June 4, 2019
Compliance and complacency don’t go well together, so we created an e-book to help you keep your screening practices compliant.
FTC Privacy Shield Investigations
On April 26th, Federal Trade Commission (FTC) Bureau of Consumer Protection Director Andrew Smith said in an interview that it is a goal of the FTC to bring more actions for substantial violations of the EU-U.S. Privacy Shield. According to Director Smith, the FTC will take Privacy Shield enforcement cases “as the FTC finds them.” The Privacy Shield provides European and American companies a framework to move data freely between Europe and the U.S. in compliance with privacy protection laws and governs approximately $260 billion in transatlantic data transfers annually.
Recent Background Screening Legislation
On May 2nd, the Colorado legislature passed SB19-177, which would require a fingerprint-based criminal history record check for the following:
On April 20th, the Texas House of Representatives passed H.B. 1865, which would require students of massage therapy schools to hold a student permit. On May 2nd, the Texas House of Representatives passed H.B. 2747, which would require a fingerprint-based background check for applicants of a massage therapy license.
The Colorado legislature passed H.B. 19-1237, which would require criminal background checks for the operators of a licensed behavioral health facility.
Georgia enacted H.B. 185, which requires directors of financial institutions to undergo a criminal history background check and credit report check.
On May 22nd, Minnesota enacted H.F. 637, which amends the professional license requirements for certain healthcare professions. The Act requires certain individuals to submit to a criminal history records check by the state Bureau of Criminal Apprehension and the Federal Bureau of Investigation, including licensees applying for eligibility to participate in an interstate licensure compact and applicants for initial licensure. The Act limits the validity of background checks to one year.
New Washington State Law Levels the Playing Field: Employers Prohibited from Asking Salary History but Mandated to Disclose Salary Ranges
Washington’s Legislature has joined many other states in passing a law expressly prohibiting employers from seeking prior salary history from applicants or employees, except in limited circumstances. Washington’s Equal Pay Opportunity Act, which became effective in June 2018, already prohibited employers from relying on salary history to establish pay to screen applicants or employees. This new law goes further in making it clear that employers should not request salary history or use it. The law allows employers to confirm an applicant’s compensation history under two circumstances: if the applicant voluntarily shares it, or after making an offer of employment with compensation.
Washington’s new law also imposes pay transparency requirements that go beyond most other pay equity laws. Employers with 15 or more employees must disclose pay information when applicants or employees request it. An applicant who is offered a position has the right to request the minimum wage or salary for the position. An employee who is offered an internal transfer to a new position or promotion also has the right to request the wage scale or salary range for the position. If a wage scale or salary range has not been established for a position, employers must provide the minimum wage or salary expectation set by the employer prior to posting the position or making the promotion or position transfer.
What Should Employers Do Now?
To ensure compliance with the new law and be prepared for greater employee scrutiny of their compensation, employers should:
Colorado Legislature Passes Significant Equal Pay Bill, Including Salary History Ban and Job Posting Requirements
In its recently concluded session, the Colorado General Assembly passed legislation to strengthen the state’s pay equity requirements, prohibit employers from seeking salary history from job applicants, and require employers to post internal job openings and list salary ranges on all postings. The governor is expected to sign Senate Bill 19-085, the Equal Pay for Equal Work Act, into law this month.
Limited Factors May Be Used to Explain Pay Disparities Between Employees of Different Sexes Performing Substantially Similar Work
The bill prohibits Colorado employers from discriminating on the basis of sex (or sex in combination with another protected status) by paying employees of different sexes differently for substantially similar work, regardless of job title, based on a composite of skill; effort, which may include consideration of shift work; and responsibility. However, pay differences are permitted if an employer can demonstrate that the entire differential is based on: a seniority system; a merit system; a system that measures earnings by quantity or quality of production; the geographic location where the work is performed; education, training, or experience to the extent they are reasonably related to the work in question; or travel, if the travel is a regular and necessary condition of the work performed. The law does not define the terms “seniority system” or “merit system.” Moreover, the employer must be able to demonstrate that it did not rely on prior salary history to justify a disparity in current pay.
Salary History Ban
When enacted, Colorado also will become the latest state to prohibit employers from seeking salary history from job applicants. If the employer learns of an applicant’s prior salary, the employer cannot rely on that information to determine current pay.
Liquidated Damages Available, But May Be Avoided By Conducting a Proactive Pay Equity Analysis
Employers that violate the law’s provisions may be liable for the differential between what the employee was paid and what the employee would have been paid if there was no violation, plus an equal amount as liquidated damages. However, an employer can avoid liquidated damages by demonstrating good faith and reasonable grounds for believing it did not commit a violation. In addition, in determining whether the employer’s violation was in good faith, consideration may be given to whether the employer, within two years prior to the lawsuit being filed, completed a thorough and comprehensive pay audit of its workforce, with the specific goal of identifying and remedying unlawful pay disparities.
Employers Must Announce Internal Openings and Include Salary Range in All Job Postings
In addition, part two of the legislation, entitled “Transparency in Pay and Opportunities for Promotion and Advancement,” will require significant changes to Colorado employers’ internal and external application processes. For both internal and external job postings, Colorado employers will be required to list the salary range for the position and a general description of the benefits and other compensation for the position. For internal openings, employers must make reasonable efforts to tell all employees about the opening on the same day, and prior to making a promotion decision.
Enhanced Record Retention Requirements, Including Job Descriptions
Although Colorado employers have no current obligation to prepare or use job descriptions, the bill will require employers to keep records of job descriptions and wage rate history of each employee for the duration of employment plus two years after the end of employment, in order for the Colorado Department of Labor to be able to determine if there is a pattern of wage discrepancy.
Colorado Voters May Have Opportunity to Weigh in Prior to Enactment
Once signed, the legislation will be effective January 1, 2021, unless a referendum petition is filed by August 10, 2019, in which case Colorado voters will decide in the November 2020 general election whether the bill will become law.
NYC Employers Can No Longer Use Pre-Employment Marijuana Testing to Weed Out Prospective Employees
On April 9, 2019, the New York City Council passed a bill that prohibits employers from conducting pre-employment drug testing for the presence of marijuana or tetrahydrocannabinols (THC). Because New York City Mayor Bill de Blasio neither signed nor vetoed the bill within 30 days of passage, it became law on May 10, 2019. Notably, however, the law does not go into effect until May 10, 2020. Once the law takes effect, employers will be unable to conduct pre-hire marijuana testing as a condition of employment. The law amends Section 8-107 of the New York City Administrative Code and provides “it shall be an unlawful discriminatory practice” for employers, labor organizations, employment agencies or their agents to require prospective employees “to submit to testing for the presence of any tetrahydrocannabinols or marijuana in such prospective employee’s system as a condition of employment.” The law, however, contains a long list of exceptions. For example, the law does not apply to any individuals applying for work:
The law also does not apply to drug testing required pursuant to:
The City is expected to provide further guidance on these exceptions once it issues rules for the law’s implementation. Notably, by its terms the law applies only to “prospective employees.” At this time, it is unclear what, if any, impact this bill will have on employers’ ability to test for marijuana and THC after an employee is hired. Because it is likely that the City’s anticipated rules will provide additional clarity on this issue, it would be prudent to review guidance from the City to confirm that NYC employers’ policies permitting testing of current employees for marijuana will continue to be lawful.
New Jersey Data Breach Notification Law
On May 10th, New Jersey enacted S. 52, which amends the state’s data breach notification law to expand the disclosure requirements for security breaches. The Act expands the definition of ‘personal information’ to include a “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” Organizations that report a security breach of an online account must advise the consumer to change relevant account information, including user names and passwords. https://www.njleg.state.nj.us/bills/BillView.asp?BillNumber=S52
California Court of Appeals Bolsters Willfulness Defense to FCRA Actions
In a positive development for employers, the California Court of Appeals affirmed summary judgment for an employer in a class action alleging willful violations of the Federal Fair Credit Reporting Act (“FCRA” or “Act”). In Culberson v. Walt Disney Parks and Resorts, the plaintiffs alleged Disney willfully violated two provisions of the FCRA: (1) plaintiffs alleged Disney’s disclosures letting job applicants know they may be subject to a consumer report were not contained in a standalone document; and (2) plaintiffs alleged Disney rejected some applicants based on information in their consumer reports without first providing the notice required by the FCRA. In affirming summary judgment, the court concluded that it need not decide whether Disney violated the FCRA, because the court found that any such violation was not willful.
The FCRA in Employment Decisions
The FCRA regulates, among other things, the manner in which employers can consider consumer reports when making employment decisions. The FCRA requires prospective employers to disclose to a job applicant, in a standalone document, that it may obtain a consumer report for employment purposes. The Act also requires an employer to provide an applicant a copy of the report and a description of the applicant’s rights under the Act before taking any adverse employment action based on the consumer report. An employer who negligently violates the FCRA may be liable for actual damages, but an employer who willfully violates the FCRA may be liable for statutory penalties and punitive damages. To be willful, an employer’s violation of the FCRA must be either knowing or reckless.
The Court of Appeals Decision
Disney’s standalone disclosure form included a description of the scope of the report, a statement that Disney may share the information with affiliated companies, an explanation of the applicant’s rights, an explanation that a third party would produce the report, and the third party’s contact information. The plaintiffs claimed Disney’s disclosure form violated the FCRA because it contained extraneous information and argued that the standalone report could contain only the following ten-word disclosure: “that a consumer report may be obtained for employment purposes.” The Court of Appeals rejected plaintiffs’ arguments, because the FCRA does not make clear what information may be included in the disclosure, and because, at the time of the disclosures at issue (i.e., in 2011 and 2013), there was no authoritative guidance to warn Disney away from its position. Accordingly, the court concluded that no reasonable trier of fact could conclude that Disney’s standalone disclosure willfully violated the FCRA. Disney’s pre-adverse-action notice told applicants, in relevant part, “Based on [the reported] information, subject to you successfully challenging this information, we have decided to revoke your conditional offer of employment.” The plaintiffs argued this statement communicated a final decision and thus constituted an adverse action without allowing applicants to dispute the contents of the report, but the Court of Appeals disagreed. The court held that the notice did not constitute an adverse action because the action was “subject to” a successful dispute by the applicant. Disney’s interpretation of the FCRA was reasonable, so there was no triable issue as to whether the alleged violation was willful.
The court’s holding regarding the standalone disclosure is particularly important because it shores up employers’ “willfulness” defense and provides a useful distinction from recent pro-employee decisions from the Ninth Circuit. In Gilberg v. California Check Cashing, the standalone disclosure included various state disclosure requirements along with the FCRA disclosure, and the Ninth Circuit held the state information was clearly beyond what was permitted in the disclosure. Similarly, in Syed v. M-I, LLC, the standalone disclosure included a liability waiver, which was also clearly beyond what was permitted in the disclosure. In light of these recent decisions, employers should review their FCRA processes to ensure they reflect a reasonable interpretation of the Act.
Ninth Circuit Weighs in on Calculating the FCRA’s Seven-Year Reporting Rule
On May 14, 2019, the Ninth Circuit Court of Appeals added to the ongoing line of decisions in the Moran v. The Screening Pros saga, holding that under the Fair Credit Reporting Act’s rule prohibiting consumer reporting agencies from reporting any “record of arrest” older than seven years, the measuring period for a criminal charge runs from the date of entry rather than the date of disposition.
The Fair Credit Reporting Act (“FCRA”) contains an entire section devoted to the time periods for which certain information may be included in a background check report. Specifically, consumer reporting agencies are prohibited from including, among other things, the following in a consumer report: “Civil suits, civil judgments, and records of arrest that, from date of entry, antedate the report by more than seven years or until the governing statute of limitations has expired, whichever is the longer period.” It also has a catch-all that prohibits consumer reporting agencies from reporting: “Any other adverse item of information, other than records of convictions of crimes which antedates the report by more than seven years.” At issue in Moran was the appropriate measuring period for reporting certain criminal records that did not result in a conviction.
The plaintiff sued the consumer reporting agency for issuing a tenant screening background check report on him that contained his criminal history in violation of the California Investigative Consumer Reporting Agencies Act (“ICRAA”). The February 2010 report disclosed four criminal matters in the plaintiff’s background: a May 16, 2000, misdemeanor charge for being under the influence of a controlled substance (2000 Charge), dismissed on March 2, 2004; two June 2006 charges for burglary and forgery, dismissed that same month; and a June 2006 conviction for misdemeanor embezzlement from an elder dependent adult. The consumer reporting agency moved to dismiss, arguing that the ICRAA was unconstitutionally vague as to criminal history information, leaving persons of reasonable intelligence unable to tell whether that information is “character” information that the ICRAA governs or “creditworthiness” information that the California Consumer Reporting Agencies Act (“CCRAA”) governs. This distinction matters because the ICRAA imposes stricter duties and more severe penalties—such as the option to seek $10,000 in statutory damages in lieu of damages. The case was stayed pending resolution of Connor v. First Student Inc., a case in California state courts that considered the overlap and constitutionality of the ICRAA and the CCRAA. Ultimately, in Connor, the California Supreme Court held that the ICRAA is not unconstitutionally vague as applied to employment background checks. The Supreme Court concluded that “potential employers can comply with both statutes without undermining the purpose of either.”
In Moran, the Ninth Circuit was asked to consider the constitutionality of the ICRAA and the CCRAA and concluded that the Connor decision had resolved the issue and, thus, reversed the district court’s decision to dismiss the plaintiff’s complaint on that basis. However, the Ninth Circuit was also asked to consider whether the consumer reporting agency violated the FCRA’s seven-year rule with respect to the criminal history information included in the plaintiff’s report.
The district court had dismissed the plaintiff’s claim that the consumer reporting agency violated the seven-year rule based on the court’s determination that the reporting period for a criminal charge begins on the “date of disposition” instead of the date of entry. After an exhaustive review of the legislative history and the positions of federal agencies, such as the Federal Trade Commission, the Ninth Circuit disagreed and concluded that the reporting period for a criminal case begins on the date of entry, not the date of disposition. It went further and held that, “the dismissal of a charge does not constitute an adverse item and may not be reported after the reporting window for the charge has ended.” This meant that the consumer reporting agency in Moran arguably violated the FCRA by reporting the 2000 charge in the plaintiff’s report because the date of entry for that record was ten years older than the date of the report. The Ninth Circuit remanded the case to the district court for further proceedings in line with its opinion.
Given this new decision, consumer reporting agencies/background screening companies should evaluate their reporting procedures and processes, especially as they relate to non-conviction records. While the Ninth Circuit’s reasoning was supported in the earlier amicus briefs filed by the Federal Trade Commission and the Consumer Financial Protection Bureau, there is at least for the time being a definitive statement on what can be reported. Employers should also be aware that given this new opinion, they may not receive non-conviction information on consumer reports where a charge was entered more than seven years from the date of the report. https://www.seyfarth.com/publications/OMM051519-LE
Puerto Rico: Being Charged with a Felony can be Just Cause for Dismissal
The Supreme Court of Puerto Rico recently determined that an employee accused of committing several felonies can be suspended indefinitely pending criminal trial without it being considered an unjust dismissal. It also held that an employee can be dismissed with just cause if found guilty of the felonies.
Under Puerto Rico Act No. 80 of May 30, 1976, known as the Unjust Dismissal Act, an employer must pay severance if it terminates an employee without just cause—as the term is defined therein—and an indefinite suspension exceeding three months is considered a dismissal. In the recent opinion González Santiago v. Baxter Healthcare of Puerto Rico, 2019 T.S.P.R. 79, an employee who had worked for a pharmaceutical company since 1998 was charged, in 2014, with six felonies and one misdemeanor in relation to child abuse and lascivious acts against a child. The company learned about the charges through the news and rumors in the plant; held a meeting with the employee; and suspended him from work and pay, in accordance with its employee manual. The manual provided that actions that adversely affect the “adequacy of the person as a company employee,” including committing felonies of any nature, not informing the employer that one has been charged with a felony, and engaging in conduct against public morals, are serious offenses that can lead to immediate dismissal. About a year later, when he was found guilty of the felonies, the company dismissed him. The employee filed a claim for unjust dismissal and age discrimination.
The 7-1 Supreme Court decision vacated the Court of Appeals’ decision and dismissed the employee’s complaint via summary judgment. The Court determined that an employer may establish the rules it considers reasonable; that a first offense may be enough for termination if it is sufficiently severe; and that an employer may evaluate its employees using the moral standards of society when a violation of such standards may affect the functioning of the business. The opinion also explains that while a person is presumed innocent for purposes of criminal proceedings, that presumption does not extend to the employment context. The opinion comments that a sexual felony against a minor is conduct that any person should know should never be committed, and knowledge that a colleague has committed such a crime would be disruptive to any workplace, so the employer was entitled to dismiss the employee when the charges were lodged and did not have to wait for a conviction. In a dissenting opinion, Associate Justice Estrella Martínez explained that an employee should not be automatically suspended or dismissed for having committed a felony; instead, the employer should have to prove that the particular wrongdoing is reasonably related to the business and affects the company’s operations.
In a previous case, Rosario v. Toyota, 166 D.P.R. 1 (2005) (non-binding judgment), the Supreme Court of Puerto Rico determined that taking into account previous convictions in the recruitment process could be considered discrimination based on social condition, which is prohibited by the Constitution of Puerto Rico. In that case, the employment candidate met all the requirements for the position of warehouse driver but was disqualified after a background check revealed that he had been convicted of involuntary homicide 20 years earlier. The Court proposed analyzing several factors when considering applicants with previous convictions: (1) the nature and severity of the criminal conduct; (2) the relation between the felony and the position requested, and the responsibilities it entails; (3) the applicant’s rehabilitation and any information that the applicant or a third party could provide about it; (4) the circumstances under which the felony was committed; (5) the age of the applicant when committing the felony; (6) the time elapsed between the conviction and the employment application; and (7) the employer’s legitimate interest in protecting the property, security, and well-being of the business, of third parties or of the general public.
The González Santiago opinion drifts away from the previous, more protective approach towards employees. Nevertheless, given that González Santiago deals with accusations against a current employee, while Rosario dealt with recruitment for employment after a conviction, the recent case does not supersede Rosario. Thus, employers should still consider the non-binding guidelines set in Rosario in their recruitment processes in Puerto Rico.
Georgia Supreme Court Case
On May 20th, the Georgia Supreme Court ruled in McConnell v. Georgia Department of Labor that the state government does not have an obligation to protect the privacy of individuals’ data. According to the article, the Georgia Department of Labor inappropriately exposed the data of the plaintiff, Thomas McConnell, and 4,756 other individuals when a Department of Labor employee accidentally emailed a spreadsheet with the individuals’ personally identifiable information (PII) to 1,000 unintended email recipients. The spreadsheet contained the PII of unemployment beneficiaries over the age of 55, including name, Social Security number, telephone number, email address, and age. The plaintiff alleged that the Department of Labor breached its fiduciary duty and invaded their privacy by publicly disclosing the PII of the affected beneficiaries, which caused undue burdens. The court ruled that the plaintiff failed to state a claim: https://secureservercdn.net/18.104.22.168/0a1.d7a.myftpupload.com/wp-content/uploads/2019/06/s18g1316-1.pdf
Article Clarifying the Right to Rectification of Personal Data (Irish Data Protection Commission)
In light of increased awareness of the rights granted to individuals under the new data protection legislation, this note intends to clarify aspects of the right to rectification of personal data. In particular, this note examines the case of recording of names of individuals that contain diacritical marks (for example, fadas in the Irish language).
Article 5(1)(d) of the General Data Protection Regulation (GDPR) states that: “Personal data shall be…accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
Article 16 GDPR states: “The data subject shall have the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.”
Individuals have a right to rectification of their personal data under data protection legislation. What the right to rectification means in practice will depend on the circumstances of each case and the Data Protection Commission (DPC) examines each case that comes before it on its individual merits.
In general, data controllers will be required to take all reasonable steps to ensure the accuracy of personal data, taking account of the circumstances of the case, the nature of the personal data and, in particular, the purposes for which they are processed.
In respect of complaints received by the DPC in relation to the recording of a name without diacritical marks, e.g. the síneadh fada in the Irish language, consideration has to be given, in light of Article 5(1)(d) and Article 16 GDPR, to whether the recording of a name without diacritical marks is deemed to be inaccurate, having regard to the purposes for which the data (in this case, a data subject’s name) are processed.
Purposes of Processing
The notion of accuracy has to be interpreted in light of Article 5(1)(d) of the GDPR, which states that every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In this regard, consideration has to be given as to whether the name appears in an isolated environment or whether there are other unique identifying factors associated with the personal data in question. The Commission must consider whether the purposes of processing the data are still being achieved without the diacritical marks being present.
The Data Subject’s Fundamental Rights
It must also be considered whether a person’s fundamental right to data protection is affected by the processing of the personal data without the diacritical marks. Article 8(1) of the Charter of Fundamental Rights of the European Union recognizes that everyone has the right to the protection of personal data concerning him or her. Article 8(2) of the Charter recognizes the right of access to one’s personal data and the right to have such data rectified. This right is not absolute and may be limited in accordance with Article 52 of the Charter.
In a related context, the European Court of Human Rights has concluded that the omission of diacritical marks from a person’s name in certain official documents did not entail a breach of the right to private and family life guaranteed under Article 8 of the European Convention on Human Rights: see, for example, Šiškins and Šiškina v. Latvia (Application no. 59727/00, 8 November 2001).
The Official Languages Act
The Commission has consulted with An Coimisinéir Teanga and notes that the Official Languages Act 2003 does not impose an obligation on public bodies to record one’s name or address with diacritical marks such as fadas.
Views of other European Union Supervisory Authorities
The Commission liaised with our counterpart supervisory authorities in the European Union in relation to the inability of certain data controllers’ systems to record diacritical marks when documenting an individual’s name and the effect this may have on the accuracy of that recording. In this process, supervisory authorities expressed the view that the right to rectification was not absolute and that consideration must be given to the particular scenario in which the issue of the non-recording of diacritical marks arises. In particular, weighty consideration must be given to the purposes of the processing that is taking place and whether the alleged inaccurate data is used in an isolated environment or if it is used in conjunction with other personal identifiers.
UK Supreme Court Delivers Blow to Criminal Record Disclosure System
The UK government has lost its case defending the multiple convictions rule, which requires an individual to disclose all spent convictions if he or she has two or more such convictions. Generally, a conviction becomes “spent” after a certain period of time and thus does not need to be disclosed during a criminal records check. The intention is to give someone a second chance by preventing an old conviction from permanently impacting his or her reputation and career prospects. The time period required for a conviction to become spent varies depending on the seriousness of the offense. However, this principle does not apply when someone has two or more convictions. A recent case before the Supreme Court of the United Kingdom involved a job applicant (referred to as “P” in the court proceeding) who in 1999 was charged with shoplifting a book that cost 99p, an offense which was followed a few weeks later by a second offense of skipping bail when she failed to attend a court hearing related to the theft. That second offense meant she could not benefit from the spent convictions principle. However, the Supreme Court ruled that the multiple convictions rule was “disproportionate” and “wrong in principle,” with the result that the government will need to disapply the rule. A government spokesperson said that the government will consider the ruling carefully before responding. The takeaway for employers is that they must appreciate the possibility that spent convictions will not be revealed in UK criminal records checks, even in cases of individuals who have more than one such conviction.
Seeking input from interested third parties, the Office of the Privacy Commissioner of Canada (OPC) announced a revision to its policy position on transborder data flow under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) through the recent release of a consultation document (the “Consultation Document”) and a supplementary discussion document.
The key points from the Consultation Document include the following:
The Consultation Document represents a shift in approach from that set out in the OPC’s 2009 Guidelines for Processing Personal Data Across Borders, which provided, among other things, that “a transfer for processing is a “use” of the information; not a disclosure.” The change under which cross-border data transfers will be considered a “disclosure” and not a “use” of personal information would help position Canada’s privacy rights closer to the European General Data Protection Regulation (GDPR).
In the supplementary discussion document, the OPC set out that the change in its position is based in part on findings from its investigation into Equifax’s 2017 data breach. The OPC concluded that “a transfer of personal information between one organization and another clearly fits within the generally accepted definition of ‘disclosure’.” The supplementary discussion document also states that along with consent, the principles of accountability and openness under PIPEDA apply. This proposed policy position from OPC has implications with respect to the consent required to transfer an individual’s personal information across a border. Under this new policy direction, further disclosure and express consent may be required to the extent that personal information is being disclosed to a third party in a different jurisdiction. As stated in the supplementary discussion document, the OPC’s change in position will “require organizations to highlight elements that were previously part of their openness obligations and ensure that individuals are aware of them when obtaining consent for transborder transfers.” To ensure compliance under PIPEDA, organizations should: (i) identify and map how personal information is collected, used/processed, stored, transferred and disclosed, and (ii) assess whether adequate consent has been obtained. This is particularly so given the policy position stated in the Consultation Document.
Latin America – The Ethics of Gathering Employee Data
It has become increasingly clear that data is now one of our world’s most precious resources, and over the last few years, businesses have been learning how to use data to become more successful and profitable. While the benefits of collecting and analyzing large amounts of information are vast, the rapid development of technology has also left businesses facing a host of new risks and challenges, one of which relates to the collection and use of employee data. In Latin America, most countries now have data protection legislation which helps employers determine what new technologies should or shouldn’t be implemented in the workplace, while employees have certain rights that can allow them to minimize the collection of their personal data and restrict how it is processed.
In Mexico, the right to data protection was established in the Constitution in 2009. In 2010, the Federal Law on Protection of Personal Data Held by Private Parties was enacted and in subsequent years, regulations of the law and several guidelines on the matter were also issued. This comprehensive legislation applies at a federal level and not on a state-by-state basis. The country has an independent Data Protection Authority—the National Institute of Transparency, Access to Information and Protection of Personal Data (INAI)—that oversees the enforcement of the data protection laws and promotes best practices across the country. Among the obligations the legislation establishes for data controllers is the requirement to provide a privacy notice to data subjects where data protection practices are clearly explained to employees. The notice must specify clearly why the data is being processed, such as for the payment of wages, and what could be considered voluntary data processing, such as data obtained from the implementation of new technologies, including wearable devices. While processing data for conventional purposes does not require consent from employees, consent for processing data for additional purposes is required. Another obligation is to allow data subjects, in this case, employees, the exercise of their rights over personal data (i.e. access, rectification, cancellation, objection, etc.). These obligations are basic when looking at technology in the employment context; however, they are not the only ones. While there have been some disputes relating to the processing of employees’ personal data in Mexico, they have concerned matters relating to the requirement for consent and privacy notices and none have involved the use of new technologies in the workplace so far. Indeed, lawyers are waiting to see how the right to data protection develops and is strengthened with resolutions by INAI and the local courts. 
For many, the use of new technologies and analysis of data in the labor context can be beneficial for both employees and employers, providing there is a clear understanding of what is legal and ethical.
Local laws in Colombia establish two fundamental personal data rights: the right to privacy and the right to data rectification. Similar to the EU’s General Data Protection Regulation (GDPR), regulations in Colombia are based on the principle that the processing of private, semi-private and sensitive personal data requires the data subject’s prior, express and informed consent. Even if employees expect little privacy while on company premises or when using company equipment, there have been several decisions in Colombian courts recognizing minimum privacy, or tolerable personal use for employees using internal hardware or software tools. Since the gathering of employee data from these new tools has not been directly regulated by local employment law, but broadly regulated by constitutional and GDPR law, nowadays employers have the responsibility for setting specific limits that can solve the tension between productivity and the fundamental rights of employees, starting from the principle that the gathering of information must respond to legitimate and ethical interests.
Chilean legislation includes several rules on the protection of personal data applicable to an employment relationship, which help mitigate the ethical problems that may arise for the employer. The Political Constitution of the Chilean Republic, Law No. 19,628 regarding the protection of private life or personal information, and the Labor Code contain the most important provisions relating to gathering employee data in Chile.
Article 19 No. 4 of the Chilean Constitution provides the protection of personal data as a constitutional right. This rule guarantees the respect and protection of private life and the honor of the person and their family, and also, the protection of their personal data.
Law No. 19,628 states that personal data may only be processed when determined by law or when the owner of the data gives written consent, in this case, the employee. The law also provides that the employee must be informed about the purpose of the processing of their personal data and its possible communication to the public. However, there are exceptions to this provision. Authorization is not required when private entities process personal data for their own exclusive use or that of their agents and affiliates, and it is for their own benefit. This applies to companies when processing employee data for their own exclusive internal use.
According to the law, personal data relates to ‘any information concerning individuals, identified or identifiable.’ This includes basic human resources data, such as, but not limited to, the employee’s name, date of birth or age, date of starting employment, remuneration and benefits, home address, marital status, number of dependent children, national registration number or identity card number, social insurance number, employee number, position in the organization, evaluations and complaints.
On the other hand, the processing of sensitive personal data is prohibited. Data considered to be sensitive may only be processed when determined by law, when the data owner gives written consent, or for obtaining health benefits, like those necessary for granting complementary health insurance to employees.
Sensitive personal data is defined in Chilean law as information regarding a person’s physical or moral characteristics, and facts or circumstances of their private life and intimacy, such as personal habits, racial background, political opinions, religious beliefs, physical and mental health and sexuality.
Chilean labor legislation expressly states that it is the employer’s responsibility to respect the guarantees of the constitution within the framework of labor relations in the company, ensuring the protection of employee data and especially the employee’s rights to privacy. In this context, article 154-bis of the Labor Code sets forth the employer’s confidentiality obligation to keep all information and private data related to its employees safe.
Singapore Updates Guidelines on Data Breach Notification and Accountability
Expected to be included as part of the upcoming amendment to the country’s data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.
EU-US Privacy Shield Complaint to be Heard by Europe’s Top Court in July
A legal challenge to the EU-US Privacy Shield, a mechanism used by thousands of companies to authorize data transfers from the European Union to the US, will be heard by Europe’s top court this summer. The General Court of the EU has set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement which argues the arrangement is still incompatible with EU law on account of U.S. government mass surveillance practices. Privacy Shield was only adopted three years ago after its forerunner, Safe Harbor, was struck down by the European Court of Justice in 2015 following the 2013 exposé of U.S. intelligence agencies’ access to personal data, revealed by NSA whistleblower Edward Snowden. The renegotiated arrangement tightened some elements and made the mechanism subject to annual reviews by the Commission to ensure it functions as intended. But even before it was adopted it faced fierce criticism—with data protection and privacy experts couching it as an attempt to put lipstick on the same old EU-law breaching pig. The Shield’s continued survival has also been placed under added pressure as a consequence of the Trump administration—which has entrenched rather than rolled back privacy-hostile U.S. laws, as well as dragging its feet on key appointments that the Commission said the arrangement’s survival depends on. Ahead of last year’s annual Privacy Shield review the EU parliament called for the mechanism to be suspended until the U.S. came into compliance. (The Commission ignored the calls.)
In one particularly embarrassing moment for the mechanism it emerged that disgraced political data company, Cambridge Analytica, had been signed up to self-certify its ‘compliance’ with EU privacy law… It will be up to the court in Luxembourg to hear and judge the complaint. A decision on the legality of Privacy Shield will follow sometime after July—perhaps in just a handful of months, as the CJEU has been known to move quickly in cases involving the defense of fundamental EU rights. Though it may also take the court longer to issue a judgement. All companies signed up to the Privacy Shield should be aware of the risk and have contingencies in place in case the arrangement is struck down. Nor is this complaint the only legal question facing Privacy Shield. A challenge filed to a separate data transfer mechanism in Ireland by privacy campaigner Max Schrems—whose original challenge brought down Safe Harbor—has also now been referred by Irish courts to the CJEU, in what’s being referred to as ‘Schrems II’. In that case Facebook has attempted to block the court’s referral of questions to the CJEU—by seeking to appeal to Ireland’s Supreme Court, even though there is not normally a right to appeal a referral to the CJEU. Facebook was granted leave to appeal—and Ireland’s Supreme Court is expected to rule on that appeal early next month. The appeals process has not stayed the referral, though. Nor does it impinge upon La Quadrature du Net’s complaint against Privacy Shield being heard later this summer.
Massachusetts AG Ban-the-Box Enforcement
On May 6th, Massachusetts Attorney General (AG) Maura Healey announced that her office found two businesses in violation of the state’s ban-the-box law, which prohibits most employers from asking job applicants about their criminal history on an initial employment application. The AG found that the employers asked job applicants if they had ever been convicted of a felony or misdemeanor. The AG reached an agreement with clothing retailer Brooks Brothers and manufacturing company DesignWerkes, under which the companies agreed to each pay the state $5,000 and comply with the ban-the-box law. The AG sent warning letters to seventeen other employers: https://www.mass.gov/news/ag-healeys-investigation-finds-employers-in-violation-of-state-cori-law.
New York Offers Tax Credit to Employers Who Hire Recovering Substance Abusers
In an effort to combat the ongoing opioid crisis and substance abuse, New York State’s Budget for Fiscal Year 2020 includes the nation’s first tax incentive program for certified employers who hire people recovering from substance use disorders in full-time or part-time positions. The purpose of the Recovery Tax Credit program is two-fold: to create a recovery-oriented culture in business and local communities, as well as encourage growth by increasing employment opportunities.
Beginning in 2020, certified employers will receive a maximum credit of $2,000 for each eligible individual they hire who has worked a minimum of 500 hours. The State can allocate up to $2 million annually for the program. An eligible individual means an individual with a substance use disorder who is in a state of wellness free from the signs and symptoms of active addiction that has demonstrated to the employer’s satisfaction that he or she has completed a course of treatment for such substance use disorder.
To claim credit for eligible individuals employed during the preceding calendar year, an employer must apply annually to the New York State Office of Alcoholism and Substance Abuse Services by January 15. Applications for the first year of the program are due by January 15, 2021 for eligible individuals employed during the 2020 tax year. In addition to the program eligibility requirements set forth in the legislation, the employer must demonstrate that it provides a recovery supportive environment evidenced by a formal working relationship with a local recovery community organization. If the application is approved, a certificate of tax credit will be issued by March 31.
The Office of Alcoholism and Substance Abuse Services will administer the Recovery Tax Credit program in conjunction with the Department of Taxation and Finance.
This information has been prepared by Validity Screening Solutions for informational purposes only and is not legal advice. The content is intended for general information purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have.