February 2, 2024
Skylar Foley
FEDERAL DEVELOPMENTS
On January 11, 2024, the Consumer Financial Protection Bureau (CFPB) issued two new advisory opinions: Fair Credit Reporting; Background Screening and Fair Credit Reporting; File Disclosure. The advisory opinions are part of the CFPB’s ongoing efforts to clean up what the CFPB describes in its press release as allegedly “sloppy” credit reporting practices and ensure credit report accuracy and transparency to consumers. As a reminder, advisory opinions are interpretive rules that provide guidance on the CFPB’s interpretation of a particular law or regulation.
The Biden Administration kicked off 2023 by issuing the “Blueprint for a Renter Bill of Rights” and directing the CFPB and Federal Trade Commission (FTC) to take actions in furtherance of those principles. In February, the CFPB and FTC issued a request for information on background screening in connection with rental housing. In July, the FTC issued a blog post reminding landlords, property managers, and other housing providers of their obligation under the Fair Credit Reporting Act to provide notice of adverse action when information in a consumer report leads them to deny housing to an applicant or require the applicant to pay a deposit that other applicants would not be required to pay. In November, the CFPB released two reports concerning tenant background checks. “Consumer Snapshot: Tenant Background Checks” discusses consumer complaints received by the CFPB that relate to tenant screening by landlords and “Tenant Background Checks Market” looks at the practices of the tenant screening industry. The CFPB has previously addressed the issues of accurate credit reporting and investigating credit report disputes in its supervisory highlights.
Background Checks
In the first advisory opinion, the CFPB addresses the provision of background check reports. Background checks are used by landlords and employers to make rental and employment determinations, respectively. Background check reports prepared by employment and tenant screening companies often contain information compiled from several sources about a consumer’s credit history, rental history, employment, salary, professional licenses, criminal arrests and convictions, and driving records. The CFPB advisory says prior research has determined that background check reports often contain false or misleading information that may adversely affect an individual’s housing or employment. In 2021, the CFPB issued an advisory opinion that it was unreasonable for consumer reporting agencies (CRAs) to use name-only matching (matching records to a consumer by first and last name without any other identifying information).
The current advisory opinion highlights that CRAs, covered by the Fair Credit Reporting Act (FCRA), must “follow reasonable procedures to assure maximum possible accuracy” under Section 607(b). Specifically, the CRA’s procedures should:
The advisory opinion further reminds consumer reporting companies that they may not report outdated negative information, such as a criminal charge that does not result in a conviction, for periods longer than permitted under FCRA section 605(a). While no time limit applies to reporting disposition information on criminal convictions, an arrest with no conviction ends seven years after the arrest date and subsequent events do not restart the reporting period applicable to the arrest. The CFPB further highlighted its settlement with TransUnion related to furnishing tenant screening reports without including available disposition information for the eviction proceedings.
CRA Disclosure of Credit Files
In the second advisory opinion, the CFPB addresses the consumer reporting agencies’ disclosure obligations to deliver complete files to consumers upon request. In the advisory opinion, the CFPB clarifies the consumer reporting agencies’ obligation, pursuant to Section 609(a) of FCRA, upon the consumer’s request, to “clearly and accurately” disclose “all information in the consumer’s file at the time of the request.” Relying on a Third Circuit holding in Kelly v. RealPage, Inc., 47 F.4th 202, 221 (3rd Cir. Aug. 24, 2022), the CFPB further emphasizes that consumers do not need to use specific language (such as “complete file” or “file”) in their request to trigger a consumer reporting agency’s file disclosure requirement under Section 609(a).
Specifically, the consumer reporting agency must provide consumers the following:
However, Section 609(a) does not require disclosure of any credit score, risk score or predictor.
This new file disclosure guidance aligns with the CFPB’s other efforts to ensure consumers have access to their data in Personal Financial Data Rights rulemaking and the Section 1034(c) advisory opinion.
As we previously blogged, the CFPB also has launched an FCRA rulemaking. We will continue to monitor any CFPB developments related to FCRA.
Click Here for the Original Article
The Biden Administration announced actions to support the equal pay principles set forth by Executive Orders 14035 and 14069. These actions will impact federal contractors and subcontractors who will be required to disclose pay ranges in certain job postings and prohibited from relying on salary history information when setting pay. Further, these actions will impact federal agencies who will be prohibited from considering current or past pay when determining the salary of federal employees.
Click Here for the Original Article
Class Action Areas Drive EEOC’s Strategic Enforcement Plan for 2024 – 2028
Late last year, the EEOC quietly announced its most recent Strategic Enforcement Plan, covering 2024–2028. To no surprise, the EEOC has indicated that it will implement a concerted effort to focus its resources on employment practices that often result in class and collective action lawsuits. More specifically, the EEOC announced the following “subject matter priorities” for the next four years:
The EEOC has indicated that it will focus on Charges that touch on the above topics while also intentionally prioritizing systemic enforcement actions and impact litigation to eradicate what it perceives to be discriminatory employment practices. As demonstrated briefly above, the EEOC has a keen interest in scrutinizing artificial intelligence and mass hiring practices via automatic recruitment tools, in addition to a renewed focus on employment practices that could have an adverse impact on those with intellectual or health-related disabilities, among other things. This could directly lead to an increase in Commissioner Charges, systemic investigations, pattern or practice lawsuits, and class action litigation regarding the topics listed in its Strategic Enforcement Plan.
Employers should be vigilant in monitoring these key areas of risk related to the EEOC’s new Strategic Enforcement Plan, as EEOC investigations can quickly escalate to regional or even nationwide systemic investigations and corresponding litigation.
Click Here for the Original Article
STATE, CITY, COUNTY AND MUNICIPAL DEVELOPMENTS
Pennsylvania and Philadelphia recently enacted changes that impact employer criminal background screening.
State Law
Enacted on December 14, 2023, and effective February 12, 2024, Pennsylvania’s House Bill No. 689 amends Pennsylvania law relating to the expungement of certain criminal record information and employer immunity when hiring individuals with expunged records.
First, the legislation immunizes employers from liability for any claim related to the effects of expunged records or the lawful use of criminal record history information when an applicant voluntarily discloses an expunged conviction. This helps clarify a potential ambiguity under existing state law regarding whether an employer still might face negligent hiring liability for hiring an individual with an expunged criminal record where the individual goes on to commit some misconduct, such as injuring a third party. Previously, a negligent hiring lawsuit might contend that if the employer learned about an expunged criminal record by means other than a formal background check or official court records, the employer should have used the record to disqualify the person, and by not doing so, was negligent. Such a stance would seemingly be contrary to the purpose behind criminal record expungement, and the new legislation seems intended to prevent such an incongruous argument from surviving dismissal.
Second, the law extends the availability of automatic expungements to pardons. The law requires that the Pennsylvania Board of Pardons, which administers pardons, to notify the Administrative Office of Pennsylvania Courts (AOPC) on a quarterly basis of any pardons, and then requires the AOPC to notify the relevant Court of Common Pleas to order the record expunged. Under the law as amended, criminal history record information that has been expunged or granted limited access cannot be used by private entities for employment, housing, or school matriculation purposes, unless required by federal law. If the law works as intended, employers should simply not see the pardoned cases because they are supposed to be unavailable to the public. However, given the number of required steps in the process and different entities involved, it is not inconceivable that a candidate may believe an offense has been expunged, when it fact it remains available in the public record. Moreover, several pieces of this process remain unclear, such as how quickly the AOPC will act upon receipt of information from the Board of Pardons, whether individuals will be notified that their pardoned convictions were expunged, and whether the court docket will be changed to reflect a pardon status while expungement is in process.
Third, the law expands eligibility for Pennsylvania’s pre-existing limited access status for criminal records. Now, certain individuals who are free from conviction for seven years and otherwise meet requirements can petition for limited access; previously, the minimum threshold was 10 years. The law also clarifies categories of offenses that are and are not eligible for limited access petitions.
Notably, this statewide legislation does not amend the existing requirements on an employer’s general use of criminal record history.1 Under existing law, Pennsylvania employers generally are required to use only job-related misdemeanor and felony convictions in making hiring decisions.
Philadelphia Ordinance
Philadelphia employers are subject to additional restrictions and procedural requirements under Philadelphia’s Fair Criminal Record Screening Standards Ordinance. For its part, Philadelphia weighed in by enacting an amendment to that ordinance specifically addressing employer use of convictions subject to “exoneration.” The city ordinance, effective January 19, 2024, defines “exoneration” as reversing or vacating a conviction by pardon, acquittal, dismissal or other post-conviction re-examination of the case by the court or other government official, and generally prohibits employers from denying employment based on convictions subject to “exoneration” as so defined.
To prepare for the January and February effective dates of the laws, employers in Pennsylvania may want to ensure that they have considered how to handle situations in which a candidate identifies that an offense has been expunged, pardoned, granted limited access or subject to other post-conviction relief before potentially denying employment based on such a record.
Click Here for the Original Article
Reminders About California’s Fair Chance Act
California’s Fair Chance Act also known as the “Ban the Box” law took effect in January 2018. It generally prohibits employers with five or more employees from asking about your conviction history before making you a job offer. In 2021, California’s Civil Rights Department (formerly the Department of Fair Employment and Housing) announced new efforts to identify and correct violations of the Fair Chance Act. Since then, the Civil Rights Department has stepped up enforcement of the statute. As such, it is vital for covered employers to understand the requirements under the law.
Covered Employers
Public and private employers with five or more employees are covered by the law. This includes union hiring halls, labor contractors, temporary employment agencies, and client employers.
Requesting Background Checks
Covered employers may not ask applicants about their criminal history until after a conditional offer is extended. However, even after a conditional offer, employers may not ask about or consider information about the following:
Steps for Rescinding a Job Offer
Under the law covered employers must take specific steps if they want to rescind a conditional job offer based on an applicant’s criminal history.
The Civil Rights Department has sample forms available on its website.
Click Here for the Original Article
Florida Law Imposes Additional E-Verify Requirements for Private Employers
Further Hiring Requirements for Private Employers
A. Overview of Senate Bill 1718 (“SB1718”)
Earlier this year, the State of Florida enacted a law that continues to have significant implications for employers across the Sunshine State. On May 10, 2023, Governor Ron DeSantis signed into law SB1718, now Section 448.095, Florida Statutes (“Section 448.095”), which requires private employers with 25 or more employees to use E-Verify for new hires—a measure aimed at combating illegal immigration into the state. This requirement became effective as of July 1, 2023.
B. Law Prior to SB1718
Since 2021, Florida law required every public agency, contractor, and subcontractor to use the E-Verify system to authenticate the work status of recent hires. Under such law, a contract between a public agency and a contractor and/or subcontractor must contain language that any new hires will be validated through E-Verify. This requirement applies to all contractors or subcontractors, regardless of size and employee headcount, under contract with a public agency. Notably, if a contractor enters into a contract with a subcontractor, the subcontractor must provide the contractor with an affidavit stating that the subcontractor does not employ, contract with, or subcontract with an unauthorized alien.
C. SB1718 Broadens Existing Law to Include Private Employers
The passing of SB1718 does not change the above requirements. Instead, the new law broadens the mandate to include all private employers with at least 25 employees, regardless of whether such private employers are under contract with a public agency. This requirement for private employers only applies to employees hired after July 1, 2023. Independent contractors are not subject to the requirements of Section 448.095.
Private employers have expressed confusion regarding the boundaries of the new law. It was unclear whether all 25-plus employees had to be based in Florida and also, whether out-of-state employers with remote workers based in Florida had to comply with the requirements of Section 448.095.
To clarify such confusion, the Florida Department of Revenue recently issued guidance on the issue, opining that according to Section 448.095, private employers with 25 or more employees performing services in Florida must certify the eligibility of their employees performing services in Florida (emphasis added). This development makes it clear—the E-Verify mandate applies to employees performing services in Florida, whereas such mandate does not apply to employees not performing services in the state.
Overview of the E-Verify System
Operated by the United States Department of Homeland Security, E-Verify is an online system that allows employers to verify the employment eligibility of new employees by comparing their information with government records. Mainly, the E-Verify system cross-references the social security number provided by the employee with the records of the Social Security Administration.
Despite Section 448.095, existing employer I-9 requirements remain in place. Employees hired before July 1, 2023 remain subject to all I-9 mandates, however, their information does not need to be entered into the E-Verify system.
How to Register in E-Verify
Florida private employers with over 25 or more employees must utilize E-Verify to authenticate all new hires. Employers can enroll online and find additional information on the E-Verify website.
Enforcement of Section 448.095
Enforcement for covered employers began on July 1, 2023. If the Florida Department of Economic Opportunity (“DEO”) determines an employer has failed to comply with the E-Verify requirements of Section 448.095, DEO will send such employer a notification and the employer will have 30 days to correct the noncompliance. If three violations occur in a 24-month period, a fine of $1,000 per day may be imposed. Also, other civil and criminal penalties may be imposed on a case-by-case basis, including suspension or revocation of state licenses, permits, registrations, among others.
Implications on Florida’s Business Community
The requirements of Section 448.095 increase the administrative responsibilities on employers. The expansion of the new law to include private employers with 25 or more employees requires thousands of business to adjust their customary procedures for onboarding new hires. With steep penalties for non-compliance, employers and their advisors must educate internal stakeholders of the requirements of Section 448.095. Those businesses contracting with government must be especially vigilant as there is no minimum number of employees to require the use of E-Verify.
Click Here for the Original Article
Washington D.C. is Set to Join the Trend Toward Requiring Pay Disclosures in Job Postings
Mayor Bowser signed enacted D.C. Act 25-367 “Wage Transparency Omnibus Amendment Act of 2023” which will amend the Wage Transparency Act of 2014. The action puts Washington, D.C. one step closer to joining the growing list of jurisdictions requiring pay ranges in job listings and advertisements. If the Act survives the 30-day Congressional review, the new law, which applies to employers with at least one employee in the District, will also require employers to disclose to prospective employees the existence of healthcare benefits they may receive, prior to the first interview. It will also expand DC’s current law to prohibit employers from seeking wage history information of prospective employees or screening prospective employees based on their wage history. The Office of the Attorney General will have enforcement authority. If the Act is not disapproved during the upcoming 30-day Congressional review, it will become effective as of June 30, 2024.
Required Pay Disclosures in Job Listings and Position Descriptions Advertised
The Act will require that employers provide the minimum and maximum projected salary or hourly pay in all job listings and position descriptions advertised. In stating the minimum and maximum salary or hourly pay for the position, the range must extend from the lowest to the highest salary or hourly pay that the employer in good faith believes at the time of the posting it would pay for the advertised job, promotion, or transfer opportunity.
Healthcare Benefit Disclosure Prior to Interview
The Act also requires that employers include information on the healthcare benefits offered to employees before the first interview. The law does not define “first interview,” nor does it specify whether a general description of the benefits is sufficient or if more detailed information may be required. There is no requirement, however, to include the healthcare benefit information in the job posting for the open position.
If an employer fails to disclose the pay range in a job listing or advertised position description, or fails to disclose the existence of healthcare benefits prior to the interview, the prospective employee is permitted to ask about such disclosures.
Prohibition on Seeking or Using “Wage History”
The Act will also limit employers’ ability to seek or use a prospective employee’s wage history in several ways. First, it prohibits employers from screening prospective employees based on their “wage history,” including by requiring that the wage history satisfy minimum or maximum criteria or by requiring the prospective employee to disclose their wage history as a condition of being interviewed or continuing to be considered for an offer of employment. Second, the Act will also prohibit employers from seeking the wage history of a prospective employee from a person who previously employed the individual. The term “wage history” is defined as “information related to compensation an employee has received from other or previous employment.” Further, the definition of “compensation” is expansive and includes “all forms of monetary and nonmonetary benefits an employer provides or promises to provide an employee in exchange for the employee’s services to the employer.”
Required Notice of Rights
Covered employers will also have another notice to add to the collection of required federal and state employment posters. This new Act will require employers to post a notice in a conspicuous place in the workplace notifying employees of their rights under the Wage Transparency Act. The notice must be posted in at least one location where employees congregate.
Enforcement and Potential Remedies
The Act will authorize the Attorney General to investigate whether an employer has violated the Act, including examining witnesses under oath, issuing subpoenas, compelling attendance of witnesses and production of documents, and taking depositions and affidavits. It also allows the Attorney General to bring a civil action against an employer for violating the Act for restitution or for injunctive, compensatory, or other authorized relief for an individual or the public at large. If successful, the Attorney General will be entitled to reasonable attorneys’ fees and costs and statutory penalties equal to any administrative penalties provided by law.
Next Steps for Employers
While the Act still must pass Congressional review, DC employers should start taking steps now to prepare to comply with these requirements and prohibitions. Employers should consider how they will appropriately identify pay ranges to include in their job postings. For those employers who have already begun to include pay ranges in all of their postings to address the patchwork of laws in other jurisdictions requiring such disclosures, you should consider whether your current approach to disclosures will be compliant in DC.
In addition to preparing to update job postings and advertised job descriptions, employers should also consider training for hiring managers, talent acquisition, and other human resources professionals to ensure there is a process in place to disclose healthcare benefits prior to a first interview and the restrictions on seeking or using wage history. Additionally, employers should also consider conducting a privileged review of employee compensation to determine whether there are unexplained discrepancies that should be addressed prior to publishing pay ranges.
Click Here for the Original Article
COURT CASES
A magistrate judge in the Northern District of Georgia recently recommended granting summary judgment in a Fair Credit Reporting Act (FCRA) case in favor of a background reporting company on the grounds that a report given only to the consumer is not a consumer report and including a valid conviction on a report does not violate the FCRA as long as its expungement is also included.
In Peeples v. National Data Research, Inc. (NDR), the plaintiff applied to a pre-med program at a school that required a background report from NDR as part of its application requirements. NDR’s report on the plaintiff listed a 2003 criminal conviction for “giving false information.” The 2003 conviction, however, was expunged by court order in December 2019. The report from NDR did not contain any information about the expungement and NDR did not have a policy to investigate whether court records have been expunged absent a consumer dispute.
NDR provided the background report to the plaintiff only. The plaintiff then requested removal of the conviction due to the expungement. NDR confirmed the plaintiff was convicted for giving false information and the judgment was expunged. It updated the report to include the expungement but did not remove the underlying conviction.
The plaintiff sued NDR for violation of two sections of the FCRA: § 1681e(b) for failing to follow reasonable procedures to assure maximum possible accuracy in the report; and § 1681i for failing to perform a reasonable reinvestigation and correct or suppress the expunged record and maintain reasonable procedures to prevent that inaccurate information from reappearing.
In the report and recommendation, the magistrate judge began the analysis by noting that the Eleventh Circuit draws a distinction between a consumer report and a credit file. A consumer report requires communication of the information to a third party. Section 1681e(b) relates solely to information in a consumer report. Because NDR provided the report only to the plaintiff, it was not a consumer report. NDR’s knowledge the plaintiff would be submitting the report to her school did not make it a consumer report because NDR was not the one providing it to a third party. As a result, the magistrate judge recommended the district court grant NDR summary judgment on the § 1681e(b) claim.
When considering the plaintiff’s claim under § 1681i, the court accepted that the report was inaccurate/incomplete when it did not include the expungement information, that the plaintiff notified NDR, and that her dispute was not frivolous, focusing only on whether NDR conducted a reasonable reinvestigation of the disputed item — the conviction — and whether failure to remove it caused the plaintiff harm. The magistrate judge noted that federal courts have generally held that including a valid conviction on a background report does not violate the FCRA, even if that conviction was later set aside, dismissed, or expunged. “For purposes of FCRA reporting, the historical fact of [the plaintiff’s] conviction was not altered by the expungement order, and the FCRA expressly permits consumer reporting agencies to report ‘records of convictions of crimes.’ 15 U.S.C. § 1681c(a).” Federal law, not South Carolina law, dictates the conviction is still a conviction. Ultimately, while the original report of conviction was incomplete, once NDR modified and corrected the report to include the expungement, nothing more was required and summary judgment was recommended in NDR’s favor on this claim.
Click Here for the Original Article
CJEU Rules on Processing of Sensitive Data and Compensation Under the GDPR
On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.
Background
The case related to the processing of an incapacitated employee’s personal data, including health data, by the medical service provider (“MDK”) of a health insurance fund in Germany. Under applicable law, the MDK draws up reports on the capacity of individuals insured by the health insurance fund to work. These may include reports concerning the health of MDK’s own employees. After becoming aware of the fact that a report concerning himself had been prepared, an employee of MDK sought compensation under Article 82 of the GDPR.
The CJEU’s Ruling
In its judgment, the CJEU ruled that in order to process sensitive personal data under the GDPR, there must exist both a legal basis under Article 6 of the GDPR and an applicable exception under Article 9 of the GDPR.
The CJEU also held that the rules and limitations on the processing of sensitive personal data under Article 9.2(h) (which allows processing of sensitive personal data where necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services) and Article 9.3 of the GDPR (which provides that processing based on Article 9.2 (h) of the GDPR must be conducted by or under the responsibility of a professional subject to the obligation of professional secrecy) are also applicable to a situation in which a medical service provider processes health data of its employees in its capacity as medical service provider to assess their working capacity. In other words, the medical service provider could rely on Article 9.2 (h) of the GDPR to process its employees’ health data. The CJEU also clarified that Article 9.3 of the GDPR does not, by itself, require the controller to establish specific restrictions regarding the ability of work colleagues to access the health data of an employee.
On the interpretation of Article 82 of the GDPR, the CJEU held that the GDPR establishes a system of fault-based liability in which the controller’s fault is presumed, unless it is capable of proving that it is not in any way responsible for the event giving rise to the damage. On the nature of the compensation owed to the data subject under Article 82 of the GDPR, the CJEU clarified that it is purely compensatory, and not punitive in nature.
Read the judgement.
Click Here for the Original Article
Can you revoke an employment offer if the candidate fails a drug test?
The Human Rights Tribunal of Alberta recently determined that an employer did not discriminate against a job candidate by revoking an offer of employment after the job candidate failed a pre-employment drug test.
The candidate was offered a job as Business Continuity and Emergency Management Advisor. The position was classified as safety-sensitive, and the offer of employment specifically required the candidate to take a pre-employment drug test. The candidate testified that:
The drug test came back positive for cannabis. As a result, the employer revoked the job offer.
The candidate alleged that in revoking the job offer, the employer discriminated against him based on a physical disability in contravention of Alberta’s human rights legislation. Specifically, he alleged that he suffered from symptoms related to Hashimoto’s disease and that he used cannabis for medical purposes. The Tribunal accepted that the candidate suffered from a physical disability.
However, an obstacle for the candidate in this matter was that he only informed the employer of his disability and his medical use of cannabis after the job offer was revoked. Therefore, the Tribunal found that the employer could not have had knowledge of the candidate’s physical disability at the time it revoked the job offer. Furthermore, there were no indicators of a disability triggering a duty to inquire on the employer’s part.
Based on the above, the Tribunal determined that the candidate’s disability played no role in the revocation of the job offer and that the employer did not discriminate against the candidate.
This is a welcome decision for employers with safety-sensitive positions. It supports placing a positive onus on employees to appropriately disclose disability-related issues to their employer.
Each case needs to be reviewed based on its own facts. There may be times when it is in an employee’s best interest to voluntarily disclose a disability, and there may be others where indicators exist that trigger an employer’s duty to inquire. Employers are well-advised to follow the lead of the employer in this case and ensure that offers of employment clearly articulate the conditions and expectations related to pre-employment drug and alcohol testing.
We recommend that employers seek legal advice prior to implementing a drug or alcohol testing policy and prior to taking any disciplinary action against an employee who fails a drug or alcohol test.
Click Here for the Original Article
INTERNATIONAL DEVELOPMENTS
UK-US data bridge: ICO publishes updated TRA guidance
Following the implementation of the UK-US Data Bridge in October 2023, the ICO has updated its Transfer Risk Assessment guidance with a specific section on TRAs relating to transfers to the United States.
The updated guidance makes it clear that can parties rely on the analysis published by Department of Science, Innovation and Technology in relation to the Data Bridge when making data transfers on the basis of an alternative mechanism.
Data Bridge
The UK-US ‘Data Bridge’ took effect on 12 October 2023. It is an extension of the EU-US Data Privacy Framework, approved by the European Commission as adequate in respect of transfers from the EU to the US. As with previous, similar transatlantic arrangements, it can only be relied upon in respect of transfers to recipients who are certified under the scheme. As we highlighted in our analysis of the Data Bridge, this means that a TRA is still required for transfers to the US based on other transfer mechanisms. However, the DSIT analysis is still relevant in these circumstances. The ICO concludes that “it is reasonable and proportionate for you to rely on the DSIT analysis in your TRA, regardless of whether the personal information you are transferring is categorised as low, medium or high harm risk.”
ICO guidance on relying on the DSIT analysis
The ICO guidance states that a broad section of the DSIT analysis was directed at the application of relevant of US laws and practices more generally. It considered US respect for the rule of law and fundamental rights and freedoms, the existence of an effective and independent supervisory authority, and its relevant international commitments. The framework for public authorities to access personal data following transfer to the US was considered to be satisfactory and underpinned by appropriate safeguards and redress.
To that end, organisations are encouraged to simply incorporate the DSIT analysis into their TRAs by reference, documenting that:
Helpfully, the ICO provides examples of suitable wording for a TRA using the above direction, which can be found as part of the overall guidance here and helps to significantly streamline the TRA process.
Click Here for the Original Article
EU Releases Data Act to Facilitate Access and Use of Data
On 22 December 2023, the Regulation on harmonized rules on fair access to and use of data (“Data Act”) was published in the EU’s Official Journal.
The Data Act lays down rules on fair access to and use of personal and non-personal data across all economic sectors generated by connected products and digital related services.
In a nutshell, the Data Act:
The Data Act enters into force on 11 January 2024. Most of its rules will apply from 12 September 2025.
Click Here for the Original Article
CJEU rules that a credit score constitutes automated decision making under the GDPR
On 7 December 2023, the Court of Justice of the European Union (CJEU) issued a landmark judgment on Article 22 of the General Data Protection Regulation (GDPR), focused on decision making based solely on automated processing that produces legal effects concerning the data subject, or similarly significantly affects the data subject (ADM). The case involved a leading German credit reference agency, Schufa (Case C‑634/21). The judgment has significant implications for organisations using any kind of ADM, including scoring systems and systems that use Artificial Intelligence (AI). Allen & Overy previously published an update on the Advocate General’s Opinion on the case back in March 2023.
In a further GDPR judgment in relation to Schufa, the CJEU also ruled that they could not lawfully retain information from a public register related to debt, for a time extending beyond the public register’s retention period. Please see our blog on this judgment here.
The case emerged under the following circumstances. A loan application was refused based on the data subject’s Schufa score, used as a core component in the loan decision. Following a data subject access request (Article 15 GDPR), Schufa provided the data subject with the score and explained, in high level terms, the methods used to calculate that score. However, Schufa cited trade secrecy as justification for not providing information related to the weighting that lay behind the scoring system.
The data subject then took a complaint to the Data Protection and Freedom of Information Commissioner for the Federal State of Hesse, Germany (the HBDI). The HBDI found that there was no established case that Schufa’s credit score processing was non-compliant with Section 31 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) which governs the requirements of calculating scores. It also confirmed that Schufa does not need to share the details or mathematical formula related to how information about an individual is weighted to create the individual’s Schufa score. The data subject appealed the HBDI’s decision to the Administrative Court, Wiesbaden, Germany. That court then made a reference to the CJEU.
The key question of the reference was as follows: “whether Article 22(1) of the GDPR must be interpreted as meaning that the automated establishment, by a credit information agency, of a probability value based on personal data relating to a person and concerning his or her ability to meet payment commitments in the future constitutes ‘automated individual decision-making’ within the meaning of that provision, where a third party, to which that probability value is transmitted, draws strongly on that probability value to establish, implement or terminate a contractual relationship with that person.”
The pivotal issue in the case focused on Article 22 GDPR and whether the Schufa score constituted a decision solely based on automated decision making and whether that decision produced legal effects concerning the data subject or it similarly significantly affects them and thus whether Schufa should have shared more details on the logic behind the decision.
Under Article 22 GDPR, the data subject has the right not be subject to such ADM. There are exceptions under Article 22(2), specifically: (a) the decision is necessary for the performance of contract between the data subject and a data controller; (b) the decision is authorised by Union or Member State law to which the controller is subject and there are safeguards to protect the data subject; and (c) the decision is based on the data subject’s explicit consent. If relying on Article 22(2)(a) or (c) controllers will have to offer human intervention and a way for the data subject to express a view or contest the decision.
The CJEU found:
The judgment is part of a trend towards broad and data subject weighted interpretations of the GDPR by the CJEU, turning it into consumer rather than privacy law. The CJEU’s judgment on Article 22 GDPR was set out in broad terms and can be applied to other situations related to scoring systems. The judgment refers to a contractual relationship with the data subject in general terms rather than just the specifics of loan agreement process, indicating the potential breadth of relevance.
The judgment could therefore have implications for a range of scoring processes and decision making; for example, credit reference agencies also provide services for employment checks and anti-money laundering services (AML) can also offer digital services based on scores.
Although the judgment has broad implications, it does not follow that a large number of automated scoring systems are immediately caught by Article 22 GDPR, or are immediately unlawful. It will depend on how the score relates to the final decision made and what role it plays as a factor under consideration. The controller may also have a legal basis to carry out that ADM and safeguards in place as specified under Article 22 GDPR. There is now a significant expectation that data protection authorities need to provide guidance on what “draws strongly” means in practice.
A number of German Data Protection Authorities (DPAs) have issued statements following the judgment. The Hamburg DPA issued a statement, hailing the “ground-breaking importance for AI-based decisions” and also noting that it has “has consequences far beyond the scope of credit agencies – because it is transferable to the use of many AI systems”. The DPA also gave an example of AI analysing which patients are particularly suitable for a medical study, as an illustration of where the judgment may also make a difference.
The Data Protection Authority for Lower Saxony has also issued a statement and indicated: “The CJEU’s view on the interpretation of the term ‘automated decision’ could also have further implications, for example on systems that prepare decisions with the help of algorithms or artificial intelligence or make them ‘almost alone’, so to speak“.
Given the hype around, and importance of, AI, particularly generative AI, we can therefore expect further decisions and guidance from DPAs in 2024, setting out how the judgment will apply in a range of scenarios.
The European Data Protection Board (EDPB) may also need to update its guidelines on automated decision making and profiling. The guidelines were adopted in 2018 and will soon be six years old. While the Schufa CJEU judgment does not contradict the EDPB’s guidance, for example the EDPB had already found that Article 22 operated as prohibition in principle, the EDPB may want to expand on the wider implications and explain in more detail what the judgment means in practice, including the concept of “draws strongly” in decision making.
Schufa has issued a press release about the judgment. It welcomes the clarification that the judgment provides and notes that: “The overwhelming feedback from our customers is that payment forecasts in the form of the SCHUFA score are important for them, but are usually not the only decisive factor for concluding a contract”. This indicates that “draws strongly” test will be a key consideration for companies.
Lastly, in light of the EU Representative Actions Directive (2018/1828) and the increasing trend for data litigation, there is a risk that compensation claims may be launched not just against Schufa but also against organisations using the Schufa score. Allen & Overy’s blog from May 2023 assesses the recent CJEU jurisprudence on compensation, including the finding that mere infringement of the GDPR does not confer a right to compensation. Allen & Overy’s blog on the collective redress action for consumers in Germany from March 2023 considers the incoming implementation of the EU Representative actions under the Directive (EU) 2020/1828. A key question will be whether a de minimis threshold of equal damage across a class action claim is likely in Article 22 GDPR cases.
As we look ahead to 2024 we can expect the Schufa judgment to play an important role in how AI is used in automated decision making and where the boundary falls between automated and partially automated decisions. Companies should look out for new guidance and enforcement decisions from DPAs in the year ahead.
Click Here for the Original Article
The draft guide is published in the context of a public consultation. Organisations have 1 month to submit their observations to the CNIL. This article walks you through the context in which CNIL publishes this guide, its content and the keys takeaways.
Why the CNIL publishes this practical guide?
The General Data Protection Regulation (“GDPR”) aims at ensuring an equivalent level of protection to personal data within the European Union (“EU”) by imposing a regulatory framework which applies to all processing carried out within the EU or relating to individuals residing in the EU.
Some companies may transfer personal data outside the EU as part of their activities, for example by using service providers located in third countries, by using cloud services, or by communicating personal data to a parent company or subsidiaries. This raises the question of the protection of personal data transferred outside the EU, to countries that do not have the same legislation as the EU.
Under the GDPR, personal data must be offered the same level of protection afforded by the GDPR within the EU. This is the case, for example, when personal data is transferred to a country benefiting from an adequacy decision, i.e. a country recognised by the European Commission as offering an adequate level of protection that does not require the implementation of additional measures.
In the absence of an adequacy decision, the data exporter, whether acting as a controller or a processor, must implement measures to compensate for the lack of data protection in the third country, receiving personal data, by providing appropriate safeguards (Binding Corporate Rules (BCR), Standard Contractual Clauses (SCCs), etc.).
In its “Schrems II” judgment of 16 July 2020, the Court of Justice of the European Union (CJEU) ruled that standard contractual clauses were insufficient to ensure an effective protection of personal data, as they do not bind third countries due to their contractual nature.
As a consequence, the CJEU ruled that the data exporter must (i) verify whether the legislation of the third country receiving the personal data offers a level of protection that is essentially equivalent to that guaranteed in the EU and (ii) determine the appropriate additional measures where necessary, in addition to implementing the appropriate safeguards.
In order to fulfil this obligation, and where the transfer of personal data is based on a transfer tool listed under Article 46 of the GDPR, the data exporter, in collaboration with the data importer, must carry out a data transfer impact assessment (also referred to as a “TIA”).
The European Data Protection Board (EDPB) has already published, in June 2021, its recommendations on measures to supplement transfer tools to ensure compliance with the EU level of personal data protection in which the EDPB details the different steps to be followed by the data exporter when carrying out a TIA and provides information on the supplementary measures that can be implemented and their effectiveness.
Up until now, organisations have essentially relied on these recommendations and on the recommendations 02/2020 on essential European safeguards for surveillance measures to carry out TIAs.
It is in this context that the CNIL decided to draft its own practical guide to, in its own words, “help data exporters carry out their TIAs“.
At this stage, the CNIL is publishing a draft guide for public consultation until February 12, 2024. Publication of the definitive guide is scheduled for 2024.
What this guide contains?
This guide should be used as a methodology available for data exporters and enabling them to carry out a TIA.
It should be noted that the CNIL has very much relied on the EDPB recommendations when elaborating this guide. Nevertheless, this guide is intended to be more practical than the EDPB recommendations, since it includes a TIA template that can be used as is by data exporters. This TIA template takes indeed the form of a table to be completed, including boxes to be ticked, which includes and reorganises the different steps and elements mentioned by the EDPB in its recommendations. The guide includes a first part dedicated to the questions to be asked in order to determine whether a TIA is necessary:
The guide then provides a TIA template based on the six steps mentioned by the EDPB for carrying out a TIA, which are as follows:
The compilation of the different steps and information provided by the EDPB in its recommendations, in the form of a table listing all the elements that must be included in a TIA, appear to be useful and practical for data exporters.
What are the key takeaways of this guide?
Some elements are worth noting:
The CNIL has a much stricter interpretation of this duty to cooperate when the data importer is acting as a processor. The CNIL states that “In the context of a relationship between a controller and a processor, the transmission of this information to the controller by the processor is part of the latter’s obligations under Article 28 of the GDPR, and in particular Article 28(3)(h)”. The CNIL also considers that “the transmission by the importing processor of a simple conclusion or an executive summary of its assessment, without the provision of concrete information on the legislation of the third country and the practices of the authorities, as well as on the circumstances of the transfer, does not enable the processor to fulfil its obligations under Article 28 of the RGPD“. This rigorous interpretation of Article 28 of the GDPR requires the data processor importer to be significantly involved as it must provide concrete information on the legislation of the third country and the practices of its authorities.
This practical guide, which is still awaiting its final publication in 2024, is not mandatory but constitutes a tool helping organisations to comply with TIA requirements. The CNIL’s draft practical guide is available in French and in English. Organisations have until February 12, 2024 to submit their comments.
Click Here for the Original Article
Can you revoke an employment offer if the candidate fails a drug test (Alberta, Canada)?
The Human Rights Tribunal of Alberta recently determined that an employer did not discriminate against a job candidate by revoking an offer of employment after the job candidate failed a pre-employment drug test.
The candidate was offered a job as Business Continuity and Emergency Management Advisor. The position was classified as safety-sensitive, and the offer of employment specifically required the candidate to take a pre-employment drug test. The candidate testified that:
The drug test came back positive for cannabis. As a result, the employer revoked the job offer.
The candidate alleged that in revoking the job offer, the employer discriminated against him based on a physical disability in contravention of Alberta’s human rights legislation. Specifically, he alleged that he suffered from symptoms related to Hashimoto’s disease and that he used cannabis for medical purposes. The Tribunal accepted that the candidate suffered from a physical disability.
However, an obstacle for the candidate in this matter was that he only informed the employer of his disability and his medical use of cannabis after the job offer was revoked. Therefore, the Tribunal found that the employer could not have had knowledge of the candidate’s physical disability at the time it revoked the job offer. Furthermore, there were no indicators of a disability triggering a duty to inquire on the employer’s part.
Based on the above, the Tribunal determined that the candidate’s disability played no role in the revocation of the job offer and that the employer did not discriminate against the candidate.
Takeaway for Employers
This is a welcome decision for employers with safety-sensitive positions. It supports placing a positive onus on employees to appropriately disclose disability-related issues to their employer.
Each case needs to be reviewed based on its own facts. There may be times when it is in an employee’s best interest to voluntarily disclose a disability, and there may be others where indicators exist that trigger an employer’s duty to inquire. Employers are well-advised to follow the lead of the employer in this case and ensure that offers of employment clearly articulate the conditions and expectations related to pre-employment drug and alcohol testing.
Click Here for the Original Article
The European Commission (“Commission“) concluded that personal data transferred from the European Union (EU) to Argentina are adequately protected and, therefore, can continue to flow freely from the EU to Argentina.
In more detail
On 15 January 2024, the Commission published its conclusions regarding the first review of the adequacy decisions adopted — pursuant to Article 25(6) of Directive 95/46/EC (“Directive“) — in 1995. In these decisions, the Commission had determined that 11 countries or territories, including Argentina, guaranteed an adequate level of protection of personal data. This allowed data transfers from the EU to these countries.
With the entry into force of the EU General Data Protection Regulation 2016/67914 in 2018, it was established that adequacy decisions issued under the Directive would remain in force but be subject to review every four years.
In this first review, the Commission determined that data protection frameworks in the countries and territories under review have evolved through legislative reforms and regulations of the data protection authorities, among others.
In the case of Argentina, the Commission highlighted the importance of the independence of the Agency for Access to Public Information as a supervisory authority and the ratification of Convention 108+ in 2023. In addition, the Commission noted that the Data Protection Bill introduced in Congress could consolidate these developments, further strengthening the data protection framework in the country.
This decision is relevant as it positions the country at the forefront in the protection of personal data and enables fluidity and security in international operations.
Click Here for the Original Article
Quebec Law No. 25: a Little-known Privacy Law with a Big Reach
In late 2021, the Quebec legislature passed “The Privacy Legislation Modernization Act” or Law No. 25 (“Law 25”), which was designed to modernize and make significant changes to Quebec’s existing privacy framework. Previously, Quebec’s privacy regime was very industry-specific, but Law 25 is far broader and has general application. It grants significant new privacy rights for residents of Quebec and establishes heightened obligations for in-scope public and private organizations.
Of particular note for businesses outside Quebec, Law 25 applies to all organizations “carrying on an enterprise” in Quebec that collect, process, use, or disclose Personal Information of individuals located in Quebec. An “enterprise” is defined as carrying on an “organized economic activity,” but that activity does not have to be commercial in nature. Entities deemed “enterprises” under Law 25 include unions and medical practices, whereas spiritual and religious organizations are not considered enterprises, as their main purpose is not “economic.” Learning From a Decade of Experience: Quebec’s Private Sector Privacy Act, at 1.2.3 and 1.2.4. This means that the law likely applies to both for-profit and nonprofit organizations located abroad that process Personal Information of Quebec residents. There also are no minimum thresholds in terms of number of Quebec residents’ Personal Information processed or revenue generated nor broad-brush exemptions under Law 25 for categories of data or entities that are already regulated under different regimes. In short, Law 25 likely is in scope for any organization, either within or outside the borders of Quebec, which processes Personal Information associated with one or more of Quebec’s approximately 9 million residents.
Law 25 does not adopt the familiar terminology of “controller” or “processor.” However, Law 25 does stipulate that processing of Personal Information by third persons on behalf of an in-scope organization requires a written contract “to protect the confidentiality of the Personal Information communicated, to ensure that the information is used only for carrying out the mandate or performing the contract, and to ensure that the mandatary or person does not keep the information after the expiry of the mandate or contract.” Law 25 at Section III, para. 18.3.
Law 25 will be enforced by the Commission on Access to Information (“CAI”), and fines range up to 2% – 4% of worldwide turnover (revenue) or $10 – $25 million CAD, depending on the severity of the violation. Id. at Section VII, paras. 90.12-91. Finally, Law 25 gives rise to a new private right of action, allowing individuals to bring claims against in-scope organizations for recovery of statutory damages. Id. Law 25 also allows harmed employees to bring collective actions.
Given the above, Law 25 is comparable to the General Data Protection Regulation (“GDPR”) and has a broader reach than any U.S. state omnibus privacy law. When compared to Canada’s federal law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), Law 25 has more onerous requirements and poses a greater potential for liability. For example, PIPEDA does not afford residents expansive data subject rights, whereas Law 25 does offer Quebec residents with a full set of individual rights. Law 25 also has stricter consent requirements than PIPEDA.
Law 25’s requirements become effective in phases. Below is a list of Law 25’s primary requirements and mandatory compliance dates:
With the majority of Law 25’s requirements currently in effect, and the law becoming fully effective by the end of 2024, we can expect aggressive enforcement by the CAI.
While Law 25 went into force without much fanfare, organizations should waste no time in considering Law 25’s applicability. The following measures should be considered when assessing the applicability of Law 25 to business operations and preparing to comply:
Click Here for the Original Article
European Commission Approves of Canada’s Data Protection Regime (Again)
On January 15, 2024, the European Commission (“Commission”) renewed Canada’s adequacy status under the General Data Protection Regulation (“GDPR”).[1] You can read the Commission’s full report setting out its adequacy decision here (the “Report”).
The following bulletin will give you a brief overview of the GDPR, the importance of obtaining adequacy status, and why Canada’s adequacy status is important for Canadian businesses.
What is the GDPR?
The European Union (“EU”) enacted the GDPR in May 2018.[2] The GDPR strengthens the protection of all EU citizens with respect to the transfer of their personal data and harmonizes national data privacy laws throughout the EU.[3] The GDPR requires all companies processing the personal data of EU residents, including companies established outside the EU if they operate in the EU, to comply with the data protection rules set out therein.[4] For example, the GDPR requires that companies obtain “specific, informed and unambiguous consent” in order to process an individual’s personal data.[5]
What is adequacy status?
Pursuant to the GDPR, if the Commission finds that a country outside of the EU offers an adequate level of data protection, that country can obtain adequacy status.[6] Obtaining adequacy status involves a proposal from the European Commission, an opinion of the European Data Protection Board, an approval from representatives of EU countries, and the adoption of the decision by the European Commission.[7] However, adequacy status may be revoked at any time if the European Parliament and the Council request that the European Commission withdraw, maintain or amend its adequacy decision.[8]
Prior to the GDPR, 11 countries were granted adequacy status under the then Data Protection Directive 95/46/EC, namely: Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. These adequacy decisions have remained in force so far, even after the GDPR came into effect.
On January 15, 2024, following its review of the 11 existing adequacy decisions, the Commission renewed Canada’s adequacy status alongside the other 10 countries with existing adequacy status.[9] The Report concluded that the aforementioned countries’ existing data protection frameworks are aligned with the EU’s framework and provide significant data safeguards for personal data.[10]
The Commission found that Canada continues to provide an adequate level of protection for personal data transferred from the EU to recipients subject to Canada’s federal private sector privacy law, the Personal Information Protection Electronic Documents Act[11] (“PIPEDA”).
What does this mean for Canadian businesses?
If a country has adequacy status, personal data can flow from the EU to that country without the need for any additional data protection safeguards, such as standard contractual rules, the need for additional data processing addenda or authorizations to transfer the data. The additional safeguard requirements could be cumbersome and onerous for some organizations. Canada’s adequacy status results in increased efficiency for Canadian businesses transferring personal data from the EU to Canada.
What’s next?
To ensure Canada continues to maintain its adequacy status under the GDPR, the federal government will need to bring its privacy laws into closer alignment with the GDPR.
Canada’s federal privacy legislation, PIPEDA, is expected to see an overhaul soon. Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts known as the Digital Charter Implementation Act, 2022 (“Bill C-27”) has completed its second reading in Parliament and is undergoing consideration by the Standing Committee on Industry and Technology.
Bill C-27 introduced bold new measures that will bring Canadian privacy law into closer alignment with the GDPR. Closer alignment with the GDPR will continue to assist Canada in maintaining its adequacy status under the GDPR, allowing Canadian businesses to transfer personal information from the EU to Canada without additional data protection safeguards as discussed above.
Click Here for the Original Article
Ontario, Canada Human Rights Commission Publishes Policy on Caste-based Discrimination
The Ontario Human Rights Commission recently published a policy statement (Policy) pertaining to “caste-based discrimination” under Ontario’s Human Rights Code. The Policy advises organizations that they have a legal obligation under the Code to ensure that “their environments are free from discrimination and harassment, bullying or a poisoned environment based on caste and the related grounds”; to investigate claims of caste-based discrimination; and to remedy situations when such discrimination is found.
Click Here for the Original Article
MISCELLANEOUS DEVELOPMENTS
Rite Aid Settles FTC Allegations Regarding Use of Facial Recognition Technology
On December 19, 2023, the Federal Trade Commission (“FTC”) announced that it reached a settlement with Rite Aid Corporation and Rite Aid Headquarters Corporation (collectively, “Rite Aid”) to resolve allegations that the companies violated Section 5 of the FTC Act (as well as a prior settlement with the agency) by failing to implement reasonable procedures to prevent harm to consumers while using facial recognition technology. As part of the settlement, Rite Aid agreed to cease using “Facial Recognition or Analysis Systems” (defined below) for five years and establish a monitoring program to address certain risks if it seeks to use such systems for certain purposes in the future.
According to the FTC’s complaint, Rite Aid “used facial recognition technology in hundreds of its retail pharmacy locations to identify patrons that it had previously deemed likely to engage in shoplifting or other criminal behavior.” The FTC claimed that the technology sent alerts to Rite Aid’s employees when patrons were matched with entries in the company’s “watchlist database.” Rite Aid employees allegedly took action against patrons who triggered the matches by, for example, subjecting them to in-person surveillance. The FTC claimed that Rite Aid failed to consider or address foreseeable harm to patrons by such conduct, including failing to (1) test the technology’s accuracy, (2) enforce image quality standards necessary for the technology to function accurately, (3) take reasonable steps to train employees, and (4) “take steps to assess or address risks that its . . . [the] technology would disproportionately harm consumers because of their race, gender, or other demographic characteristics.”
The proposed consent order places a number of restrictions and obligations on Rite Aid, including with respect to its use of a “Facial Recognition or Analysis System,” which it defines as “an Automated Biometric Security or Surveillance System that analyzes or uses depictions or images, descriptions, recordings, copies, measurements, or geometry of or related to an individual’s face to generate an Output.” An “Automated Biometric Security or Surveillance System,” in turn, is defined as “any machine-based system, including any computer software, application, or algorithm, that analyzes or uses Biometric Information of, from, or about individual consumers to generate an Output that relates to those consumers, notwithstanding any assistance by a human being in such analysis or use, and that is used in whole or in part for a Security or Surveillance Purpose,” subject to a few exceptions.
Among other restrictions, the proposed consent order requires that Rite Aid:
The proposed FTC consent order is subject to a 30-day public comment period following publication in the Federal Register.
Rite Aid filed for relief under Chapter 11 of the Bankruptcy Code on October 15, 2023. Accordingly, the settlement is also subject to approval by the U.S. Bankruptcy Court overseeing the company’s bankruptcy proceeding.
This settlement was described by the FTC as the first enforcement action by the agency that addresses alleged discrimination through the use of automated decision-making technologies.
Click Here for the Original Article
New York has extended the statute of limitations for administrative complaints under the New York State Human Rights Law. On November 17, 2023, Governor Kathy Hochul signed into law Senate Bill S.3255, which amended Section 297-5 of the New York Executive Law. This amendment extends, from one year to three years, the time in which a person may file a complaint of unlawful discrimination with the New York State Division of Human Rights. The Division is the administrative agency that investigates and enforces New York State’s Human Rights Law.
Before this amendment, the NYS Human Rights Law contained a one-year statute of limitations for all administrative claims of discrimination other than sexual harassment. The statute of limitations for administrative claims of sexual harassment was three years. Under the new amendment, effective February 15, 2024, the statute of limitations for all administrative claims that arise on or after that date will be three years. Such claims include discrimination on the basis of race, color, creed, national origin, citizenship or immigration status, age, sexual orientation, disability, military status, and other protected classes, as well as claims of unlawful retaliation under the NYS Human Rights Law.
The statute of limitations for filing a claim in court under the NYS Human Rights Law is already three years. The amendment provides that administrative claims filed with the NYS Division of Human Rights will now have the same three-year time limit from the date of the alleged unlawful practice.
Click Here for the Original Article
What is a Negligent Hiring Claim in New Jersey?
Employers’ employees often encounter other members of the public. Those interactions can lead to litigation. For example, as addressed in one of my prior blog posts, an employee could be accused of sexually harassing a customer, vendor, or other third party. As discussed in that prior blog post, that could result in potential liability against the employer based upon New Jersey’s Law Against Discrimination.
Likewise, an employer who hires an employee with a history of drunk driving offenses could be sued for negligence in hiring if that employee injures a third party while operating a company vehicle intoxicated during company time. In other words, “negligence in hiring” claims are not limited to discrimination claims. The “negligence in hiring” claim may be asserted in addition to a respondeat superior claim (a legal theory in which an employer is responsible for the negligence or wrongdoing of its employees).
Because employers are responsible for “exercising a duty of reasonable care in the selection or retention of its employee,” under certain circumstances, an employer can be sued for negligence associated with the hiring of the employee. See, Di Cosala v. Kay, 91 N.J. 159, 170-171 (1982). The negligence in hiring claim has two elements that must be proven by the Plaintiff by a preponderance of the evidence:
Di Cosala v. Kay, 91 N.J. at 173.
Employers should take the following steps to try to limit the liability of this claim. First, employers should conduct reasonable due diligence before hiring an employee. If prior employers will speak with you, I recommend asking about potential prior problems with the prospective employee. Conduct online research to see if there are lawsuits or other claims against the prospective employee. Run background checks to see if the prospective employee has any licensing or other issues. Ask the prospective employee to provide a driver’s abstract and for information identifying potential “red flags.”
In doing so, please ensure your company files your particular state laws regarding questions and background information you may obtain/ask about. For example, the New Jersey Opportunity to Compete Act, N.J.S.A. 34:6B-11, et. seq., prohibits, amongst other things, a job applicant to fill out a job application or other screening form which asks about their criminal record.
Click Here for the Original Article
Developing, Offering and Using Generative AI Technologies: Canadian Privacy Regulators Weigh In
Canada’s federal, provincial and territorial privacy authorities have co-published a document entitled Principles for responsible, trustworthy and privacy-protective generative AI technologies (the “Principles”), offering critical guidance for organizations that develop, provide and use generative artificial intelligence (“GenAI”) systems.
GenAI, a subset of machine learning, has gained popularity for its ability to generate diverse outputs such as text, images and audio in response to users’ prompts. However, its reliance on vast training datasets and user inputs, often including personal information, poses unique privacy challenges.
The Principles are drafted to apply to organizations that are subject to Canada’s public, private and health sector privacy laws. Though the considerations outlined in the Principles are framed as recommendations, many will be mandatory for organizations to comply with applicable privacy legislation.
This bulletin includes a high-level summary of those Principles that apply equally to organizations that develop, provide and use GenAI systems. However, organizations are advised to consult the Principles in full, as they contain additional recommendations, including some that may apply exclusively to developers, providers and/or users of GenAI systems.
Key Principles and Recommendations
According to Canada’s privacy regulators, ten key privacy principles that apply to the development, provision and use of GenAI systems are as follows:
Click Here for the Original Article
Failure to Train, Discipline, or Supervise Employee Could Lead to A Negligence in Supervision Claim
In a previous blog post, I wrote about the elements of a negligence hiring claim and made recommendations how to avoid liability for your business. A negligence in supervision/retention claim has certain similarities to the negligence hiring cause of action. Negligence hiring, supervision, training, and retention claims are not based on vicarious liability, like a respondeat superior claim. Instead, each of those claims are based upon the actual fault of the employer. G.A.-H v. KGG, 238, N.J. 401, 415 (2019).
To be found liable for negligent supervision, training, or retention, the Plaintiff must establish that: (1) an employer knew or had reason to know that the failure to supervise or train an employee in a certain way would create a risk of harm, and (2) that risk of harm materializes and caused the Plaintiff’s damages. DiCosala v. Kay, 91 N.J. 159, 173 (1982). In the employment context, I have seen these claims brought against employers based on the following scenarios:
First, employers can limit their exposure to this claim by not retaining an employee they know or have reason to know has violated employment discrimination laws in the past. If an employee alleges workplace discrimination, the employer has a legal obligation to take steps to ensure that the alleged discriminatory conduct stops. I recommend if one of your employees makes an allegation of sexual harassment that your company retain the services of a neutral, unbiased, trained investigator to conduct a thorough investigation of the alleged conduct. The investigator will make certain recommendations after their investigation. I strongly encourage your business to follow those recommendations. For example, if the investigator recommends the termination of the alleged perpetrator’s employment, your company should do the same. If the company does not follow that recommendation and sometime later, the employee allegedly sexually harasses another employee, the decision not to follow the recommendation of the investigator could result in your company being sued for negligence in supervision, retention, or training.
Second, employers can limit their exposure to this claim or an indirect employment discrimination lawsuit by providing all employees with yearly training and implementing robust policies and procedures to ensure the same. I recommend that training begin at the inception of employment and continue at least once per year. Moreover, I recommend that your company draft and circulate an employee handbook that provides simple, straightforward information about your company’s discrimination rules and policies. Those polices should remind employees and managers about their rights, duties, and responsibilities to prevent workplace discrimination. Furthermore, they should educate employees on what to do if they either witness or are subjected to workplace discrimination.