August 2020 | Compliance Update

Federal Developments

OSHA Publishes Frequently Asked Questions on COVID-19

On July 2, the Occupational Safety and Health Administration published a set of Frequently Asked Questions Related to COVID-19. The FAQs do not appear to provide any new guidance but are grouped by topic for easier reference and are more user-friendly as a result. Before publication of the FAQs, employers needing information had to visit multiple pages on the OSHA website and the website for the Centers for Disease Control and Prevention.

Highlights of the FAQs include the following:

  • Use of PPE when cleaning and disinfecting the workplace. Cleaning operations that entail the use of hazardous chemicals may trigger the OSHA standard regarding use of personal protective equipment.
  • Whether masks, which OSHA calls “cloth face coverings,” are required. OSHA states only that employees be “encouraged” to use them.
  • Standards that apply to employer protection of workers from COVID-19. The FAQs list a number of requirements that might apply, but the primary one is the General Duty Clause of the Occupational Safety and Health Act, which requires employers to provide employees with a workplace “free from recognized hazards that are causing or likely to cause death or serious physical harm.”
  • Whether an employer must provide restrooms and hand-washing facilities for employees. OSHA has specific standards that require most employers to provide toilet and hand-washing facilities.
  • What an employer should do when an employee tests positive for COVID-19. The agency tells employers to take action to protect other employees but does not require that other employees be notified.
  • Whether an employer can require an employee who has concerns about COVID-19 to come to work. OSHA says generally yes, except under circumstances where the situation is urgent and so clearly hazardous that reasonable persons would believe they would be in serious danger if they returned to work. (Depending on the circumstances, an employee with concerns about returning to work may be protected by other laws, such as the Americans with Disabilities Act.)
  • Whether an employee can be fired for complaining about workplace safety and health concerns related to COVID-19. OSHA protects employees who complain about any unsafe working conditions.

The agency defers to CDC guidelines for many of the answers to the questions and is careful to note that the FAQs are not a standard or a regulation, and do not create any new legal obligations. This is consistent with the position that OSHA has taken in all of its guidance related to coronavirus. There has been essentially no enforcement action taken against employers for COVID-19-related violations. Employee complaints result in a letter to the employer requesting very specific information on what the employer is doing to address COVID-19, but on-site inspections are rare. As the crisis continues, and political and public attitudes change, OSHA’s policy may also change, especially in situations where an employer has a large number of COVID-19 cases and is not following CDC and OSHA guidelines. There are requirements, such as the General Duty Clause noted above, that OSHA acknowledges it could use as the basis for citations against such an employer. The agency has successfully used the General Duty Clause to cite employers in cases involving workplace violence and heat stress, which have resulted in far fewer employee fatalities than coronavirus.

Guidance Clarifies COVID-19 Testing Coverage Requirements for Employer Health Plans

Employers have more clarity on COVID-19 testing coverage requirements—including new details on at-home tests, return-to-work testing, and out-of-network pricing—under new guidance that the U.S. Department of Health and Human Services (HHS), U.S. Department of Labor (DOL) and the U.S. Department of the Treasury jointly prepared.

The guidance—in the form of frequently asked questions (FAQs)—further interprets testing requirements that originally appeared in the Families First Coronavirus Response Act (FFCRA) and that were expanded in the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

The FFCRA requires group health plans to cover U.S. Food and Drug Administration (FDA)-approved COVID-19 tests and services related to the furnishing or administration of the tests on a first-dollar basis, meaning before a participant’s deductible is met and without requiring any other cost-sharing such as copayments or coinsurance. In addition, plans may not impose medical management requirements such as prior authorization on tests and related services. These requirements took effect March 18, 2020, and end when the national emergency period ends. The CARES Act later expanded the scope of covered COVID-19 tests to include tests:

  • for which “[t]he developer has requested, or intends to request, [FDA] emergency use authorization”;
  • “[that are] developed in and authorized by a State that has notified the Secretary of HHS of its intention to review” COVID-19 tests; or
  • that are specifically approved by further HHS guidance.

The FDA maintains a list of tests that have received FDA emergency use authorization and a list of states that have authorized COVID-19 tests. Previous DOL guidance clarified that the federal requirements covered serological (antibody) tests. Under the CARES Act, plans must also reimburse providers for COVID-19 tests at either a negotiated rate or the cash price, which providers are required to publish on a public website.

The new FAQ guidance, released June 23, 2020, provides a number of clarifications to the COVID-19 testing coverage requirement:

  • Plans, or their third-party administrators, can reasonably request evidence of a test developer’s FDA emergency use authorization request or intent to make such a request before paying a provider for a test. If no evidence is provided, a plan can treat the cost of the test under the plan’s pre-FFCRA terms, including requiring cost-sharing by the participant. The FDA maintains a list of laboratories and manufacturers that have validated their own COVID-19 tests and are preparing to or have requested emergency use authorization.
  • Earlier DOL guidance had required plans to cover testing and related services that were determined to be medically appropriate by an attending health care provider. The guidance defined an “attending [health care] provider” as “an individual…licensed under applicable state law…acting within the scope of [his or her] license, and…directly responsible for providing care to a patient.” The new FAQs specify that the attending provider need not be the patient’s primary care physician or directly administer the test—he or she need only make an individualized clinical assessment of medical appropriateness for the patient.
  • Plans must cover on a first-dollar basis at-home COVID-19 tests that otherwise fall under the scope of the CARES Act and that are determined to be medically appropriate by an attending provider.
  • Plans are required only to cover on a first-dollar basis COVID-19 tests primarily intended for individualized diagnosis or treatment. Tests administered to screen employees returning to work are not covered by the FFCRA and CARES Act requirements.
  • Plans are required to cover an unlimited number of COVID-19 tests per individual that otherwise meet the requirements of the FFCRA, CARES Act, and agency guidance.
  • Only COVID-19 tests—and not related services—need to be reimbursed at a negotiated rate or at the published cash price. The FAQs also state that participants should not be balance billed for COVID-19 tests, indicating that providers should accept the plan’s payment of a negotiated rate or the cash price as payment in full. As a result, participants may end up being balance billed by providers for services related to COVID-19 tests.
  • Plans are required to reimburse the negotiated cost or the published price of a test, even if that test is received in an out-of-network hospital emergency room. The FAQs indicate that the CARES Act requirements supersede the standard Affordable Care Act rules on out-of-network emergency services.
  • Upon the end of the national emergency period, plans must notify participants if they are going to discontinue covering COVID-19 tests and related services on a first-dollar basis. Ordinarily, plans would have to provide 60 days’ prior notice of a benefit reduction that would affect the summary of benefits and coverage, or SBC. But the FAQs indicate that this notice requirement would not apply if the plan previously notified participants of the temporary nature of the expanded coverage or provided notice “within a reasonable timeframe” that the coverage was ending.

CDC Issues COVID-19 Testing Strategy Guidance for Workplaces

On July 3, 2020, the U.S. Centers for Disease Control and Prevention (CDC) issued new guidance entitled “SARS-CoV-2 Testing Strategy: Considerations for Non-Healthcare Workplaces.” The new guidance recommends incorporating COVID-19 testing in five scenarios: (1) testing individuals with COVID-19-related symptoms; (2) testing asymptomatic individuals with a recent known or suspected exposure in order to control transmission; (3) testing asymptomatic individuals without a recent known or suspected exposure for early identification in special settings; (4) testing to determine when an individual may discontinue home isolation; and (5) testing for public health surveillance.

(1) Testing Symptomatic Individuals
The most relevant scenario for most employers is testing employees determined to be exhibiting COVID-19-related symptoms, such as when symptoms are identified during daily screening before employees enter the workplace. The CDC guidance suggests that employees with symptoms should be immediately separated from others and sent home or to a healthcare facility. If the employee tests positive, the employee should not come to work and should isolate at home until the employee satisfies the CDC’s criteria for discontinuing home isolation.

(2) Testing Individuals Exposed to the Virus
In addition to testing symptomatic employees, the CDC guidance envisions the use of viral testing of those in close contact with someone who has COVID-19 (e.g., in the non-healthcare setting, other employees who were within 6 feet of an infected employee for 15 minutes or longer). In this context, the CDC notes that such testing is often initiated by or conducted in consultation with state or local public health authorities. In addition, the CDC notes that “there may be a delay between the time a person is exposed to the virus and the time that [the] virus can be detected by testing, [and] early testing after exposure at a single time point may miss many infections.”

(3) Testing Individuals Who Haven’t Been Exposed to the Virus
The CDC suggests that a third application for COVID-19 testing is to help identify asymptomatic infected employees without any known or suspected exposure, particularly in workplaces where social distancing is difficult, remote settings where medical evaluation and treatment may be delayed, certain critical infrastructure settings, and workplaces that provide congregate housing to employees (such as fishing vessels, offshore oil platforms, and farm housing). In those scenarios, the CDC states that employers may consider different testing approaches, such as “initial testing of all workers before entering a workplace, periodic testing of workers at regular intervals, and/or targeted testing of new workers or those returning from a prolonged absence.” The CDC recommends that employers “have a plan in place for how they will modify operations based on test results and manage a higher risk of false positive results in a low prevalence population” prior to testing large portions of a workforce.

(4) Testing for Discontinuing Isolation
The fourth application for testing is to determine when an employee may safely discontinue home isolation (e.g., return to work). In this context, the CDC states that the determination of whether to use a symptom-based, time-based, or test-based strategy should be “made in consultation with healthcare providers and public health professionals.” (Note: Some state and local governments and public health authorities specifically advise against or even prohibit using a test-based strategy.) Notably, the CDC appears to soften its previous admonition that employers should not request a doctor’s note or test results in order to return an employee to work. In the new guidance, the CDC acknowledges that under the Americans with Disabilities Act (ADA), “employers are permitted to require a healthcare provider’s note to verify that employees are healthy and able to return to work.” Nevertheless, the CDC continues to warn that such documentation may be difficult to acquire from certain providers that “may not be able to provide such documentation in a timely manner.”

(5) Testing for Public Health Surveillance Purposes
The CDC states that COVID-19 testing also may be used for public health surveillance purposes in order to detect transmission hot spots or better understand disease trends in a workplace. According to the CDC, “[t]hese goals are consistent with employer-based occupational medicine surveillance programs[, which] may use testing to assess the burden of SARS-CoV-2 in the workforce…or evaluate the effectiveness of workplace infection control programs.” While the CDC notes that surveillance “should only be undertaken if the results have a reasonable likelihood of benefiting workers,” this scenario may be premature for consideration by employers absent further guidance from the U.S. Equal Employment Opportunity Commission (EEOC). At present, the EEOC’s guidance has approved of COVID-19 testing only in the context of determining if employees are safe to enter the workplace, and it is unclear whether a “surveillance” testing program would be deemed lawful under the ADA.

In addition to the discussion of the above outlined scenarios, employers may find the additional takeaways from the CDC guidance noteworthy:

  • The CDC states that its recommended testing strategies should be implemented as a supplement to other federal, state, and local health and safety laws applicable to the workplace and not as a replacement to other legal requirements. The CDC also notes that any testing should be carried out in a manner consistent with applicable employment laws, including with respect to employee privacy and confidentiality, and in accordance with published guidance from the EEOC.
  • The use of COVID-19 testing “may be incorporated as part of a comprehensive approach to reducing transmission in non-healthcare workplaces,” which includes other precautions, such as symptom screening and contact tracing, to help identify infected workers and take appropriate action “to slow and stop the spread of the virus.”
  • The CDC states that employees undergoing testing should receive “clear information” regarding (1) “the manufacturer and name of the test, the type of test, the purpose of the test, the reliability of the test, any limitations associated with the test, who will pay for the test, and how the test will be performed,” and (2) “how to understand what the results mean, actions associated with negative or positive results, who will receive the results, how the results may be used, and any consequences for declining to be tested.” The CDC also states that employees should receive “patient fact sheets” as part of the test’s emergency use authorization from the U.S. Food and Drug Administration (FDA).
  • The CDC notes that the U.S. Occupational Safety and Health Administration (OSHA) has issued interim guidance finding that COVID-19 is a recordable illness and outlining when an employer may be required to record an employee’s infection on the OSHA Form 300 log and/or report an employee’s illness.
  • The CDC guidance reiterates that while viral tests may be used to determine if an employee is currently infected with the virus, antibody tests should not be used as the sole basis to determine a current infection and “should not be used at this time to determine if an individual is immune.” Similarly, the EEOC recently issued guidance on antibody testing stating that under the ADA, employers may not use antibody tests as part of their employee screening programs to determine if employees are safe to enter the workplace.

Key Takeaways
This new guidance is a welcome development for employers seeking further insight into how they may implement COVID-19 testing in the workplace. While a helpful overview, the guidance is relatively high-level and raises additional legal questions, such as whether and to what extent an employer may unilaterally implement a “surveillance” testing program in the workplace without violating the ADA. Employers considering testing may want to review these guidelines carefully and evaluate additional requirements and guidance from the relevant state and local governments and public health authorities prior to implementing any large-scale testing program.

Return to Work Guidance (COVID-19 – July Update)

United States
As states across the U.S. adopt different reopening measures, the following list of state-wide orders on return to work protocolsface masks and employee health screenings will help you keep track of developments (dated 10 July 2020). Take a look at the recently published FAQs on COVID-19 by the Occupational Safety and Health Administration (OSHA). The FAQs consist of existing guidance which has now been consolidated in one place. We also look at various interstate travel restrictions which are being enforced and best practices for critical workers travelling to and from “hot spot” states.

United Kingdom
Employers are facing fresh challenges as lockdown restrictions are lifted in the UK. Here is a breakdown of the upcoming changes for employers to be aware of as employees return to work, including statutory sick pay and travel and quarantine requirements. We also take a look at how a return to work plan will affect vulnerable people and how best to deal with employee concerns.

The Health and Safety Executive (HSE) has urged businesses to ensure that their organization is COVID-19 secure and has published a list of areas in which businesses commonly fall short. Take a look at the press release from the HSE here. Find out which COVID-19 testing options are available to employers and businesses, what they can actually tell you and what arrangements to make to carry out the testing.

Ontario has taken a regional approach to enter Stage 3 of reopening on 17 July 2020. Here are further details on what this means for the province, including which places will remain closed and what the rules are around gatherings.

Use this cross-country update to stay on top of recent developments in Canada and this handy guide to getting back to business.

The state of health emergency came to an end in France on 10 July 2020. Find out more about what the country is doing to return people to work and its “individualized partial activity” approach.

In Brazil, the Ministry of the Economy and the Ministry of Health published Joint Ordinance Number 20, which sets out measures which employers are required to implement to reduce the risk of COVID-19 transmission in the workplace. These measures apply to those businesses that have remained open, rather than for those businesses looking to reopen. The full text of the ordinance can be found here (in Portuguese).

State Developments

This Won’t Hurt a Bit: Employee Temperature and Health Screenings – A List of Statewide Orders, as of July 10, 2020

Governors and public health officials across the country have implemented stringent measures to help contain the spread of COVID-19, such as safer at home and face covering mandates. Some jurisdictions also require employers to screen the health of employees, often as they begin a shift. These health screening steps, including temperature checks, are becoming more common as states further reopen their economies.

This post, current as of July 10, 2020 at 8:00 a.m. (CDT), covers statewide laws and orders that require employers to take employees’ temperatures and/or conduct other employee health screening procedures, such as asking employees about any COVID-19-consistent symptoms using a questionnaire or checklist. This chart covers only generally applicable requirements and does not cover the heightened requirements applicable to certain types of employees, such as healthcare workers; public health workers; long-term care, assisted living, and nursing home workers; first responders; and law enforcement. We will update this list regularly but expect it will become outdated quickly as new announcements are made.

Note that this list does not include temperature or health screening requirements at the local level. If you would like more information, please contact your Littler attorney for additional resources that summarize such requirements at both the state and local level.

In addition, this post does not address other significant issues related to employer screenings of employee health, including potential wage and hour, discrimination, and privacy concerns. As a result, employers should consult with counsel for details on additional orders that may apply to their operations and for guidance on related legal questions.

Please click on the link for further information identifying face covering guidance and return to work protocols, as well as an interactive reopening map.

Gov. Wolf Signs Senate Bill 637, Easing Restrictions for Pennsylvanians with Criminal Records to Reenter the Workforce

Governor Tom Wolf signed Senate Bill 637 on Wednesday, aimed at assisting people with criminal records to reenter the workforce in Pennsylvania. The bill, now signed into law, removes some job licensing barriers to Pennsylvania workers with a criminal record. According to the Wolf administration, one in five Pennsylvanians needs an occupational license to work. As of Wednesday, boards and commissions are not allowed to deny someone employment based on their criminal history unless their prior offenses are related to that particular line of work. Additionally, if boards and commissions do have stipulations about granting a job license to someone based on certain prior criminal offenses, that information will have to be publicly available. Boards are also asked to consider other factors of the applicant before deciding based on their criminal record and are requested to provide a preliminary decision to applicants so that applicants can present evidence to support their case for a license. Juvenile records or convictions expunged by the Clean Slate Law may not be considered by boards and commissions’ decisions to grant an occupational license. However, sexual offenders will still not be permitted to work as healthcare providers.

Virginia Adopts First-in-Nation COVID-19 Workplace Safety Rules for Employers

On July 15, 2020, the Commonwealth of Virginia’s Safety and Health Codes Board, in response to an executive order from Governor Ralph Northam, adopted emergency COVID-19 workplace safety rules for employers in Virginia, resulting in Virginia becoming the first state in the nation to adopt comprehensive workplace safety rules in connection with the pandemic. The rules, which are expected to become effective the week of July 27, 2020, will apply to all employers, employees, and places of employment that are under the jurisdiction of the Virginia Occupational Safety and Health program and will require employers to implement certain policies and procedures designed to mitigate risks relating to COVID-19 in the workplace.

“In the face of federal inaction, Virginia has stepped up to protect workers from COVID-19, creating the nation’s first enforceable workplace safety requirements,” Governor Northam said in a statement. “Keeping Virginians safe at work is not only a critical part of stopping the spread of this virus, it’s key to our economic recovery and it’s the right thing to do.” Some business groups, however, have expressed concerns that the new requirements could lead to confusion due to potential conflicts with current guidance, result in businesses being fined for failing to comply with certain restrictions by mistake, and impose additional cost burdens on businesses that are already struggling as a result of the pandemic’s economic impact.

The temporary rules seek to provide employers with flexibility to establish mitigation strategies that will eliminate or substantially decrease employee exposure to COVID-19 in the workplace. Requirements mandatory for all employers include the enforcement of physical distancing and notifying employees within 24 hours if a coworker tests positive for the virus. The rules also impose additional requirements on employers that present increased levels of risks associated with certain workplace hazards and job tasks.

The rules will expire six months after they become effective unless the Safety and Health Codes Board adopts permanent rules or repeals the temporary rules, or Governor Northam’s State of Emergency declaration expires prior to the end of such six-month period. Virginia’s Department of Labor and Industry will have authority to enforce the rules. Fines for violating the rules can range from $13,000 to $130,000 for repeat offenders.

Requirements for All Employers
Requirements applicable to all employers include the following:

  • Classifying employees by risk level (very high, high, medium, and lower) based on workplace hazards and job tasks;
  • Establishing and implementing policies and procedures for employees to self-monitor for COVID-19 signs and symptoms and to report symptoms;
  • Implementing procedures that will prevent employees who are known to have or are suspected of having COVID-19 from infecting healthy employees;
  • Notifying employees who may have been exposed to COVID-19 in the workplace, which notification should be given within 24 hours of discovery of the possible exposure while keeping confidential the identity of the infected employee;1
  • Establishing and implementing a return to work policy for employees known to have or suspected of having COVID-19;
  • Ensuring that employees observe physical distancing while on the job and during paid breaks on the employer’s property;
  • Ensuring compliance with mandatory requirements of any applicable Virginia executive order or order of public health emergency;
  • Implementing policies and procedures for workplace sanitation and disinfecting, including providing employees with access to hand washing or hand sanitizing and regularly cleaning and disinfecting common areas; and
  • Refraining from discharging or in any way discriminating against an employee for exercising any rights under the rules or raising reasonable concerns to the employer, its agent, or a government agency about infection control related to COVID-19.

Requirements for Employers with “Very High,” “High,” and “Medium” Exposure Risk
An employer will need to assess and classify its workplace for exposure risk, with the understanding that one workplace could have different levels of exposure risk (for example, in a healthcare setting, an employee intubating a known COVID-19 patient could be classified as “very high” risk, while an employee performing administrative work away from others could be considered “lower” risk). Employers with workplaces and job tasks deemed under the rules to have “very high,” “high,” or “medium” risk levels for COVID-19 are subject to more stringent requirements. Very high- and high-risk jobs generally include occupations in the healthcare or another field in which employees have direct contact with people known to have or suspected of having COVID-19. Medium-risk jobs are those not otherwise classified as very high or high exposure risk and that require “more than minimal occupational contact inside six feet with other employees, other persons, or the general public”; examples of jobs in the medium-risk category include poultry and meat processing, agricultural and hand labor, transportation, educational settings, restaurants, grocery stores, correctional facilities, gyms, and spas. Lower-risk job tasks are those not otherwise classified as very high, high, or medium that have minimal occupational contact with other employees, other persons, or the general public, such as in an office building setting.

Very high and high exposure risk jobs require employers to implement certain engineering controls, such as ensuring appropriate air-handling systems and installing physical barriers to the extent feasible, where such barriers will help mitigate the spread of virus transmission. Additionally, these employers must implement certain administrative and work practice controls, such as prescreening or surveying employees prior to each work shift to verify they do not have signs or symptoms of the virus and providing for telework and staggered shifts where feasible. Employers with very high and high exposure risk also will need to assess whether the COVID-19 hazards or job tasks necessitate the use of personal protective equipment and provide training for employees to recognize and minimize the hazards of COVID-19.

The rules applicable to medium exposure risk jobs also require employers to implement certain engineering controls relating to air-handling systems and the installation of physical barriers, to the extent feasible, that will help mitigate the spread of virus transmission, and, to the extent feasible, certain administrative and work practice controls, including prescreening or surveying employees prior to each work shift to verify they are not COVID-19 symptomatic and providing alternative work arrangements, such as telework and staggered shifts. Employers with medium exposure risk also will need to assess whether the COVID-19 hazards or job tasks necessitate the use of personal protective equipment.

Additionally, all employers with very high and high exposure risk and employers with medium exposure risk that employ 11 or more employees will need to develop and implement a written infectious disease preparedness and response plan within 60 days after the rules go into effect. This plan will need to, among other things, identify the name(s) or title(s) of the person(s) responsible for administering the plan (which persons must be knowledgeable in infection control principles and practices as they apply to the facility, service, or operation), address the levels of COVID-19 risk associated with the workplace and job tasks, consider contingency plans for situations that may arise from outbreaks, identify basic infection prevention measures to be implemented, provide for the identification, reporting, and isolation of employees known or suspected to have COVID-19, and address infectious disease preparedness and response with respect to third-party businesses and other persons accessing the workplace.

Additional Information
Virginia regulators are developing FAQs and other guidance on the rules to be made available to the public, which guidance likely will include materials to assist in classifying the exposure risks of job tasks, training employees, and developing an infectious disease preparedness and response plan. Venable will continue to monitor these actions, and we are available to provide clients with assistance in complying with the new workplace safety rules. We also can assist in developing monitoring and compliance systems to address regulatory and oversight obligations relating to COVID-19. Please find additional information about regulatory compliance and oversight obligations implicated by the COVID-19 pandemic here.

Court Cases

Ninth Circuit Addresses FCRA Standing Analysis and Emphasizes Importance of Remedial Measures

The Ninth Circuit recently issued an opinion addressing standing and willfulness under the Fair Credit Reporting Act (FCRA). In Ramirez v. TransUnion,[1] the Ninth Circuit affirmed a jury verdict and punitive damages award, although it reduced those damages by a third. The court held for the first time that “each class member must have standing to recover damages,” but also found that the class members’ standing need not be demonstrated at the class certification stage and that the class members had standing even if their credit reports had not been shared with any third party. In addition, the court looked to a prior court ruling against the defendant involving the same issues in finding the violations were willful and warranted the award of punitive damages.

Case Background

Sergio Ramirez alleged he was unable to buy a car because his credit report indicated he was on an Office of Foreign Assets Control (OFAC) terrorist watch list. TransUnion sent Ramirez a report without this information and with a conflicting letter indicating his name did match a name on the watch list. It turns out he was not on the watch list, but someone else with the same first and last name was on that list.

In 2012, Ramirez filed a lawsuit against TransUnion in the Northern District of California, seeking to represent a nationwide class of consumers whom TransUnion had falsely identified as being on the terrorist watch list, alleging willful failure to use reasonable procedures to prevent false positives and related claims. The court certified a class, and a jury then ruled against TransUnion on all claims, awarding the class approximately $8 million in statutory damages and $52 million in punitive damages. TransUnion appealed to the Ninth Circuit.

Ninth Circuit Decision

For the first time, the Ninth Circuit announced that “every member of a class certified under Federal Rule of Civil Procedure 23 must satisfy the basic requirements of Article III standing at the final stage of a money damages suit when class members are to be awarded individual monetary damages.”[2] The court found that each of the 8,185 class members had standing regardless of whether a third party accessed their credit reports. Judge McKeown agreed that all members of a damages class should have standing at trial, but she dissented in part because no evidence in the record supported finding a “serious likelihood of disclosure.”

Willful Violation and Punitives
The Ninth Circuit rejected TransUnion’s arguments that its conduct was based on reasonable but mistaken interpretations of the statute. The panel relied heavily on an earlier Third Circuit decision addressing the same product, where that court rejected TransUnion’s argument that the product was not covered by the FCRA and explained how to reduce false matches. As the Ninth Circuit explained, “TransUnion was provided with much of the guidance it needed to interpret its obligations under FCRA with respect to OFAC alerts back in 2010,” but “[d]espite this warning, TransUnion continued to use problematic matching technology and treat OFAC information as separate from other types of information on consumer reports.”[3] The court relied on TransUnion’s failure to implement the Third Circuit’s guidance in finding the FCRA violations were willful.

The Ninth Circuit characterized TransUnion’s delay in making policy changes as “reprehensible”[4] in affirming the award of punitive damages. The court found the amount of the award was constitutionally excessive, though, and reduced it from $52 million to $32 million.

TransUnion’s petition for rehearing en banc was denied on April 8, 2020.[5] On April 15, 2020, the court stayed its mandate for 90 days pending TransUnion’s filing of a petition for writ of certiorari.[6]

Key Takeaways

The court emphasized that its decision did not change the showing required at class certification It noted that “district courts and parties should keep in mind that they will need a mechanism for identifying class members who lack standing at the damages phase.”[6] Defendants should consider how this analysis impacts arguments in opposing class certification.

Willful Violations and Punitives
The court’s analysis underscores the importance of staying on top of court rulings, particularly at the appellate level. Although TransUnion had made some changes to its OFAC notifications in accordance with the Third Circuit’s Cortez decision, under the facts of this case, the Ninth Circuit appeared to find its actions to be too little too late. Courts and juries rarely award punitive damages in FCRA suits,[7] but the prior appellate ruling and hot button terrorist watch-list topic appears to have made this case the exception.

9th Circuit: FCRA Claim Cannot Prevail Without First Providing Notice of Disputed Information

On July 14, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of a group of defendants, including a credit reporting agency (CRA) and furnisher, after determining that a consumer plaintiff failed to adequately notify the CRA of an error on her credit report. According to the opinion, the plaintiff questioned the accuracy of certain information on her credit report and requested that these inaccuracies be investigated. Defendants investigated and corrected the inaccuracies and informed the plaintiff that if she further disputed the accuracy of the reported information, she could submit additional documentation to support her claim. Plaintiff continued to believe her credit report contained inaccuracies; specifically, she contended that the CRA was misreporting the date on which her bankruptcy was discharged. But rather than notify the CRA, she instead filed suit in federal district court alleging violations under the FCRA. The defendants filed for summary judgment which the district court granted, concluding that while “the date of the bankruptcy may have continued to be misreported after the conclusion of the reinvestigation,’ there was no genuine dispute of material fact on whether [the plaintiff] notified [the CRA] of that specific reporting error.” The 9th Circuit agreed, starting that because the plaintiff failed “to provide adequate notice of this reporting error” the scope of the defendants’ duties were limited. Moreover, the 9th Circuit held that a consumer cannot prevail on a “FCRA claim without first putting the [CRA] on notice of the information that is disputed.”

Supreme Court Issued Opinion in Seila Law LLC v. Consumer Financial Protection Bureau Resolving Question of Whether the Leadership Structure of the Consumer Financial Protection Bureau (CFPB) is Constitutional

In the 5-4 decision, the majority opinion, written by Chief Justice John Roberts, ruled that the CFPB leadership structure violates the Constitution’s separation of powers. Nonetheless, seven justices agreed this does not render the entire agency unconstitutional. The Court held that the provision in the Dodd-Frank Act providing that the CFPB director may only be removed by the President “for cause,” can be struck from the statute, and the agency may continue with a director that is removable by the President “at will,” which means, the CFPB director may be removed for any reason.

International Developments

On July 16, the Court of Justice of the European Union Invalidated Decision 2016/1250 on the Adequacy of the Protection Provided by the EU-US Data Protection Shield

A decision by the European Court of Justice in Case C-311/18 (Schrems II) has invalidated the adequacy decision authorizing the Privacy Shield as a mechanism for transfers between the European Union and the United States. However, it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.

Note that the Swiss-U.S. Privacy Shield is unaffected by the decision.

The U.S. Department of Commerce has issued the following statement in response to the decision:

“The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.”

See full opinion of the Court of Justice of the European Union at:

In Wake of the Schrems II Decision From the Court of Justice of the European Union (CJEU), Several EU Data Protection Authorities (DPAs) Have Issued Guidance Indicating How They Will Interpret and Enforce

The decision impacts international data transfers from the European Union (EU) to the U.S., invalidating the EU-U.S. Privacy Shield and calling for enhanced scrutiny of Standard Contractual Clauses (SCCs). The DPAs have taken varying stances on the validity of SCCs ranging from deeming SCCs “generally still valid” subject to case-by-case analysis (e.g., France and Denmark), to advising companies to cease transfers to the U.S. and switch to service providers located in the EU or a third country with an adequacy determination (e.g., the Netherlands). Click here to read about the decision and here for a list of the current DPA guidance.

European Data Protection Board (EDPB) Released FAQ Guidance in Response to Schrems II Ruling

The guidance addresses a range of topics, including the lack of a grace period for the ruling to take effect, and whether or not SCCs are a valid transfer mechanism. The EDPB states that “supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, [ ] have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.” The EDPB provides almost identical guidance regarding the use of Binding Corporate Rules (BCRs). Click here to read the EDPB guidance.

Baker McKenzie Releases Guide for Reopening Office in Latin America

The firm released a quick guide which includes six key topics when planning to reopen the workplace around 7 jurisdictions in Latin America. To access the guide, please click on the link below.

European Commission Conducting ‘Preparatory Work’ Should ECJ Invalidate Privacy Shield

In a long-awaited case on 16 July, the ECJ will rule on whether Standard Contractual Clauses (SCCs) are a legitimate way of transferring data to legal regimes outside of the EU while respecting EU data protection law. By extension, the ECJ could also adopt a position on the validity of the Privacy Shield agreement, the mechanism used for transferring personal data between the EU and the US. It would not be the first time judges at the highest court in Europe have invalidated an EU-US data framework, after the nullification of the 2015 Safe Harbor agreement, which eventually led to the creation of the Privacy Shield.

Speaking as part of a Brussels videoconference event on Tuesday (30 June), the EU’s Justice Chief Didier Reynders was pressed on what measures that the Commission is considering, should the ECJ decide to invalidate the Privacy Shield agreement.

Reynders said the Commission was conducting “preparatory works about the different possibilities that will result from the decision of the court.” “We don’t have one plan, but we have some ideas about the different ways to give an answer, following the scope of the decision of the court,” he added, keeping his cards close to his chest, however, on the specifics of how the Commission would react to a legal invalidation of the Privacy Shield.

In a non-binding opinion in December, the ECJ found that the Commission’s standard contractual clauses (SCC), used for data transfers between EU and non-EU countries were ‘valid.’ Opinions issued by the court are normally good indications on how final rulings turn out.

The case comes following a legal challenge from Austrian privacy activist Max Schrems, who believes that the Commission’s standard contractual clauses do not adequately protect citizen’s privacy.

Such contracts are issued in the absence of a data transfer adequacy agreement between the Commission and parties outside of the bloc, in an attempt to provide sufficient data protection safeguards. They are used by thousands of businesses worldwide, including tech giants such as Facebook.

Should the court rule in favor of Schrems in July, the move could have profound consequences on the way data flows operate between EU and non-EU businesses and may oblige firms to stop making such data transfers or potentially face hefty fines.

On the Privacy Shield agreement, ECJ Attorney General Saugmandsgaard Øe’s December opinion states that the courts should not necessarily be required to rule on the validity of the accord, due to the fact that the dispute in question only concerns the Commission’s establishment of standard contractual clauses.

However, the Advocate General himself questioned the legitimacy of the agreement, stating that there are “reasons that lead him to question the validity of the ‘privacy shield’ decision in the light of the right to respect for private life and the right to an effective remedy.”

In a previous 2015 case, Schrems successfully mounted a legal challenge over the EU’s ‘Safe Harbor’ privacy principles, developed to prevent private companies in the EU or the U.S. from losing or accidentally revealing personal data belonging to citizens.

That year, ECJ Advocate General Yves Bot issued an opinion to the court that stated the Safe Harbor agreement should be rendered invalid and added that individual data protection authorities could suspend data transfers to other countries should there be evidence of data protection rights being breached.

The ECJ ultimately upheld Bot’s opinion and the Safe Harbor agreement was invalidated.

The court will deliver the ruling on the case C-311/18, Facebook Ireland and Schrems, on 16 July.

This information has been prepared by Validity Screening Solutions for informational purposes only and is not legal advice. The content is intended for general information purposes only, and you are urged to consult a lawyer concerning your own situation and any specific legal questions you may have.