDC guidelines for many of the answers to the questions and is careful to note that the FAQs are not a standard or a regulation, and do not create any new legal obligations. This is consistent with the position that OSHA has taken in all of its guidance related to coronavirus. There has been essentially no enforcement action taken against employers for COVID-19-related violations. Employee complaints result in a letter to the employer requesting very specific information on what the employer is doing to address COVID-19, but on-site inspections are rare. As the crisis continues, and political and public attitudes change, OSHA’s policy may also change, especially in situations where an employer has a large number of COVID-19 cases and is not following CDC and OSHA guidelines. There are requirements, such as the General Duty Clause noted above, that OSHA acknowledges it could use as the basis for citations against such an employer. The agency has successfully used the General Duty Clause to cite employers in cases involving workplace violence and heat stress, which have resulted in far fewer employee fatalities than coronavirus.
Guidance Clarifies COVID-19 Testing Coverage Requirements for Employer Health Plans
Employers have more clarity on COVID-19 testing coverage requirements—including new details on at-home tests, return-to-work testing, and out-of-network pricing—under new guidance that the U.S. Department of Health and Human Services (HHS), U.S. Department of Labor (DOL) and the U.S. Department of the Treasury jointly prepared.
The guidance—in the form of frequently asked questions (FAQs)—further interprets testing requirements that originally appeared in the Families First Coronavirus Response Act (FFCRA) and that were expanded in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
The FFCRA requires group health plans to cover U.S. Food and Drug Administration (FDA)-approved COVID-19 tests and services related to the furnishing or administration of the tests on a first-dollar basis, meaning before a participant’s deductible is met and without requiring any other cost-sharing such as copayments or coinsurance. In addition, plans may not impose medical management requirements such as prior authorization on tests and related services. These requirements took effect March 18, 2020, and end when the national emergency period ends. The CARES Act later expanded the scope of covered COVID-19 tests to include tests:
The FDA maintains a list of tests that have received FDA emergency use authorization and a list of states that have authorized COVID-19 tests. Previous DOL guidance clarified that the federal requirements covered serological (antibody) tests. Under the CARES Act, plans must also reimburse providers for COVID-19 tests at either a negotiated rate or the cash price, which providers are required to publish on a public website.
The new FAQ guidance, released June 23, 2020, provides a number of clarifications to the COVID-19 testing coverage requirement:
CDC Issues COVID-19 Testing Strategy Guidance for Workplaces
On July 3, 2020, the U.S. Centers for Disease Control and Prevention (CDC) issued new guidance entitled “SARS-CoV-2 Testing Strategy: Considerations for Non-Healthcare Workplaces.” The new guidance recommends incorporating COVID-19 testing in five scenarios: (1) testing individuals with COVID-19-related symptoms; (2) testing asymptomatic individuals with a recent known or suspected exposure in order to control transmission; (3) testing asymptomatic individuals without a recent known or suspected exposure for early identification in special settings; (4) testing to determine when an individual may discontinue home isolation; and (5) testing for public health surveillance.
(1) Testing Symptomatic Individuals
The most relevant scenario for most employers is testing employees determined to be exhibiting COVID-19-related symptoms, such as when symptoms are identified during daily screening before employees enter the workplace. The CDC guidance suggests that employees with symptoms should be immediately separated from others and sent home or to a healthcare facility. If the employee tests positive, the employee should not come to work and should isolate at home until the employee satisfies the CDC’s criteria for discontinuing home isolation.
(2) Testing Individuals Exposed to the Virus
In addition to testing symptomatic employees, the CDC guidance envisions the use of viral testing of those in close contact with someone who has COVID-19 (e.g., in the non-healthcare setting, other employees who were within 6 feet of an infected employee for 15 minutes or longer). In this context, the CDC notes that such testing is often initiated by or conducted in consultation with state or local public health authorities. In addition, the CDC notes that “there may be a delay between the time a person is exposed to the virus and the time that [the] virus can be detected by testing, [and] early testing after exposure at a single time point may miss many infections.”
(3) Testing Individuals Who Haven’t Been Exposed to the Virus
The CDC suggests that a third application for COVID-19 testing is to help identify asymptomatic infected employees without any known or suspected exposure, particularly in workplaces where social distancing is difficult, remote settings where medical evaluation and treatment may be delayed, certain critical infrastructure settings, and workplaces that provide congregate housing to employees (such as fishing vessels, offshore oil platforms, and farm housing). In those scenarios, the CDC states that employers may consider different testing approaches, such as “initial testing of all workers before entering a workplace, periodic testing of workers at regular intervals, and/or targeted testing of new workers or those returning from a prolonged absence.” The CDC recommends that employers “have a plan in place for how they will modify operations based on test results and manage a higher risk of false positive results in a low prevalence population” prior to testing large portions of a workforce.
(4) Testing for Discontinuing Isolation
The fourth application for testing is to determine when an employee may safely discontinue home isolation (e.g., return to work). In this context, the CDC states that the determination of whether to use a symptom-based, time-based, or test-based strategy should be “made in consultation with healthcare providers and public health professionals.” (Note: Some state and local governments and public health authorities specifically advise against or even prohibit using a test-based strategy.) Notably, the CDC appears to soften its previous admonition that employers should not request a doctor’s note or test results in order to return an employee to work. In the new guidance, the CDC acknowledges that under the Americans with Disabilities Act (ADA), “employers are permitted to require a healthcare provider’s note to verify that employees are healthy and able to return to work.” Nevertheless, the CDC continues to warn that such documentation may be difficult to acquire from certain providers that “may not be able to provide such documentation in a timely manner.”
(5) Testing for Public Health Surveillance Purposes
The CDC states that COVID-19 testing also may be used for public health surveillance purposes in order to detect transmission hot spots or better understand disease trends in a workplace. According to the CDC, “[t]hese goals are consistent with employer-based occupational medicine surveillance programs[, which] may use testing to assess the burden of SARS-CoV-2 in the workforce…or evaluate the effectiveness of workplace infection control programs.” While the CDC notes that surveillance “should only be undertaken if the results have a reasonable likelihood of benefiting workers,” this scenario may be premature for consideration by employers absent further guidance from the U.S. Equal Employment Opportunity Commission (EEOC). At present, the EEOC’s guidance has approved of COVID-19 testing only in the context of determining if employees are safe to enter the workplace, and it is unclear whether a “surveillance” testing program would be deemed lawful under the ADA.
In addition to the discussion of the above outlined scenarios, employers may find the additional takeaways from the CDC guidance noteworthy:
This new guidance is a welcome development for employers seeking further insight into how they may implement COVID-19 testing in the workplace. While a helpful overview, the guidance is relatively high-level and raises additional legal questions, such as whether and to what extent an employer may unilaterally implement a “surveillance” testing program in the workplace without violating the ADA. Employers considering testing may want to review these guidelines carefully and evaluate additional requirements and guidance from the relevant state and local governments and public health authorities prior to implementing any large-scale testing program.
Return to Work Guidance (COVID-19 – July Update)
As states across the U.S. adopt different reopening measures, the following list of state-wide orders on return to work protocols, face masks and employee health screenings will help you keep track of developments (dated 10 July 2020). Take a look at the recently published FAQs on COVID-19 by the Occupational Safety and Health Administration (OSHA). The FAQs consist of existing guidance which has now been consolidated in one place. We also look at various interstate travel restrictions which are being enforced and best practices for critical workers travelling to and from “hot spot” states.
Employers are facing fresh challenges as lockdown restrictions are lifted in the UK. Here is a breakdown of the upcoming changes for employers to be aware of as employees return to work, including statutory sick pay and travel and quarantine requirements. We also take a look at how a return to work plan will affect vulnerable people and how best to deal with employee concerns.
The Health and Safety Executive (HSE) has urged businesses to ensure that their organization is COVID-19 secure and has published a list of areas in which businesses commonly fall short. Take a look at the press release from the HSE here. Find out which COVID-19 testing options are available to employers and businesses, what they can actually tell you and what arrangements to make to carry out the testing.
Ontario has taken a regional approach to enter Stage 3 of reopening on 17 July 2020. Here are further details on what this means for the province, including which places will remain closed and what the rules are around gatherings.
The state of health emergency came to an end in France on 10 July 2020. Find out more about what the country is doing to return people to work and its “individualized partial activity” approach.
In Brazil, the Ministry of the Economy and the Ministry of Health published Joint Ordinance Number 20, which sets out measures which employers are required to implement to reduce the risk of COVID-19 transmission in the workplace. These measures apply to those businesses that have remained open, rather than for those businesses looking to reopen. The full text of the ordinance can be found here (in Portuguese).
This Won’t Hurt a Bit: Employee Temperature and Health Screenings – A List of Statewide Orders, as of July 10, 2020
Governors and public health officials across the country have implemented stringent measures to help contain the spread of COVID-19, such as safer at home and face covering mandates. Some jurisdictions also require employers to screen the health of employees, often as they begin a shift. These health screening steps, including temperature checks, are becoming more common as states further reopen their economies.
This post, current as of July 10, 2020 at 8:00 a.m. (CDT), covers statewide laws and orders that require employers to take employees’ temperatures and/or conduct other employee health screening procedures, such as asking employees about any COVID-19-consistent symptoms using a questionnaire or checklist. This chart covers only generally applicable requirements and does not cover the heightened requirements applicable to certain types of employees, such as healthcare workers; public health workers; long-term care, assisted living, and nursing home workers; first responders; and law enforcement. We will update this list regularly but expect it will become outdated quickly as new announcements are made.
Note that this list does not include temperature or health screening requirements at the local level. If you would like more information, please contact your Littler attorney for additional resources that summarize such requirements at both the state and local level.
In addition, this post does not address other significant issues related to employer screenings of employee health, including potential wage and hour, discrimination, and privacy concerns. As a result, employers should consult with counsel for details on additional orders that may apply to their operations and for guidance on related legal questions.
Gov. Wolf Signs Senate Bill 637, Easing Restrictions for Pennsylvanians with Criminal Records to Reenter the Workforce
Governor Tom Wolf signed Senate Bill 637 on Wednesday, aimed at assisting people with criminal records to reenter the workforce in Pennsylvania. The bill, now signed into law, removes some job licensing barriers to Pennsylvania workers with a criminal record. According to the Wolf administration, one in five Pennsylvanians needs an occupational license to work. As of Wednesday, boards and commissions are not allowed to deny someone employment based on their criminal history unless their prior offenses are related to that particular line of work. Additionally, if boards and commissions do have stipulations about granting a job license to someone based on certain prior criminal offenses, that information will have to be publicly available. Boards are also asked to consider other factors of the applicant before deciding based on their criminal record and are requested to provide a preliminary decision to applicants so that applicants can present evidence to support their case for a license. Juvenile records or convictions expunged by the Clean Slate Law may not be considered by boards and commissions’ decisions to grant an occupational license. However, sexual offenders will still not be permitted to work as healthcare providers.
Virginia Adopts First-in-Nation COVID-19 Workplace Safety Rules for Employers
On July 15, 2020, the Commonwealth of Virginia’s Safety and Health Codes Board, in response to an executive order from Governor Ralph Northam, adopted emergency COVID-19 workplace safety rules for employers in Virginia, resulting in Virginia becoming the first state in the nation to adopt comprehensive workplace safety rules in connection with the pandemic. The rules, which are expected to become effective the week of July 27, 2020, will apply to all employers, employees, and places of employment that are under the jurisdiction of the Virginia Occupational Safety and Health program and will require employers to implement certain policies and procedures designed to mitigate risks relating to COVID-19 in the workplace.
“In the face of federal inaction, Virginia has stepped up to protect workers from COVID-19, creating the nation’s first enforceable workplace safety requirements,” Governor Northam said in a statement. “Keeping Virginians safe at work is not only a critical part of stopping the spread of this virus, it’s key to our economic recovery and it’s the right thing to do.” Some business groups, however, have expressed concerns that the new requirements could lead to confusion due to potential conflicts with current guidance, result in businesses being fined for failing to comply with certain restrictions by mistake, and impose additional cost burdens on businesses that are already struggling as a result of the pandemic’s economic impact.
The temporary rules seek to provide employers with flexibility to establish mitigation strategies that will eliminate or substantially decrease employee exposure to COVID-19 in the workplace. Requirements mandatory for all employers include the enforcement of physical distancing and notifying employees within 24 hours if a coworker tests positive for the virus. The rules also impose additional requirements on employers that present increased levels of risks associated with certain workplace hazards and job tasks.
The rules will expire six months after they become effective unless the Safety and Health Codes Board adopts permanent rules or repeals the temporary rules, or Governor Northam’s State of Emergency declaration expires prior to the end of such six-month period. Virginia’s Department of Labor and Industry will have authority to enforce the rules. Fines for violating the rules can range from $13,000 to $130,000 for repeat offenders.
Requirements for All Employers
Requirements applicable to all employers include the following:
Requirements for Employers with “Very High,” “High,” and “Medium” Exposure Risk
An employer will need to assess and classify its workplace for exposure risk, with the understanding that one workplace could have different levels of exposure risk (for example, in a healthcare setting, an employee intubating a known COVID-19 patient could be classified as “very high” risk, while an employee performing administrative work away from others could be considered “lower” risk). Employers with workplaces and job tasks deemed under the rules to have “very high,” “high,” or “medium” risk levels for COVID-19 are subject to more stringent requirements. Very high- and high-risk jobs generally include occupations in the healthcare or another field in which employees have direct contact with people known to have or suspected of having COVID-19. Medium-risk jobs are those not otherwise classified as very high or high exposure risk and that require “more than minimal occupational contact inside six feet with other employees, other persons, or the general public”; examples of jobs in the medium-risk category include poultry and meat processing, agricultural and hand labor, transportation, educational settings, restaurants, grocery stores, correctional facilities, gyms, and spas. Lower-risk job tasks are those not otherwise classified as very high, high, or medium that have minimal occupational contact with other employees, other persons, or the general public, such as in an office building setting.
Very high and high exposure risk jobs require employers to implement certain engineering controls, such as ensuring appropriate air-handling systems and installing physical barriers to the extent feasible, where such barriers will help mitigate the spread of virus transmission. Additionally, these employers must implement certain administrative and work practice controls, such as prescreening or surveying employees prior to each work shift to verify they do not have signs or symptoms of the virus and providing for telework and staggered shifts where feasible. Employers with very high and high exposure risk also will need to assess whether the COVID-19 hazards or job tasks necessitate the use of personal protective equipment and provide training for employees to recognize and minimize the hazards of COVID-19.
The rules applicable to medium exposure risk jobs also require employers to implement certain engineering controls relating to air-handling systems and the installation of physical barriers, to the extent feasible, that will help mitigate the spread of virus transmission, and, to the extent feasible, certain administrative and work practice controls, including prescreening or surveying employees prior to each work shift to verify they are not COVID-19 symptomatic and providing alternative work arrangements, such as telework and staggered shifts. Employers with medium exposure risk also will need to assess whether the COVID-19 hazards or job tasks necessitate the use of personal protective equipment.
Additionally, all employers with very high and high exposure risk and employers with medium exposure risk that employ 11 or more employees will need to develop and implement a written infectious disease preparedness and response plan within 60 days after the rules go into effect. This plan will need to, among other things, identify the name(s) or title(s) of the person(s) responsible for administering the plan (which persons must be knowledgeable in infection control principles and practices as they apply to the facility, service, or operation), address the levels of COVID-19 risk associated with the workplace and job tasks, consider contingency plans for situations that may arise from outbreaks, identify basic infection prevention measures to be implemented, provide for the identification, reporting, and isolation of employees known or suspected to have COVID-19, and address infectious disease preparedness and response with respect to third-party businesses and other persons accessing the workplace.
Virginia regulators are developing FAQs and other guidance on the rules to be made available to the public, which guidance likely will include materials to assist in classifying the exposure risks of job tasks, training employees, and developing an infectious disease preparedness and response plan. Venable will continue to monitor these actions, and we are available to provide clients with assistance in complying with the new workplace safety rules. We also can assist in developing monitoring and compliance systems to address regulatory and oversight obligations relating to COVID-19. Please find additional information about regulatory compliance and oversight obligations implicated by the COVID-19 pandemic here.
Ninth Circuit Addresses FCRA Standing Analysis and Emphasizes Importance of Remedial Measures
The Ninth Circuit recently issued an opinion addressing standing and willfulness under the Fair Credit Reporting Act (FCRA). In Ramirez v. TransUnion, the Ninth Circuit affirmed a jury verdict and punitive damages award, although it reduced those damages by a third. The court held for the first time that “each class member must have standing to recover damages,” but also found that the class members’ standing need not be demonstrated at the class certification stage and that the class members had standing even if their credit reports had not been shared with any third party. In addition, the court looked to a prior court ruling against the defendant involving the same issues in finding the violations were willful and warranted the award of punitive damages.
Sergio Ramirez alleged he was unable to buy a car because his credit report indicated he was on an Office of Foreign Assets Control (OFAC) terrorist watch list. TransUnion sent Ramirez a report without this information and with a conflicting letter indicating his name did match a name on the watch list. It turns out he was not on the watch list, but someone else with the same first and last name was on that list.
In 2012, Ramirez filed a lawsuit against TransUnion in the Northern District of California, seeking to represent a nationwide class of consumers whom TransUnion had falsely identified as being on the terrorist watch list, alleging willful failure to use reasonable procedures to prevent false positives and related claims. The court certified a class, and a jury then ruled against TransUnion on all claims, awarding the class approximately $8 million in statutory damages and $52 million in punitive damages. TransUnion appealed to the Ninth Circuit.
Ninth Circuit Decision
For the first time, the Ninth Circuit announced that “every member of a class certified under Federal Rule of Civil Procedure 23 must satisfy the basic requirements of Article III standing at the final stage of a money damages suit when class members are to be awarded individual monetary damages.” The court found that each of the 8,185 class members had standing regardless of whether a third party accessed their credit reports. Judge McKeown agreed that all members of a damages class should have standing at trial, but she dissented in part because no evidence in the record supported finding a “serious likelihood of disclosure.”
Willful Violation and Punitives
The Ninth Circuit rejected TransUnion’s arguments that its conduct was based on reasonable but mistaken interpretations of the statute. The panel relied heavily on an earlier Third Circuit decision addressing the same product, where that court rejected TransUnion’s argument that the product was not covered by the FCRA and explained how to reduce false matches. As the Ninth Circuit explained, “TransUnion was provided with much of the guidance it needed to interpret its obligations under FCRA with respect to OFAC alerts back in 2010,” but “[d]espite this warning, TransUnion continued to use problematic matching technology and treat OFAC information as separate from other types of information on consumer reports.” The court relied on TransUnion’s failure to implement the Third Circuit’s guidance in finding the FCRA violations were willful.
The Ninth Circuit characterized TransUnion’s delay in making policy changes as “reprehensible” in affirming the award of punitive damages. The court found the amount of the award was constitutionally excessive, though, and reduced it from $52 million to $32 million.
TransUnion’s petition for rehearing en banc was denied on April 8, 2020. On April 15, 2020, the court stayed its mandate for 90 days pending TransUnion’s filing of a petition for writ of certiorari.
The court emphasized that its decision did not change the showing required at class certification It noted that “district courts and parties should keep in mind that they will need a mechanism for identifying class members who lack standing at the damages phase.” Defendants should consider how this analysis impacts arguments in opposing class certification.
Willful Violations and Punitives
The court’s analysis underscores the importance of staying on top of court rulings, particularly at the appellate level. Although TransUnion had made some changes to its OFAC notifications in accordance with the Third Circuit’s Cortez decision, under the facts of this case, the Ninth Circuit appeared to find its actions to be too little too late. Courts and juries rarely award punitive damages in FCRA suits, but the prior appellate ruling and hot button terrorist watch-list topic appears to have made this case the exception.
9th Circuit: FCRA Claim Cannot Prevail Without First Providing Notice of Disputed Information
On July 14, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a group of defendants, including a credit reporting agency (CRA) and furnisher, after determining that a consumer plaintiff failed to adequately notify the CRA of an error on her credit report. According to the opinion, the plaintiff questioned the accuracy of certain information on her credit report and requested that these inaccuracies be investigated. Defendants investigated and corrected the inaccuracies and informed the plaintiff that if she further disputed the accuracy of the reported information, she could submit additional documentation to support her claim. Plaintiff continued to believe her credit report contained inaccuracies; specifically, she contended that the CRA was misreporting the date on which her bankruptcy was discharged. But rather than notify the CRA, she instead filed suit in federal district court alleging violations under the FCRA. The defendants filed for summary judgment which the district court granted, concluding that while “the date of the bankruptcy may have continued to be misreported after the conclusion of the reinvestigation,’ there was no genuine dispute of material fact on whether [the plaintiff] notified [the CRA] of that specific reporting error.” The 9th Circuit agreed, starting that because the plaintiff failed “to provide adequate notice of this reporting error” the scope of the defendants’ duties were limited. Moreover, the 9th Circuit held that a consumer cannot prevail on a “FCRA claim without first putting the [CRA] on notice of the information that is disputed.”
Supreme Court Issued Opinion in Seila Law LLC v. Consumer Financial Protection Bureau Resolving Question of Whether the Leadership Structure of the Consumer Financial Protection Bureau (CFPB) is Constitutional
In the 5-4 decision, the majority opinion, written by Chief Justice John Roberts, ruled that the CFPB leadership structure violates the Constitution’s separation of powers. Nonetheless, seven justices agreed this does not render the entire agency unconstitutional. The Court held that the provision in the Dodd-Frank Act providing that the CFPB director may only be removed by the President “for cause,” can be struck from the statute, and the agency may continue with a director that is removable by the President “at will,” which means, the CFPB director may be removed for any reason.
On July 16, the Court of Justice of the European Union Invalidated Decision 2016/1250 on the Adequacy of the Protection Provided by the EU-US Data Protection Shield
A decision by the European Court of Justice in Case C-311/18 (Schrems II) has invalidated the adequacy decision authorizing the Privacy Shield as a mechanism for transfers between the European Union and the United States. However, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.
Note that the Swiss-U.S. Privacy Shield is unaffected by the decision.
The U.S. Department of Commerce has issued the following statement in response to the decision:
“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”
See full opinion of the Court of Justice of the European Union at: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.
In Wake of the Schrems II Decision From the Court of Justice of the European Union (CJEU), Several EU Data Protection Authorities (DPAs) Have Issued Guidance Indicating How They Will Interpret and Enforce
The decision impacts international data transfers from the European Union (EU) to the U.S., invalidating the EU-U.S. Privacy Shield and calling for enhanced scrutiny of Standard Contractual Clauses (SCCs). The DPAs have taken varying stances on the validity of SCCs ranging from deeming SCCs “generally still valid” subject to case-by-case analysis (e.g., France and Denmark), to advising companies to cease transfers to the U.S. and switch to service providers located in the EU or a third country with an adequacy determination (e.g., the Netherlands). Click here to read about the decision and here for a list of the current DPA guidance.
European Data Protection Board (EDPB) Released FAQ Guidance in Response to Schrems II Ruling
The guidance addresses a range of topics, including the lack of a grace period for the ruling to take effect, and whether or not SCCs are a valid transfer mechanism. The EDPB states that “supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, [ ] have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.” The EDPB provides almost identical guidance regarding the use of Binding Corporate Rules (BCRs). Click here to read the EDPB guidance.
Baker McKenzie Releases Guide for Reopening Office in Latin America
The firm released a quick guide which includes six key topics when planning to reopen the workplace around 7 jurisdictions in Latin America. To access the guide, please click on the link below.
European Commission Conducting ‘Preparatory Work’ Should ECJ Invalidate Privacy Shield
In a long-awaited case on 16 July, the ECJ will rule on whether Standard Contractual Clauses (SCCs) are a legitimate way of transferring data to legal regimes outside of the EU while respecting EU data protection law. By extension, the ECJ could also adopt a position on the validity of the Privacy Shield agreement, the mechanism used for transferring personal data between the EU and the US. It would not be the first time judges at the highest court in Europe have invalidated an EU-US data framework, after the nullification of the 2015 Safe Harbor agreement, which eventually led to the creation of the Privacy Shield.
Speaking as part of a Brussels videoconference event on Tuesday (30 June), the EU’s Justice Chief Didier Reynders was pressed on what measures that the Commission is considering, should the ECJ decide to invalidate the Privacy Shield agreement.
Reynders said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court.” “We don’t have one plan, but we have some ideas about the different ways to give an answer, following the scope of the decision of the court,” he added, keeping his cards close to his chest, however, on the specifics of how the Commission would react to a legal invalidation of the Privacy Shield.
In a non-binding opinion in December, the ECJ found that the Commission’s standard contractual clauses (SCC), used for data transfers between EU and non-EU countries were ‘valid.’ Opinions issued by the court are normally good indications on how final rulings turn out.
The case comes following a legal challenge from Austrian privacy activist Max Schrems, who believes that the Commission’s standard contractual clauses do not adequately protect citizen’s privacy.
Such contracts are issued in the absence of a data transfer adequacy agreement between the Commission and parties outside of the bloc, in an attempt to provide sufficient data protection safeguards. They are used by thousands of businesses worldwide, including tech giants such as Facebook.
Should the court rule in favor of Schrems in July, the move could have profound consequences on the way data flows operate between EU and non-EU businesses and may oblige firms to stop making such data transfers or potentially face hefty fines.
On the Privacy Shield agreement, ECJ Attorney General Saugmandsgaard Øe’s December opinion states that the courts should not necessarily be required to rule on the validity of the accord, due to the fact that the dispute in question only concerns the Commission’s establishment of standard contractual clauses.
However, the Advocate General himself questioned the legitimacy of the agreement, stating that there are “reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”
In a previous 2015 case, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbor’ privacy principles, developed to prevent private companies in the EU or the U.S. from losing or accidentally revealing personal data belonging to citizens.
That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbor agreement should be rendered invalid and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.
The ECJ ultimately upheld Bot’s opinion and the Safe Harbor agreement was invalidated.
The court will deliver the ruling on the case C-311/18, Facebook Ireland and Schrems, on 16 July.
This information has been prepared by Validity Screening Solutions for informational purposes only and is not legal advice. The content is intended for general information purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have.