FEDERAL DEVELOPMENTS
CFPB Takes Action to Protect the Public from Shoddy Data Security Practices
Financial companies may be held liable for unfairly putting customers’ data at risk
The Consumer Financial Protection Bureau (CFPB) confirmed in a circular published today that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data. The circular provides guidance to consumer protection enforcers, including examples of when firms can be held liable for lax data security protocols.
“Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” said CFPB Director Rohit Chopra. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
The CFPB is increasing its focus on potential misuse and abuse of personal financial data. As part of this effort, the CFPB circular explains how and when firms may be violating the Consumer Financial Protection Act with respect to data security. Specifically, financial companies are at risk of violating the Consumer Financial Protection Act if they fail to have adequate measures to protect against data security incidents.
Past data security incidents, including the 2017 Equifax data breach, have led to the harvesting of the sensitive personal data of hundreds of millions of Americans. In some cases, these incidents violated the Consumer Financial Protection Act, in addition to other laws. For example, in 2019, the CFPB charged Equifax with violating the Consumer Financial Protection Act to address misconduct related to data security.
Today’s circular also provides examples of widely implemented data security practices. The circular does not suggest that particular security practices are specifically required under the Consumer Financial Protection Act. However, the circular notes some examples where the failure to implement the following data security measures might increase the risk that a firm’s conduct triggers liability under the Consumer Financial Protection Act, including:
- Multi-factor Authentication: Multi-factor authentication greatly increases the level of difficulty for adversaries to compromise enterprise user accounts, and thus gain access to sensitive customer data. Some forms of multi-factor authentication, such as those using the Web Authentication standard supported by web browsers, can also protect against credential phishing.
- Adequate Password Management: Unauthorized use of passwords is a common data security issue, as is the use of default enterprise logins or passwords. Username and password combinations can be sold on the dark web or posted for free on the internet, creating risk of future breaches. For firms that are still using passwords, password management policies and practices allow for ways to monitor for breaches at other entities where employees may be re-using logins and passwords.
- Timely Software Updates: Software vendors and creators, including open-source software libraries and projects, often send out patches and other updates to address continuously emerging threats. Once an update addressing a vulnerability is announced, hackers immediately become aware that firms still running older versions of the software are potential targets. Protocols to update software immediately and to address vulnerabilities once they become publicly known can reduce a firm's exposure.
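The password-management bullet above describes monitoring for breaches at other entities where employees may have re-used logins, and for default enterprise credentials. The following Python code is an added illustration of that monitoring and is not part of the CFPB circular or this newsletter. It assumes a constructed, in-memory breached-password corpus and a constructed third-party breach list (the emails, passwords and hashes are made up, not from any real incident), and it models the lookup on the k-anonymity "hash prefix" query style used by password-exposure services, so that only a short hash prefix would ever leave the organization.

```python
import hashlib


def sha1_hex(text: str) -> str:
    """Uppercase hex SHA-1, the form used by the prefix lookup below."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus (a public breach dump
# or an exposure service). These are weak, made-up passwords, not data from
# any real breach.
BREACHED_PASSWORD_HASHES = {
    sha1_hex(p) for p in ("password123", "Welcome1", "admin", "Summer2022!")
}

# Constructed list of vendor default logins that should never be live.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed third-party breach: (email, SHA-1 of the password leaked there).
THIRD_PARTY_BREACH = [
    ("alice@example-bank.test", sha1_hex("Summer2022!")),
    ("someone@unrelated.test", sha1_hex("hunter2")),
]


def split_hash(password: str, prefix_len: int = 5):
    """Return (prefix, suffix) of the SHA-1 hash. With a k-anonymity style
    service only the short prefix is sent out; matching on the suffix
    happens locally, so the full hash never leaves the organization."""
    digest = sha1_hex(password)
    return digest[:prefix_len], digest[prefix_len:]


def lookup_prefix(prefix: str):
    """Stand-in for the remote range query: every breached hash suffix that
    shares the given prefix. A real service would return this list."""
    return {h[len(prefix):] for h in BREACHED_PASSWORD_HASHES if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password appears in the (constructed) breach corpus."""
    prefix, suffix = split_hash(password)
    return suffix in lookup_prefix(prefix)


def audit_credential(username: str, password: str):
    """Findings for one enterprise login, in a fixed order."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("default-credential")
    if is_breached(password):
        findings.append("breached-password")
    return findings


def reused_at_third_party(employees):
    """employees: iterable of (email, SHA-1 of current corporate password).
    Returns the emails whose current password hash also appears in the
    third-party breach, i.e. the employee re-used that password elsewhere."""
    leaked = {(email.lower(), h) for email, h in THIRD_PARTY_BREACH}
    return {email for email, h in employees if (email.lower(), h) in leaked}


if __name__ == "__main__":
    print(audit_credential("admin", "admin"))
    print(reused_at_third_party([("alice@example-bank.test", sha1_hex("Summer2022!"))]))
```

In practice the corporate side of `reused_at_third_party` would compare against the password-hash format the identity provider actually stores rather than plain SHA-1; the point of the example is the workflow (default-credential check, breach-corpus check, cross-entity reuse check), not the hash function.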
Read today’s Consumer Financial Protection Circular on data security.
Proposed Federal Rule Signals Remote Form I-9 Inspection of Employee Documents Will Likely Become Permanent Option
On August 18, 2022, the Department of Homeland Security (DHS) published a Proposed Rule titled Optional Alternatives to the Physical Document Examination Associated With Employment Eligibility Verification (Form I-9). The Proposed Rule would formalize the authority of the Secretary of Homeland Security to extend certain COVID-19 rules permitting remote inspection of employee documents presented for the Form I-9 and further explore alternative options to physical document examination procedures in the future. The Proposed Rule comes on the heels of the shift to remote working and hybrid schedules that have become increasingly common. DHS is accepting comments from the public on the Proposed Rule until October 17, 2022.
Background
U.S. employers are required to complete a Form I-9 for each new hire. As part of the Form I-9 process, the employer must physically examine the documents presented by the employee for employment eligibility purposes. Starting on March 20, 2022, however, DHS deferred the physical inspection requirements associated with the Form I-9 process only for those workers fully working remotely in response to the COVID-19 pandemic. This I-9 Requirement Flexibility has been extended by DHS until October 31, 2022.
The Proposed Rule
The Proposed Rule seeks to create a more permanent framework under which the Secretary of Homeland Security could authorize alternative options for Form I-9 document examination procedures for some or all employers. Such alternative procedures may be implemented as part of a pilot program, upon a determination that the procedures offer an equivalent level of security, or as a temporary measure to address public health emergencies.
While the Proposed Rule would grant the agency authority to create alternatives to the physical document examination requirement associated with Form I-9, the Proposed Rule itself does not create any such alternatives. In effect, the Proposed Rule simply seeks to give DHS discretion to establish alternative options for document examination during the Form I-9 process.
Key Points
- Changes, if any, in the Form I-9 physical document examination procedures will be reflected in a revision to the language currently in 8 CFR § 274a.2(b) and (c). According to the Proposed Rule, the revision would include additional language in paragraphs (b)(1)(ii)(A), (b)(1)(vii), and (c)(1)(ii) stating that an alternative procedure may be authorized by the Secretary for examining the documentation presented by individuals to establish identity and/or employment authorization when completing a Form I-9 when they are hired, reverified, or rehired.
- DHS is proposing changes to the Form I-9 and its accompanying instructions that would allow employers to indicate that alternative procedures were used.
- DHS is considering various document retention requirements, including requiring employers to retain copies of any documents presented remotely via video, fax, or email. DHS requests comments on any costs or increased burden for employers to retain such documentation, as well as comments on the benefits, costs, or any burdens for employees related to such document retention.
- The Form I-9 changes would allow Immigration and Customs Enforcement (ICE), when conducting an audit, to know that the employer used alternative verification procedures.
- DHS is considering adding a fraudulent document detection and an anti-discrimination training requirement for employers. For example, an employer using the alternative procedure may need to take a 30-60-minute online training on detecting fraudulent documents remotely and avoiding discrimination in the process.
DHS will review all comments submitted by October 17, 2022, and will ultimately issue a Final Rule.
STATE DEVELOPMENTS
Miya’s Law: Florida Landlords Must Conduct Specific Background Checks for Their Apartment Employees
Florida’s new Miya’s Law, Fla. Stat. 83.515, imposes background screening and other specific requirements on landlords regarding their employees who work in apartments that can be classified as “nontransient” or “transient.”
Miya’s Law is named after Miya Marcano, who was killed in her apartment by a maintenance worker having access to her apartment.
Coverage
A nontransient apartment building or complex of buildings advertises at least 75 percent of its units to renters for stays longer than a month (i.e., a typical apartment building). See Chapter 509.242, Florida Statutes. A transient apartment building or building complex advertises more than 25 percent of its units to tenants for stays less than a month. An apartment building or complex must actually rent out its units for the shorter duration at least four times per year — not merely advertise as such — to qualify as transient.
Requirements
Miya’s Law requires landlords of nontransient and transient apartment buildings to perform background screenings on employees as a condition of employment.
Effective July 1, 2022, the background screening must be performed in accordance with the federal Fair Credit Reporting Act (and applicable state law, if the candidate resides outside of Florida) and must include a search of all criminal, sex offender, and sexual predator registries from all 50 states and Washington, D.C.
The law allows a landlord to disqualify an applicant who has: (i) been convicted of; (ii) been found guilty of; or (iii) pled guilty/nolo contendere to a crime involving the disregard for the safety of others that is a felony or first-degree misdemeanor in Florida.
The law also allows a landlord to disqualify applicants with any of these types of judgments if the crime was committed in another state but would be a felony or first-degree misdemeanor if committed in Florida.
Lastly, landlords could disqualify applicants if the conviction involved violence, such as murder, sexual battery, robbery, carjacking, home-invasion robbery, and stalking.
In addition to requiring the background screenings, Miya’s Law also mandates that landlords maintain a log for all keys for each unit and establish protocols for issuing, returning, and storing unit keys.
Every landlord must provide proof of either the background screenings or the key log procedures should Florida’s Division of Hotels and Restaurants request it.
Lodging, Food Service, Campgrounds
Miya’s Law also amends existing safety regulations for lodging, food service, and membership campgrounds, requiring those establishments to implement the same background screening process discussed above, effective January 1, 2023.
Other Changes
Covered property owners should be aware of two other changes not directly related to employment. First, a landlord may enter a dwelling to make repairs only after providing reasonable notice prior to entry: at least 24 hours, which Miya’s Law increased from 12 hours.
Second, any operator of a public lodging establishment is prohibited from charging by the hour for accommodations it must make for its guests. This does not include any late checkout fees. The prohibition went into effect when Governor Ron DeSantis signed Miya’s Law on June 27, 2022.
***
While Miya’s Law is Florida-specific, this new background check standard is instructive to employers grappling with how to make legal and business-appropriate post-offer decisions relating to someone’s criminal conviction in today’s highly sensitive environment. Often, the challenge is making an individualized assessment, when appropriate or required, considering all of the job-related factors and business necessity prior to denying employment.
New York City and Colorado Are First to Require Compensation Ranges in Job Postings
New York City and Colorado have recently adopted laws that require covered employers to provide wage ranges in job advertisements in an effort to narrow the gender wage gap and encourage pay transparency.
New York City Pay Transparency Law
Effective Date: November 1, 2022
Covered Employers: The New York City Pay Transparency Law (the “Law”), as amended, applies to employers with four or more employees or one or more domestic workers in New York City. All four employees do not need to work in New York City or the same location for an employer to be covered. Employers are covered as long as one of the employees works in New York City. Independent contractors are counted toward the threshold, along with owners and individual employees.
Requirements: The Law will make it a discriminatory practice for an employer (or an employee or agent of an employer) to advertise a job, promotion, or transfer opportunity without stating the minimum and maximum annual salary or hourly wage for the position in the advertisement. In stating the minimum and maximum annual salary or hourly wage for a position, the range may extend from the lowest to the highest annual salary or hourly wage the employer in good faith believes at the time of the posting it would pay for the advertised job, promotion, or transfer opportunity. However, the range cannot be open-ended.
Remote Workers: The law does not apply to “positions that cannot or will not be performed, at least in part, in the city of New York.” Therefore, covered employers hiring for remote positions will still be required to post a salary or hourly wage range, regardless of where the position is actually performed, as it is possible for remote positions to be performed, at least in part, in New York City.
Enforcement: The Commission on Human Rights will also investigate complaints alleging violations of the salary transparency protections. In addition to filing complaints with the Commission on Human Rights, a current employee can bring a claim against their employer for a violation of the Law in relation to an advertisement by their employer for a job, promotion, or transfer opportunity. The Law also includes a safe harbor provision, where employers who are alleged to have violated the law will not have to pay any fine for the first violation if they cure and submit proof that they have cured the violation within 30 days of receiving the complaint, and the Commission accepts proof of the cure. However, doing so will be deemed an admission of liability.
Colorado Equal Pay Act
Effective Date: January 1, 2021
Covered Employers: The Colorado Equal Pay for Equal Work Act (the “Act”) applies to all employers that employ at least one employee in Colorado.
Requirements: The Act imposes requirements on covered employers to disclose compensation in job postings, notify employees of promotional opportunities, and keep wage rate and job description records. In regard to the job posting requirements under the Act, employers are specifically required to provide a 1) compensation range, 2) general description of any bonuses, commissions, or other compensation, and 3) general description of benefits in their job postings for the particular job advertised. A job “posting” is defined as any written or printed communication that the employer has a specific job or jobs available or is accepting job applications for a particular position or positions.
Employers must include a good-faith and reasonable estimate of the possible compensation range at the time the job was posted. This includes both hourly and salary compensation ranges. Employers cannot leave the bottom or top end of the compensation range open-ended.
Job postings must also contain a general description of benefits, including health care benefits, retirement benefits, and any benefits permitting paid days off (including sick leave, parental leave, and paid time off or vacation benefits). Furthermore, employers must describe the nature of the benefits provided but do not need to provide specific details or dollar values. Employers cannot use open-ended phrases such as “etc.,” or “and more.”
Remote Workers: Colorado’s law applies to any posting by a covered employer for either work tied to Colorado locations or remote work performable anywhere, but not work performable only at non-Colorado worksites. Therefore, a remote job posting, even if it states that the employer will not accept Colorado applicants, remains covered by the Act’s transparency requirements.
Enforcement: The Act’s pay transparency requirements are enforced by the Colorado Department of Labor and Employment Division of Labor Standards and Statistics (the “Division”). Employees can file a complaint with the Division, who can investigate and enforce the provisions under the Act, or the Division can initiate an investigation without any formal complaint. If the Division determines that the employer has committed a violation of the Act, it may order the employer to undertake actions to bring itself into compliance and remedy the violation, and/or fine the employer $500 to $10,000 for each violation.
New Private Employee Protections in Connecticut Curtail Employer Political/Religious Communications
Private Connecticut employers must be careful about imposing their political or religious views on their employees, as a result of a new restriction on employer speech that took effect July 1, 2022. While apparently intended to target union opposition, the law has much broader application.
Titled “An Act Protecting Employee Freedom of Speech and Conscience,” the law has largely been discussed and presented in the media and on other blogs as targeting “captive audience meetings,” in which employers would address the union organizing process and present their case for why a union may not be beneficial for their employees. In prior years, the Connecticut attorney general had advised that a law specifically prohibiting employers from requiring employees to attend those meetings was likely to be invalidated on the grounds that it was preempted by the federal National Labor Relations Act.
The Connecticut legislature therefore went broader – much broader – and tacked a passing reference to unions on to what is now a law that grants Connecticut employees a protected right to refuse to:
- attend any employer-sponsored meeting, or
- otherwise listen to or view communications,
that are primarily intended to communicate the employer’s opinion on religious or political matters. If you want to know more about the union organizing implications of this law, I encourage you to read the articles posted by Ogletree Deakins and Littler on the subject. I instead want to focus on the scope of the law beyond the union context.
“Political matters” are defined to include elections, political parties, proposed legislation or regulations, and “the decision to join or support any political party or political, civic, community, fraternal or labor organization.” “Religious matters” are defined to relate to religious affiliation and practice and the decision to join or support any religious organization or association. Employers who discipline or threaten to discipline an employee for refusing to attend an employer meeting or listen to or view a communication on one of these subjects are liable to the employee for gross loss of wages, costs and reasonable attorney’s fees.
Given the breadth of the law’s opening language and the potential chilling effect on workplaces as employers parse what comprises political or religious speech, the law offers a few limited and somewhat vague exceptions, to exclude communications:
- of legally required information;
- of information that is necessary for employees to perform their job;
- that are part of coursework, symposia or an academic program involving an institution of higher education;
- amounting to casual, non-mandatory conversations between employees or with an agent or representative of the employer; or
- that are limited to the employer’s managerial and supervisory employees.
Religious organizations also are generally exempt from the act with regard to speech to employees on religious matters.
This is a somewhat fraught time for employers to face restrictions on what they can communicate pertaining to political and religious views. Some employers, wrestling with the Supreme Court’s recent abortion decision in Dobbs v. Jackson Women’s Health Org. and employee reactions to that decision, have been modifying their benefit programs, holding support sessions, or otherwise communicating perspectives related to abortion. In Connecticut, these employers now need to ensure that their messaging and meetings steer clear of the restrictions imposed by the new “freedom of speech and conscience protections.”
And similarly, as we head into a contentious election year, Connecticut employers must be extra cautious about not requiring or pressuring employees to attend meetings the employer may host with politicians, and in reviewing any communications the employer may make on the elections, legislative proposals, and other political issues. It often is not a good practice for employers to impose their political views on employees – it can hurt morale and may not serve any business purpose. But when “political matters” are defined to include both proposed legislation or regulations – which often do pertain quite directly to business issues – and arguably more innocuous or even desirable actions like “get out the vote” drives that are not specific to any one political party, employers need to undertake careful calculations to ensure their conduct is not deemed to run afoul of the free speech law. Those employers who are uncertain how to proceed should consult with legal counsel.
COURT CASES
Third Circuit uses “reasonable reader” standard to determine credit reports were not inaccurate or misleading under FCRA
The U.S. Court of Appeals for the Third Circuit has ruled that in determining whether a credit report is accurate or misleading under the Fair Credit Reporting Act’s “maximum possible accuracy” requirement, a district court should apply a “reasonable reader” standard. Ballard Spahr attorneys are currently representing clients in cases involving this legal issue.
Bibbs v. Trans Union LLC was one of three district court cases consolidated on appeal in which the plaintiff alleged that Trans Union had violated the FCRA requirements (1) in 15 U.S.C. Sec. 1681e(b) for a consumer reporting agency (CRA) to “assure maximum possible accuracy” in its credit reports, and (2) in 15 U.S.C. Sec. 1681i(a) for a CRA to “conduct a reasonable reinvestigation to determine whether [information disputed by the consumer] is inaccurate.” The plaintiffs in each of the three cases had obtained student loans, with two of the plaintiffs having obtained their loans from the same lender. Following nonpayment by each of the plaintiffs, their respective lenders closed their accounts and transferred them. Once the loans were transferred, their account balances with the lenders immediately went to zero and all of their payment obligations were transferred. Each plaintiff’s credit report contained the same negative pay status notation: “Account 120 Days Past Due Date.”
It was undisputed that (1) the plaintiffs failed to make timely payments on their loans, (2) Trans Union accurately reported their accounts as late until the dates they were closed and the balances were transferred, and (3) the plaintiffs owed no balance to their previous creditors once the accounts were transferred. The plaintiffs argued that the negative pay status notations on their credit reports were inaccurate and could mislead prospective creditors to incorrectly assume that the plaintiffs were currently more than 120 days past due. The plaintiffs’ lawyers sent letters to Trans Union disputing the accuracy of the credit reports in which they stated that it was impossible for the plaintiffs’ current status to be listed as late when they owed no money to the previous creditors. After investigating the disputes, Trans Union sent each plaintiff a report with the results of its investigation in which it explained that for accounts that have been closed and paid, the pay status represented the last known status of the account. Trans Union did not update or correct the disputed information and instead stated that the reports were correct.
The district court in each case granted Trans Union’s motion for judgment on the pleadings and dismissed the case without ordering further discovery. On appeal, the Third Circuit first considered whether it was correct for the district courts to use a “reasonable creditor” standard to determine whether Trans Union’s credit reports were misleading. The plaintiffs argued that even if the reports would not mislead a “reasonable creditor,” other less sophisticated users could be misled. After looking at the FCRA’s definition of “creditor” which includes “any person” who engages in the activities described, the Third Circuit found it “unreasonable to assume that Congress, in requiring ‘maximum possible accuracy’ and allowing individuals and entities other than sophisticated creditors to use credit reports to make decisions, drafted the FCRA with the intention that only sophisticated creditors should understand the information that these reports contain.” (emphasis included)
Despite finding that the “reasonable creditor” standard did not exclude unsophisticated individuals and entities, the Third Circuit nevertheless concluded that the term “reasonable creditor” did not accurately reflect the FCRA’s intent because the FCRA does not limit the permissible use of consumer reports to creditors and contemplates a range of permissible users. To account for these possibilities, the Third Circuit adopted a “reasonable reader” standard. It characterized the “reasonable reader” standard as “run[ning]the gamut to include sophisticated entities like banks and less sophisticated individuals such as local landlords.” According to the Third Circuit:
A court applying the reasonable reader standard to determine the accuracy of an entry in a report must make such a determination by reading the entry not in isolation, but rather by reading the report in its entirety. On the other hand, if an entry is inaccurate or ambiguous when read both in isolation and in the entirety of the report, that entry is not accurate under Sec. 1681e(b).
Applying the “reasonable reader” standard to Trans Union’s credit reports, the Third Circuit concluded that the reports were not inaccurate or misleading. Trans Union argued that when read in the entirety of the reports, the pay statuses were clearly historical notations. It asserted that since each report also indicated in two places that the account was closed and listed a $0 loan balance, the past due status could not create ambiguity regarding a plaintiff’s financial obligations.
While stating that “perhaps Trans Union could have made the reports even clearer,” the Third Circuit nevertheless found the reports to be clear as is. It acknowledged that despite the “goal” of maximum possible accuracy set by Sec. 1681e(b), “the possibility of further clarity is not an indication of vagueness; just because a report could potentially be a bit clearer does not mean that it is not very clear at present.” Agreeing with Trans Union, the Third Circuit found that a reasonable interpretation of Trans Union’s reports in their entirety was that the pay status of a closed account was historical information. As a result, the Third Circuit held that the reports were accurate under Sec 1681e(b).
In affirming the district courts’ grants of summary judgment to Trans Union, the Third Circuit also ruled that the district courts had correctly dismissed the plaintiffs’ claims that Trans Union violated Sec. 1681i(a) by failing to conduct a good faith investigation. It considered the plaintiffs’ claims under 1681i(a) to be foreclosed by its holding that the pay status notations were neither inaccurate nor misleading to a reasonable reader.
Finally, the Third Circuit rejected the plaintiffs’ argument that discovery was necessary to determine whether the pay status notations would mislead a creditor and whether creditors were likely to make adverse credit decisions against the plaintiffs based on the lower credit scores caused by the notations. Because it considered the reasonable reader standard to be an objective and not a subjective standard, the Third Circuit deemed the credit reports to be accurate under 1681i(a) as matter of law, thereby making discovery unnecessary. The Third Circuit noted that even if the pay status notations reduced the plaintiffs’ credit scores, “this sort of adverse historical notation and consequence” was permissible under Sec. 1681e(b) and that while the reduced credit scores could lead creditors to make adverse credit decisions, “it would be within their right to do so because [the plaintiffs’] credit reports are accurate.”
Despite Decriminalization Of Adult Recreational Use Of Marijuana, Court Finds Its Use Is Not Lawful
Nevada’s voters decriminalized adult recreational use of marijuana by voter initiative. See Secretary of State, Statewide Ballot Initiative Question No. 2, 14 (Nov. 8, 2016, effective Jan. 1, 2017). Marijuana nonetheless remains illegal under federal law and may be prosecuted under the Controlled Substances Act. See 21 U.S.C. § 844(a). The question therefore arises whether adult recreational use of marijuana is “lawful” in Nevada.
NRS 613.333 grants employees a private right of action if they are terminated for engaging in “the lawful use in this state of any product outside the premises of the employer during the employee’s nonworking hours”. When the Palace Station casino terminated one of its dealers for a positive test for marijuana, he sued for lost wages and benefits under the statute. Yesterday, the Nevada Supreme Court held that because federal law criminalizes the possession of marijuana in Nevada, its use is not lawful in the state. Therefore, the erstwhile employee had no cause of action under NRS 613.333. Ceballos v. NP Palace, LLC, 138 Nev. Adv. Op. 58.
INTERNATIONAL DEVELOPMENTS
German Court Rules EU Subsidiaries no Defence against Schrems II
A German procurement court has expanded the impact of Schrems II by ruling that even the hosting of data by European subsidiaries of US companies constitutes an unacceptable risk to the digital rights of EU citizens.
Is medical history protected by discrimination law in Belgium?
Belgium has prohibited discrimination based on an individual’s ‘current or future state of health’ since 2007. On 7 July 2022, a bill was passed which broadens this. The concept of ‘current or future state of health’ is replaced by ‘state of health’, meaning that an individual’s past state of health is now also protected by the Anti-Discrimination Act.
Before this amendment, the 2007 Anti-Discrimination Act only prohibited discrimination on the basis of ‘present or future state of health’. This implied that people could, in principle, be discriminated against on the basis of a past illness from which they were now cured or in remission. For example, a person who had had cancer in the past and was denied a job because the employer feared s/he would relapse was not protected.
The bill changes this. An employer who discriminates on the basis of an employee’s medical history can now be ordered to pay damages amounting to six months’ salary. The employee or candidate who feels discriminated against, for example, during a job application or by his or her dismissal, only has to prove a presumption of discrimination. Case law takes into account the chronology of the facts. It will then be up to the employer to prove that the decision to dismiss or not to hire was taken on non-discriminatory grounds.
Nevertheless, this change is not entirely new. Both national CBA no. 38 on the recruitment and selection of employees and national CBA no. 95 on equal treatment during all phases of the employment relationship already apply the protected criterion of ‘medical history’. However, unlike the Anti-Discrimination Act, these collective bargaining agreements do not provide for compensation for the victim of discrimination.
Concretely, in the Anti-Discrimination Act, the words ‘current or future state of health’ will be replaced by the phrase ‘state of health’, so that a past state of health is also covered. This will also put an end to the ambiguity that existed on this topic and the differing interpretations in case law and legal doctrine.
It is worth noting that a distinction based on an individual’s state of health is not prohibited in all circumstances. As long as the employer can justify the difference in treatment on the basis of a legitimate aim and demonstrate that the means of achieving that aim are necessary, there is no discrimination.
Action point
Through an amendment to the Anti-Discrimination Act, it is now not only forbidden to discriminate on the basis of an employee’s or candidate’s current or future state of health, but also on the basis of his or her medical history. An employer who cannot justify discrimination based on the state of health will face the risk of having to pay compensation of six months’ salary to the discrimination victim.
EU: CJEU finds data indirectly disclosing sexual orientation as sensitive personal data
The Court of Justice of the European Union (‘CJEU’) issued, on 1 August 2022, its preliminary ruling in OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania) (Case C-184/20) referred to it by the Regional Administrative Court of Lithuania. In particular, the CJEU clarified that personal data liable to indirectly disclose the special categories of a natural person constitutes processing of special categories of personal data for the purpose of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
Background to the decision
More specifically, the CJEU stated that the questions referred in the case concerned a decision of the Chief Official Ethics Commission of Lithuania finding that OT had failed to fulfil the obligation to lodge a declaration of private interests, in breach of Article 10(1) of the Law on the reconciliation of interests, Law No VIII-371 of 2 July 1997. In this regard, the CJEU noted that the following questions had been referred:
- Must Article 6(1)(e) of the GDPR on processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, with regard to Article 6(3) of the same, be interpreted as precluding a national provision that provides for the placing online of personal data contained in the declaration of private interests that any head of an establishment receiving public funds is required to lodge with the national authority responsible for collecting such declarations and checking their content?
- Must the prohibition of the processing of special categories of personal data established in Article 9(1) of the GDPR, in light of Article 9(2) of the same and particularly Article 9(2)(g), be interpreted as meaning that national law may not require the disclosure of data relating to declarations of private interests which may disclose personal data, including data regarding a person’s political views, trade union membership, sexual orientation, and other personal information?
Findings of the CJEU
Ultimately, with regard to the first question referred to it, the CJEU found that Article 6(1) and (3) of the GDPR, read in light of other relevant EU legal instruments, must be interpreted as precluding national legislation that provides for the online publication of the declaration of private interests that any head of an establishment receiving public funds is required to lodge, in so far as, in particular, that publication concerns name-specific data relating to their spouse, cohabitee or partner, or to persons who are close relatives of the declarant or known to the declarant, among other things.
Moreover, with regard to the second question referred to it, the CJEU found that Article 9(1) of the GDPR must be interpreted as meaning that the publication of personal data on the authority’s public website that indirectly discloses the sexual orientation of a natural person constitutes processing of special categories of personal data under the GDPR.
You can read a summary of the judgment here.
Turkey: KVKK publishes banking industry good practices guide on protection of personal data
The Personal Data Protection Authority (‘KVKK’) published, on 5 August 2022, the banking industry good practices guide on protection of personal data. In particular, the guide sets forth the procedures and principles to be complied with and the obligations to be fulfilled within the framework of the Personal Data Protection Law No. 6698 (‘the Law’). However, the guide highlights that the Personal Data Protection Board will make its assessment, taking into account the specifics of the concrete case, and that it will conduct ex officio examinations where a complaint has been submitted to it or in the case of an alleged violation.
Moreover, the guide provides guidance to data controllers in relation to personal data processing activities carried out by banks in accordance with the Law and the secondary legislation issued by the Personal Data Protection Board, as well as practice examples in this context.
You can read the guide, only available in Turkish, here.
How does the proposed American Data Privacy and Protection Act compare to the GDPR?
The American Data Privacy and Protection Act (“ADPPA”) is on its way to changing the face of U.S. data protection legislation on a federal level. This will impose new data protection obligations on organizations operating in the U.S. But how does this proposed legislation stack up to the GDPR? Osborne Clarke has reviewed and analyzed the new amended ADPPA bill and has compared it against the GDPR. While the in-depth analysis is available for download below, this Insight summarizes our key findings.
The ADPPA was introduced in the U.S. House of Representatives in July 2022. This is the first time that federal privacy legislation in the U.S. has advanced to a full chamber vote of the House. The introduction of the ADPPA marks a significant milestone, even if the further legislative process is expected to be delayed by the U.S. midterm elections in November this year.
The ADPPA, if and when adopted by the U.S. federal legislators, will be the first federal privacy legislation with the aim of harmonizing privacy rules in the U.S. The status quo of data protection developments in the U.S. varies on a state-by-state basis. The California Consumer Privacy Act from 2018 (which came into effect in 2020) was followed by state privacy acts in Colorado, Rhode Island, Utah, and Virginia, as well as active bills currently under discussion by the state legislators in Massachusetts, Minnesota, New Jersey, Ohio, and Pennsylvania, which has resulted in a very fragmented privacy landscape in the U.S.
The ADPPA vs the GDPR
Similarities of the amended ADPPA bill to the GDPR:
The general concept of the ADPPA is similar to many other national privacy laws, including the GDPR. Examples of these similarities include (in general terms):
- The key principles of transparency, data minimization, necessity and proportionality apply.
- The scope of data protected by the ADPPA is very broad and overlaps significantly with the definition of personal data under the GDPR. The ADPPA applies to “covered data”, referring to information that identifies (or could be linked with other information to identify) an individual. However, “covered data” has significant exclusions (see below in differences of the ADPPA to the GDPR).
- Different roles are associated with different types of obligations (for instance, a “covered entity” under the ADPPA is comparable to a controller under the GDPR and a “service provider” under the ADPPA is comparable to a processor under the GDPR).
- Certain types of organizations subject to the ADPPA will be required to produce and maintain documents which are similar to those required under the GDPR, such as privacy policies, contracts with service providers and impact assessments.
- The concept of “sensitive covered data” under the ADPPA is comparable to the concept of special categories of personal data in that this type of data enjoys special protection under the ADPPA. However, the definition of “sensitive covered data” differs significantly from the definition of special categories of personal data under the GDPR (see below in differences of the ADPPA to the GDPR).
- “Individuals” have rights to request access, correction, and deletion of “covered data” and to port “covered data” subject to certain conditions.
Differences of the amended ADPPA bill to the GDPR
There are key differences to the application of the ADPPA. Examples of these differences between the amended ADPPA bill and the GDPR are as follows:
- “Covered data” has some significant exclusions as the term does not include employee data and data that has been put in the public domain (see no. 1 of the in-depth-analysis).
- The term “individuals” (comparable to the term data subjects under the GDPR) only covers U.S. residents (see no. 2 of the in-depth-analysis).
- The term “covered entity” does not include federal, state, or governmental bodies (see no. 3 of the in-depth analysis).
- “Sensitive covered data” includes information which is not considered special categories of personal data under the GDPR, such as government-issued identifiers, financial account numbers, precise geolocation, private communication, and information relating to individuals under the age of 17 (see no. 8 of the in-depth-analysis).
- “Covered entities” and “service providers” that qualify as “large data holders” are subject to additional obligations under the ADPPA, whereas small businesses are exempt from certain obligations in order to reduce their administrative and financial burdens, namely in the area of data security (see no. 3 of the in-depth analysis).
- Companies of the same group are not considered “third parties”. This may result in a privilege for data transfers within a group of companies, unlike the GDPR, as such data transfers would seem to be excluded from the requirements for transfers to “third parties” (see no. 3c and 10 of the in-depth analysis).
- The rights of the “individuals” such as for access, deletion, and correction are further restricted compared to the restrictions under GDPR (see no. 12 of the in-depth analysis).
- There are no specific enforcement instruments under the new ADPPA on a federal level. On a state level, the ADPPA would be enforced by the state attorney general bringing a civil action against an organization. As such, there are no specifically defined fines, unlike under the GDPR, but organizations that breach the ADPPA could still be liable to pay damages.
Osborne Clarke Comment
Whilst the ADPPA would create a data protection regime in the USA which is more similar to that of the EU under the GDPR, the ADPPA is in many ways different to the GDPR. Should the ADPPA come into force, multi-national companies will need to know the details of the new legislation. Such companies should also understand how the requirements of the ADPPA can be addressed by leveraging any compliance documentation and procedures already existing at the company, in order to avoid a fragmented and unharmonized privacy compliance program. As global privacy compliance programs are often built on the GDPR requirements, it will be key to understand the similarities and differences between the ADPPA and the GDPR.
In addition, the increasing number of U.S. state legislation on privacy may be an additional compliance challenge depending on how the U.S. will solve the question of pre-emption (see no. 17 of the in-depth analysis).
As concerns data transfers under the GDPR to the U.S. in light of the Schrems II decision, we expect that the ADPPA will not have a significant positive impact because the definition of “covered data” protected by the ADPPA only applies to data of U.S. residents.
Special (Category) Edition: CJEU Adopts Broad Interpretation of “Special Categories” of Personal Data Under GDPR
Earlier this month the Court of Justice of the European Union (“CJEU”) issued a decision adopting a surprisingly broad interpretation of the “special categories of personal data” under GDPR. Under GDPR Article 9, such data includes “personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” Article 9(1) expressly prohibits the processing of that data unless one of the conditions specified in Article 9(2) applies, such as when the data subject has explicitly consented to the processing.
In its decision, the CJEU held that personal data elements that do not themselves directly reveal any “special category” data can be subject to Article 9’s restrictions if they indirectly reveal special category data through an “intellectual operation” involving cross-referencing or deduction.
This post examines the CJEU’s decision, and the impact it could have for organizations whose processing implicates its holding.
Case Background
The CJEU ruling arose from a Lithuanian anticorruption case. A Lithuanian public ethics regulator alleged that Lithuanian law required an executive at an organization in receipt of public funds to file a declaration making certain disclosures, including any spouse or partner name. The declaration would then be published on the internet. The executive argued that his filing of that declaration and its subsequent publication on the internet would violate his privacy and the privacy of any other individuals identified.
The referring court in Lithuania found the executive’s argument had some merit and noted in particular that the declaration’s collection of information such as spouse or partner name could reveal sensitive data such as “the fact that the data subject is cohabiting or is living with another person of the same sex.” The referring court therefore asked the CJEU to address whether the publication of declaration responses that could indirectly reveal special categories of data is subject to GDPR Article 9.
The CJEU’s Ruling
The CJEU held that the publication of “personal data that are liable to disclose indirectly the sexual orientation of a natural person” constitutes processing subject to GDPR Article 9. The analysis focused on the verb “reveal” in Article 9’s recitation of special data categories. To that end, the court found that “reveal” captures “not only . . . inherently sensitive data, but also . . . data revealing information of [a sensitive] nature indirectly, following an intellectual operation involving deduction or cross-referencing.”
The CJEU also stated that a broad conception of personal data subject to Article 9 accords with GDPR’s purpose of providing “a high level of protection of the fundamental rights and freedoms of natural persons, in particular of their private life.” The court held that applying its broad interpretation of “reveal” meant “the publication, on [a] website . . . of personal data that are liable to disclose indirectly the sexual orientation of a natural person constitutes processing of special categories of personal data” under GDPR Article 9.
While the decision is thus clear that data indirectly revealing special categories of data can be subject to GDPR Article 9, it leaves open several key issues for organizations to wrestle with, including:
- What activities constitute “intellectual operations involving deduction or cross-referencing?”
- Relatedly, is there a point at which the relationship between distinct data elements becomes too attenuated to “indirectly” reveal special categories?
- Should organizations assume that conclusions about sensitive data that could theoretically be drawn based on cross-referencing or deduction from available non-sensitive data are always accurate with respect to the data subject?
What to Do in Response
The CJEU ruling means that organizations may need to treat more personal data and combinations of personal data as special category data, and implement measures designed to satisfy the specific conditions that Article 9 imposes on the processing of that data. For example, under the CJEU’s reasoning, an employer collecting an employee’s spouse’s name for emergency contact purposes could be processing special category data if the name reveals the sexual orientation of the employee, in which case the data could be processed only if one of the conditions in Article 9(2) applies.
To address the associated compliance risk, organizations whose processing is subject to GDPR should take these three steps.
1. Assess data elements processed to identify their potential to indirectly reveal special categories.
Organizations should carefully assess their personal data processing activities and relevant data elements to determine whether any data elements or combinations of data elements could indirectly reveal special categories. To be sure, the ambiguity left by the CJEU’s decision around the key interpretative issues noted above will make it difficult to reach definitive conclusions and will require some consideration of an organization’s general risk tolerance. But the CJEU’s reasoning suggests that, at a minimum, data elements presented side-by-side or in the same dataset (like in the declaration form at issue in the Lithuanian case) could constitute special category data when that presentation naturally leads to a sensitive inference.
2. Ensure Article 9 legal bases for processing for any indirect special category data are established.
If an organization does determine that it is processing indirect special category data, it should then ensure there is an appropriate legal basis for that processing under Article 9. If, for example, consent is the basis for the processing of any non-sensitive data elements, the consent language should be explicit and broad enough to cover any indirect special category data or combinations of data as well.
3. Update other GDPR-required compliance measures as necessary.
Additional GDPR compliance updates, such as special category processing descriptions in privacy notices and Article 32 processing records, may also need to be updated to account for any indirect special category data.
* * *
The CJEU’s interpretation for special category data is likely broader than the standard many organizations applied when implementing their GDPR compliance programs. Organizations should thus review those programs, and adjust them as appropriate, to account for the CJEU’s decision.
Data Transfers from European Companies to Their Non-European Affiliates
[Diagram: Controller A-1 (EEA) → Controller A-2 (Non-EEA); original image not reproduced]
Brazil: Chamber of Deputies announces bill on data processing for state security under LGPD
The Chamber of Deputies announced, on 12 August 2022, Bill 1515/22 which regulates the application of the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (‘LGPD’) for purposes of state security, national defence, public security, and investigation and prosecution of criminal offences. In particular, the Chamber of Deputies explained that the bill prohibits the processing of data related to national security and defence by private companies, except in processes required by a legal entity governed by public law.
In regard to access to information, the Chamber of Deputies noted that the individual may have access to their personal data upon request to the competent authorities. On this point, the Chamber of Deputies clarified that a request can be denied with justification, which is subject to questioning by the Brazilian data protection authority (‘ANPD’) or legal action. In regard to data transfers, the Chamber of Deputies clarified that the bill allows the transfer of personal data to an international organisation or agent abroad that works in the areas of public security, national defence, and criminal prosecution.
Finally, the Chamber of Deputies noted that in cases of violation, the bill provides for the partial suspension of the operation of the database for up to two months, as well as holding the agent accountable in the administrative and criminal scope.
You can read the press release here and access the bill as well as track its progress here, all only available in Portuguese.
Cuba: Law on Personal Data Protection published in Official Gazette
Law 149/2022 on Personal Data Protection was published, on 25 August 2022, in the Official Gazette of the Republic of Cuba, indicating that the National Assembly of People’s Power (‘ANPP’) had adopted it. Accordingly, the Ministry of Justice, which will be responsible for ensuring compliance with the law, announced, on 25 August 2022, the publication of the law and clarified that it had previously been approved by the ANPP on 14 May 2022; the ANPP noted, in its fifth session, that Article 97 of the Constitution of the Republic of Cuba recognises the rights of every individual to access their personal data and to non-disclosure of their personal data. Consequently, the Ministry added that the law applies to the use of personal data, including gender, age, voice, and skin colour, by any natural or legal persons, as well as the mass media. Additionally, the Ministry indicated that the law provides security to individuals with data stored in records, files, and databases, and information of a public nature, as well as rights to deletion and modification, including any such correction, rectification, or update, of their personal data.
More specifically, the law provides requirements for persons controlling or processing databases of personal data, data transfers, personal data protection principles, rights of data holders, data retention, and processing personal data obtained through video cameras or any such device.
In relation to enforcement of the law, according to Section 4, natural or legal persons who fail to comply with its provisions may receive a warning, a fine of up to CUP 20,000 (approx. €830), an order suspending the database for up to five days, or an order closing the register, file, archive, or database. Moreover, the law also provides that sanctions may be appealed in writing within ten days following the date of notification. Additionally, the law states that the competent authority who may impose sanctions relating to the protection of personal data will be officials expressly authorised by the Central Administration of the State and national entities.
Lastly, the law will enter into force 180 days following its publication in the Official Gazette.
MISCELLANEOUS DEVELOPMENTS
Restrictions on Hiring Personnel with Criminal Histories in the Insurance Industry
Over the last several years, federal and state governments have pushed employers to reemploy offenders, such as through tax incentives and subsidized training. Despite the public interest in such initiatives and programs, the insurance industry should take caution and consider specific, ongoing statutory obligations regulating or barring employment of individuals with certain criminal records.
Insurers should review their post-offer screening processes for prospective employees and agents to ensure each hiring or engagement is contingent on confirmation of eligibility to work under 18 U.S.C. § 1033 (Section 1033). Section 1033 was passed as part of the Violent Crime Control and Law Enforcement Act of 1994. The statute prohibits individuals who have been convicted of a felony “involving dishonesty or a breach of trust,” or an offense listed under Section 1033 (which includes, among others, embezzlement and theft), from engaging in the “business of insurance” without the written consent of an insurance regulatory official. 18 U.S.C. § 1033(e). Section 1033 also prohibits those engaged in the insurance business from permitting individuals covered by the above categories to engage in the “business of insurance.” Id. Violations may lead to various consequences including a civil penalty of up to $50,000 for each occurrence. 18 U.S.C. § 1034.
Section 1033 defines “business of insurance” broadly as “the writing of insurance,” or “the reinsuring of risks, by an insurer,” including “all acts necessary or incidental to such writing or reissuing.” 18 U.S.C. § 1033(f)(1).
Therefore, to comply with Section 1033, an insurer must determine whether the role of a prospective employee or agent will involve the “business of insurance” and, if so, whether that individual has been convicted of a crime involving dishonesty, breach of trust or a violation of Section 1033. Crimes involving dishonesty generally include some element of deceit or falsification, such as perjury, fraud, embezzlement, theft or bribery. Crimes involving a breach of trust often are based on a wrongful act violating the fiduciary relationship — for example, an estate executor who misappropriates estate funds. To compound things further, a conviction may cover certain deferred sentences and may, or may not, be subject to expungement laws.
To be sure, an insurer may still hire or engage an individual with a disqualifying Section 1033 conviction if the prior written consent is obtained from governing insurance regulatory officials. To obtain consent, called by some a Section 1033 waiver, the individual must complete and submit the application materials required by each governing state’s insurance commissioner or regulatory body. The National Association of Insurance Commissioners Guidelines explain that a prospective employee should apply in the state where the applicant’s most substantial work will be performed (if applicable) or the insurance company’s state of domicile. Individuals who are applying for a license as a producer or other licensed insurance professional should apply in the state issuing the resident license.
Although an individual must apply for a waiver herself, an insurer may need to assist in the process. For example, Pennsylvania’s waiver application requires a sworn affidavit from the insurer’s president or designated officer, as well as details about the proposed employment or business relationship with the insurer.
The sensitivity associated with using criminal history data, the regulations governing background checks and consumer credit reporting compliance, and employment discrimination laws that limit, if not prohibit, the use of arrest and conviction records as racially discriminatory all intersect to make Section 1033 compliance even more difficult. For example, the U.S. Equal Employment Opportunity Commission has explained that although Title VII (the federal anti-discrimination law) does not preempt federally imposed restrictions governing the employment of individuals with specific convictions, policies that impose exclusions beyond those restrictions may be subject to Title VII analysis.
Therefore, each insurer should regularly evaluate its recruiting, screening, hiring and onboarding processes to comply with best practices in the human resources profession, to adhere to employment discrimination laws and to avoid violations of Section 1033. That includes understanding waiver requirements to learn what information may be required for an individual’s waiver application and to assist the individual with the application process. Insurers also should be prepared to explain and defend the processes used for screening applicants if ever challenged under anti-discrimination laws or other theories.
The CDC’s Revised COVID-19 Rules
As the COVID-19 pandemic continues to evolve, the Centers for Disease Control and Prevention (CDC) has once again issued new guidance on August 11, 2022.
The CDC has revised its guidance several times since the start of the pandemic in March 2020. However, this time, some commentators see the latest revisions to the CDC’s updated guidance as signaling a strategic shift in the pandemic. Many also see it as reaching the new normal given the existence of vaccines, immunity, and treatments. As Greta Massetti, PhD, MPH, MMWR author stated, “[t]his guidance acknowledges that the pandemic is not over, but also helps us move to a point where COVID-19 no longer severely disrupts our daily lives.”
What has changed?
The CDC has further loosened its COVID-19 guidance and – in particular – its guidance related to isolation. The main change is that individuals, regardless of their vaccination status, are no longer recommended to quarantine after being exposed to the virus, as long as they don’t feel sick. Instead, exposed individuals should get tested after five days and wear a high-quality mask around others for ten (10) days.
The CDC did reiterate its policy of isolation for individuals who test positive for COVID-19 and those who are sick and suspect that they have COVID-19 but do not have a test yet. If positive, individuals should still isolate for at least five days in their home. The CDC further recommends that such individuals wear a high-quality mask for ten (10) days after the onset of symptoms or they may remove their mask sooner, if they have two sequential negative tests 48 hours apart.
More importantly (for us), what does this mean for employers?
The loosening of isolation recommendations by the CDC will likely make it easier for employers to require that their employees return to the physical workplace. Employers could become one step closer to reaching pre-pandemic levels in the office. Since the CDC guidelines only recommend isolation for individuals who test positive for COVID-19 or are sick and suspect they have COVID-19, fewer employees are recommended to stay home. Consequently, employers could require that exposed employees still come into the workplace, provided they don’t feel sick and wear a mask.
Of course, as we discussed in prior blog posts, What the CDC’s Latest Mask Guidance Means for Employers, employers may implement and maintain current COVID-19 protocols that exceed what the CDC is recommending. Masks can prevent severe illness and individuals can choose to wear them at any time, even if they have tested positive for COVID-19 or been exposed.
In a previous iteration of its masking guidance, the CDC had identified other factors that may be helpful to employers in evaluating whether stricter protocols are appropriate: higher county risk levels; settings with more unvaccinated people; indoor settings with poor ventilation; inability to maintain social distancing; and activities that include shouting, physical exertion or heavy breathing, and the inability to wear a mask, among other things. We suggest that employers may also wish to consider that employees at high risk of severe illness may be impacted by these loosened standards (and require accommodations if their exposed-but-not-symptomatic-coworkers are in the office).
In addition, as we previously noted, employers should realize that there may be resistance to stricter protocols from some employees, managers, and visitors, and be prepared to address that. Clear and specific communication about what the protocols are and why they are required is helpful. And an employer can usually discipline employees for failing to comply with stricter employer-mandated protocols.
No matter what employers decide, with lessened restrictions and more liberal CDC guidance, it is clear that more employees could return to the workplace.