July 20, 2022
The EEOC and DOJ Offer Suggestions to Employers on Avoiding Disability Discrimination When Using AI Technologies
The Equal Employment Opportunity Commission and the U.S. Department of Justice each issued guidance about possible discrimination in violation of the Americans with Disabilities Act when employers make employment decisions based on their use of artificial intelligence and other software tools. They further suggested “promising practices” to help avoid such discrimination.
Equal Employment Opportunity Commission (EEOC)
Of particular use to employers, the EEOC provides “promising practices” related to the use of AI tools, including the following:
U.S. Department of Justice (DOJ)
Federal “Ban the Box” Regulations Proposed
The U.S. Office of Personnel Management (OPM) proposed initial regulations to implement the Fair Chance to Compete for Jobs Act of 2019 (Fair Chance Act). The proposed regulations would apply to federal employees and will serve as the model for forthcoming regulations governing how and when federal contractors may consider the criminal histories of applicants and employees.
Background on the Law and Regulatory Process
The Fair Chance Act, Section 1123 of the National Defense Authorization Act for Fiscal Year 2020, was signed into law on Dec. 20, 2019, and took effect on Dec. 20, 2021. The law bans civilian and defense executive agencies from both awarding federal contracts and releasing payment to any contractor that violates the statutory requirements.
Specifically, as a condition of either a contract award or receiving payment on a contract, government contractors may not request a job applicant on the contract to disclose his or her criminal history information prior to the contractor’s extension of a conditional offer of employment. This restriction applies to criminal background requests made verbally and in writing. The Fair Chance Act provides two exceptions to the restriction, namely when: (1) consideration of an applicant’s criminal history is required by law; or (2) the individual, if hired, will have access to classified information or hold sensitive law enforcement or national security duties.
The statutory text left many questions unanswered and delegated rulemaking authority to the Federal Acquisition Regulatory Council (FAR Council). The FAR Council, in turn, is required to issue regulations consistent with those issued by OPM. Likewise, the law authorizes the Administrator of General Services, in consultation with the Secretary of Defense, to identify additional categories of positions to which the law does not apply.
OPM proposed the first set of regulations through a Notice of Proposed Rulemaking (NPRM), issued April 27, 2022. While these regulations, if adopted, will affect only federal employees, as noted above, the regulations also will serve as the blueprint for regulations the FAR Council will issue applicable to federal government contractors. To date, and not inconsistent with other rulemaking processes, the Open FAR/DFARS Case reports disseminated by the Office of the Under Secretary of Defense have indicated continued postponement of the deadline for the FAR Acquisition Law Team to draft a proposed FAR rule. See FAR Case No. 2020-008.
Details on the OPM Proposed Regulation
As an initial matter, the proposed OPM regulations contain a number of procedural elements that are likely limited to federal employment. Of most interest to federal contractors, however, the proposed regulations identify positions for which the prohibition under the Fair Chance Act for collecting criminal history information will not apply. These exceptions would include: (1) any position for which an agency is required by statute to inquire about criminal history prior to making an offer; (2) positions that may access classified information; (3) positions designated as sensitive by OPM and the Office of the Director of National Intelligence; (4) dual-status military technicians subject to a determination of eligibility for acceptance or retention in the armed forces, in connection with concurrent military membership; (5) federal law enforcement officers; and (6) political appointees.
Agencies also may request exceptions from OPM on a case-by-case basis. In turn, OPM will consider such requests based on specific job-related reasons as to why the agency needs to evaluate an applicant’s criminal history for a position prior to making a conditional offer of employment, giving due consideration to positions that involve transactions with minors, access to sensitive information or managing financial transactions. OPM will consider, among others, such factors as the nature of the position being filled and whether a clean criminal history record would be essential to the ability to perform one of the duties of the position effectively.
The proposed OPM regulations also establish a complaint process for job applicants to allege violations of the Fair Chance Act. Applicants initially would file a complaint with the employing agency, which would investigate and transmit the complaint and corresponding investigative report to OPM. If OPM determines that an agency employee has violated the Fair Chance Act, OPM may direct an employing agency to: (1) issue the employee a written warning; (2) process a suspension; and (3) collect a civil penalty.
Next Steps for Federal Contractors
The NPRM is subject to a notice-and-comment period that ends June 27, 2022. Comments may be submitted through the Federal eRulemaking Portal. Once OPM issues a final rule, the FAR Council presumably will propose its own, largely consistent regulations. The FAR Council is required to explain any substantive modification of the OPM regulation. It remains to be seen how closely the contractor regulations will adhere to the regulations issued by OPM. Given the statutory mandate that the FAR Council model its regulations on the OPM’s regulations, federal contractors should remain alert for forthcoming proposed changes to the FAR.
FTC Blog: FTC Act Creates “De Facto” Breach Notification Requirement
The Federal Trade Commission (FTC) recently published a blog post asserting that Section 5 of the FTC Act may require companies to notify individuals of breaches of their personal data, even where there is no specific breach notification requirement under state data breach or other laws. The FTC explained in its blog post that a failure to provide breach notifications may in some cases “increase the likelihood that affected parties will suffer harm,” and that in such cases the FTC Act creates a “de facto breach disclosure requirement.”
Accordingly, the FTC’s blog post takes the position that a company must provide “timely, accurate, and actionable security disclosures” with “information to help parties mitigate reasonably foreseeable harm” resulting from the breach. The blog post, titled “Security Beyond Prevention: The Importance of Effective Breach Disclosures,” was authorized by the FTC’s chief technology officer (CTO) and its Division of Privacy and Identity Protection (the Commission’s division responsible for data privacy and security-related enforcement activities).
Not surprisingly, the blog post has garnered significant attention from data security and incident response practitioners. To see why, compare such an implicit, “de facto breach notification requirement” to explicit breach notification requirements under state data breach laws. Those state laws define covered data breaches; enumerate specific data elements and data types that give rise to notification obligations (e.g., Social Security number, drivers’ license number, biometric data, and others); dictate specific information that must be disclosed; and specify how disclosures may be made. Some data breach laws provide rubrics for companies to use when evaluating whether the potential harm from a breach is sufficient to require notification to individuals. In contrast, the FTC Act has no definition of a data breach, is not limited to any specific elements or types of data, does not specify what information must be disclosed (other than to say that such information must help individuals “mitigate reasonably foreseeable harm”) or how it should be disclosed, and contains no mechanism companies can use to evaluate potential breach risks, but “regardless of whether a breach notification law applies, a breached entity that fails to disclose information to help parties mitigate reasonably foreseeable harm may violate Section 5 of the FTC Act.”
Many companies would struggle to figure out when this de facto FTC Act requirement applies, the types of data that give rise to it, determine what harm would be “reasonably foreseeable,” and the information that must be disclosed to help affected individuals effectively mitigate risks. Making these determinations would be especially difficult where potential harm from the breach is very speculative. For example, the likelihood of harm arising from a compromise of an individual’s browsing history or recent purchases would vary significantly by individual, and it is difficult to know whether there is any information a company could disclose to help individuals mitigate any such harm. This de facto requirement could be read to expand companies’ notification obligations considerably beyond current requirements—both in terms of the data giving rise to such requirements and the circumstances in which notifications are required.
This is hardly the first time the FTC has made significant waves with its blog. In recent years, the FTC has announced several enforcement priorities and interpretations of its authority in blog posts. For example, in 2021, the FTC published a post explaining that it considered its existing enforcement powers sufficient to regulate against discriminatory artificial intelligence systems (for a discussion of that post, see here). In another post, the FTC stated that failure to patch the infamous Log4j security vulnerability could violate the FTC Act (we discussed that blog post here).
While an implicit breach notification requirement from the FTC Act could be interpreted very broadly, it is possible that FTC enforcement would be more limited, focusing on cases where companies make misleading breach disclosures, conceal one or more breaches from consumers, or fail to provide readily available information to mitigate concrete harms like identity theft. DWT’s information security team will continue to monitor these developments.
CFPB Affirms Ability for States to Police Credit Reporting Markets
The Fair Credit Reporting Act does not stop states from enacting laws to tackle credit reporting problems related to medical debt, tenant screening, and other consumer risks.
Today, the Consumer Financial Protection Bureau (CFPB) issued an interpretive rule affirming states’ abilities to protect their residents through their own fair credit reporting laws. With limited preemption exceptions, states have the flexibility to preserve fair and competitive credit reporting markets by enacting state-level laws that are stricter than the federal Fair Credit Reporting Act (FCRA).
“Given the intrusive surveillance that Americans face every day, it is critical that states can protect their citizens from abuse and misuse of data,” said CFPB Director Rohit Chopra. “The legal interpretation issued today makes clear that federal law does not automatically hit delete on state data protections.”
Enacted in 1970, the Fair Credit Reporting Act, among other things, defines the permissible uses of, and establishes guidelines for information included in, credit reports. It also creates a process for people to dispute information in their credit files.
The federal statute leaves states with the flexibility to consider and enact laws that reflect challenges and risks affecting their local economies and residents. For example, tenant screening reports may contain questionable or incorrect information that impedes renters’ access to housing. States are able to enact protections against abuse and misuse of data to mitigate these consequences.
Congress made clear that the Fair Credit Reporting Act preempts only narrow categories of state laws. As federal regulators learned from the 2007-2008 mortgage crisis and ensuing Great Recession, federal preemption of state laws can stop state regulators from identifying dangerous patterns and mitigating market risks. Accordingly, today’s interpretive rule makes clear:
Today’s announcement is part of the CFPB’s work to support the role of states to protect consumers and honest businesses. On May 19, the CFPB issued an interpretive rule that describes states’ authorities to pursue lawbreaking companies and individuals under the Consumer Financial Protection Act. The CFPB will continue to consider other steps to promote state enforcement of fair credit reporting along with other parts of federal consumer financial protection law. These steps include consulting with states whenever interpretation of federal consumer financial protection law is relevant to a state regulatory or law enforcement matter, consistent with the State Official Notification Rule.
The issuance of today’s rule arises from the Office of the New Jersey Attorney General notifying the CFPB of pending litigation that included an allegation the FCRA preempted a New Jersey consumer protection statute.
New York Lawmakers Pass Statewide Salary Disclosure Law
As part of the end-of-session rush of legislative activity, New York State lawmakers passed a bill that will require private-sector employers in the state to disclose salary ranges on job postings. The bill now heads to Governor Kathy Hochul for her signature or veto. If enacted – which is expected – New York will be the latest state to jump on the hottest trend in pay equity legislation. Here is what employers need to know about the legislation – which potentially has nationwide reach.
What the Law Entails
New York’s salary transparency law mandates that employers disclose the compensation or range of compensation in any advertisement for a job, promotion, or transfer opportunity. The “range of compensation” means the minimum and maximum annual salary or hourly rate that the employer in good faith believes to be accurate at the time of the job posting. For positions compensated solely on a commission basis, employers can comply with the law by including a general statement that compensation will be based on commissions. In addition to salary disclosure, employers must also provide the job description for the position, if one exists. The statute applies to employers with four or more employees, so it excludes only the smallest employers from compliance. Temporary help firms are also excluded from compliance. Employers are required to keep records that show history of compensation ranges for each job opportunity and the job description for the position.
Importantly, the statute expressly applies to any jobs that can or will be performed, at least in part, in the state of New York. This means the statute seemingly applies to all listings for remote positions that can be performed wherever the employee resides because the position could be filled by an applicant who lives in New York who would thus work remotely in the state. Accordingly, the statute has reach beyond employers with a physical presence in the state.
Employers who fail to comply with the statute face civil penalties of up to $3,000, depending on employer size, good faith, gravity of the violation, and history of previous violations. Any person aggrieved by a violation of the statute can file a complaint with the New York labor commissioner, but there is no private right of action for an employee to file a lawsuit against the employer. Employers are, however, expressly prohibited from refusing to interview or hire or otherwise retaliating against any applicant or employee who exercises rights under the statute.
The statute directs the labor commissioner to issue rules and regulations to implement the statute and to conduct a public awareness campaign to help make employers aware of their obligations.
Pay Transparency Trend Continues
All employers must have pay transparency at top of mind, as this continues to be the hottest trend in pay equity legislation. Colorado, Washington, and New York City have all enacted similar pay transparency laws requiring disclosure of salary in job postings. Some jurisdictions, like Connecticut, Nevada, and Rhode Island require employers to proactively disclose salary ranges to candidates during the hiring process but not in job listings, while others require employers to provide pay ranges to candidates upon request (such as California, Maryland, and Cincinnati and Toledo, Ohio). We expect additional states and cities to consider similar pay transparency laws in the coming months. California, for example, has a pending bill which would require employers to provide the pay scale for a position to applicants, and some form of pay transparency laws have been proposed in Alaska, Massachusetts, Michigan, South Carolina, and Vermont. You can review pay equity initiatives by checking out the FP Pay Equity Map.
5 Steps to Take Now to Comply
The New York law will take effect 270 days after signed by Governor Hochul, assuming she signs it. So the effective date may be sometime in March 2023, depending on the date of signature. You should use this time to prepare to comply with the law. Here are five steps you should consider:
With COVID-19 Numbers on the Rise, Puerto Rico DOH Updates Quarantine and Isolation Guidelines
The Puerto Rico Department of Health (PR DOH) has issued new Guidelines for Case Investigation and Contact Tracing for COVID-19 (Guidelines). These provide updates to previously issued quarantine and isolation guidelines. With COVID-19 positivity rates nearing 30% on the Island, employers are struggling to maintain their operations while complying with PR DOH guidelines on quarantine and isolation. The following is a summary of the latest requirements.
We begin by recapping certain important definitions.
Close contact includes any person exposed to a confirmed or probable case of COVID-19, at a distance of less than 6 feet for at least 15 cumulative minutes in a 24-hour period.
Fully vaccinated is defined as follows, pursuant to applicable age groups:
With regards to the terms isolation and quarantine, the Centers for Disease Control and Prevention (CDC) provides an easy distinction between both: quarantine keeps someone who might have been exposed to the virus away from others; isolation keeps someone who is infected with the virus away from others, even in their home. Thus, a person will need to quarantine when they suspect exposure to a transmittable disease, but once they confirm infection, isolation is required.
According to the Guidelines, the following are the four potential scenarios for COVID-19 isolation in Puerto Rico:
The Guidelines provide the following quarantine guidelines in Puerto Rico2:
These guidelines establish the minimum compliance; employers are free to adapt more restrictive or conservative measures in the workplace. It is important to remember that employers continue to have an obligation to notify the PR DOH immediately if a case of COVID-19 is identified in the workplace to initiate the investigation of cases and contact tracing. Employers must notify the PR DOH via email at: [email protected] using the Agency’s form.
Many States Impose Requirements for Surveillance at Work
With the rise of remote work, employers are increasingly considering measures to monitor employee’s work, whether for security purposes, or to monitor productivity. But employers take note: some states are starting to weigh in by passing laws that limit employer monitoring or require employers to notify employees that they are monitoring them. And recording employee calls is a whole separate issue governed by state law. In some states, only one party need consent to recording the call, while in others all parties must consent.
New York has become the latest state to take action on monitoring. Effective May 7, 2022, the New York law requires private employers to notify employees if they monitor or otherwise intercept phone conversations, email, or internet access or usage, or usage of any other electronic device or system including but not limited to a computer, telephone, wire, or other electronic communication system. Employers in New York are required to notify both current employees, and newly hired employees, and to post the notice in a conspicuous place readily viewed by impacted employees. Employers should further have employees acknowledge receipt of the notice, and keep the acknowledgements. Employers who violate this law in New York may be fined $500 for a first offense, $1,000 for a second, and $3,000 for all subsequent offenses.
With the passing of this law, employers should be on the lookout for other states that may shortly follow suit. Connecticut already has a similar law requiring employers to issue a written notice to employees if they are being electronically monitored in the workplace. The Connecticut law also prohibits an employer from requesting or requirements employees or applicants to provide to the employer usernames and passwords for personal online accounts, to access or authenticate a personal online account in the employer’s present, or invite the employer or accept the employer’s invitation to join a group related to the employee’s personal account.
Delaware also requires that an employer provide notice to employees of monitoring: either an electronic notice of employer monitoring or intercepting policies one each day the employee accesses the employer-provided email or internet access services, or a one-time notice of the employer’s monitoring or intercepting policies.
In California, whether an employer can monitor or record an employee’s telephone communications and/or internet usage depends on whether the employee has a reasonable expectation of privacy. Courts in California consider who owns the equipment in question, whether the employee was given notice that a device they were given may be monitored, whether the employee had the opportunity to consent or reject monitoring, and accepted community norms.
In Texas, employer monitoring of employee electronic communications is considered an invasion of privacy. An employer may monitor its own phone system in order to ensure that employees are using the system for its intended purposes, however, employers must inform employees that this monitoring may be taking place.
Some states have not specifically addressed employer monitoring, but have other strict privacy laws that may consider an employer monitoring their employees’ communications to be an invasion of privacy. For example, in Alabama employers are prohibited from overhearing, recording, amplifying, or transmitting any part of a private communication (with very limited exceptions). In some states, including Arizona, Colorado, the District of Columbia, Illinois, Iowa, Kansas, Texas, and Wyoming, the interception of electronic or oral communications is prohibited unless the interceptor is a party to the communication, or a party to the communication consents.
Five (5) states, including Florida, require all parties to consent to record a telephone call. In Michigan, all parties must consent to the recording of a telephone call if a third party does the recording, but allows one party consent if a participant records; and Montana and Washington state laws require all parties to consent to recording, unless a recording party gives proper notice.
Rhode Island Becomes the 19th State to Legalize Recreational Cannabis
On May 25, 2022, Rhode Island Governor Dan McKee signed the Rhode Island Cannabis Act (the “Act”) into law, which legalizes recreational cannabis in Rhode Island.
Some key highlights of the Act include the following:
The New Regulatory Framework
The Act creates a three-member Rhode Island Cannabis Control Commission (the “Commission”) to be appointed by the governor with input from the House Speaker and Senate approval. The Commission will be responsible for, among other things; (1) adopting, amending, and repealing rules and regulations for the implementation, administration, and enforcement of the Act (the “Rules and Regulations”); (2) determining which applicants shall be awarded licenses under the Act; and (3) establishing the process and methodology for awarding licenses.
The Commission will be assisted by a Cannabis Advisory Board, comprised of 11 voting members and eight non-voting members, and the Office of Cannabis Regulation in the Department of Business Regulation. The Cannabis Advisory Board will collaborate with the Commission and the administrator of the cannabis office to advise and issue recommendations on the use, commerce, regulation and effects of recreational and medical cannabis within the state.
Automatic Expungement of Past Convictions
One of the most notable provisions of the Act is a provision providing for the automatic expungement of prior civil or criminal cannabis possession charges. Recognizing the harm caused by decades of prohibition, the bill’s sponsors included a process that gives courts until July 1, 2024 to automatically expunge prior convictions, and those who want their expungement sooner may request it and have costs waived. Under the legislation, any prior civil violation, misdemeanor or felony conviction for possession of marijuana that would be decriminalized will be automatically erased from court record systems.
DC Bill Prohibits Many Firings Due to Marijuana Use
The District of Columbia Council has unanimously passed legislation that would prohibit private employers from terminating, penalizing or declining to hire workers who test positive for marijuana use or who use the drug outside of work. The law would not apply to federal government jobs or contractors, because marijuana remains illegal at the federal level, and the measure also excludes some “safety-sensitive” positions.
Colorado becomes 7th state with a ‘clean slate’ law
On May 31, Colorado Governor Jared Polis signed the Clean Slate Act into law, making Colorado the seventh state to have one. “Clean slate” laws “create an automatic sealing process for old criminal records if a person remains crime-free for a set period of time,” Abby Diebold of the Responsible Business Initiative for Justice (RBIJ) told HR Dive in an email. Pennsylvania, Utah, Michigan, Connecticut, Delaware and Oklahoma have similar laws.
Colorado’s Clean Slate Act, SB22-099, allows for arrest records that don’t result in a conviction to be automatically sealed. Other criminal records that can be automatically sealed include civil infractions with four years since the final disposition, petty offense or misdemeanor records with seven years since the final disposition, and felonies with 10 years since the final disposition or release from jail, whichever comes later, Diebold explained. Crimes involving violence, such as murder, assault, sexual assault and robbery, which fall under the Crime Victims Rights Act, are not eligible. Colorado law also prevents record-sealing if the defendant still owes restitution, fines or court fees in the case.
With some exceptions, SB22-099 requires consumer reporting agencies, which employers typically use for background checks, to exclude sealed and expunged records from their reports. By making the process automatic, the law removes barriers, such as having to file a court petition, pay a fee, attend hearings and often secure legal representation, that commonly deter otherwise eligible individuals from getting their criminal records sealed. Automatic sealing of qualifying records under SB22-099 begins in 2024.
Vermont Enacts Insurance Data Security Law
On May 27, 2022, Vermont Governor Phil Scott signed H.515, making Vermont the twenty-first state to enact legislation based on the National Association of Insurance Commissioners Insurance Data Security Model Law (“MDL-668”). The Vermont Insurance Data Security Law applies to “licensees”—those licensed, authorized to operate or registered, and those required to be licensed, authorized or registered, under Vermont insurance law, with few exceptions. The new law generally follows MDL-668’s provisions, adopting the model law’s broad definition of nonpublic information and requiring licensees to, in part, maintain a written information security program (“WISP”) and investigate cybersecurity incidents. Unlike other state laws based on MDL-668, however, the Vermont Insurance Data Security Law declines to establish separate cybersecurity event notification requirements for licensees.
Information Security Program Requirements
Under the new law, licensees must develop, implement and maintain a comprehensive WISP that contains administrative, technical and physical safeguards for the protection of nonpublic information and the licensee’s information system. Licensees must conduct a risk assessment to create a WISP “commensurate with the size and complexity of the licensee, the nature and scope of the licensee’s activities, including its use of third-party service providers, and the sensitivity of the nonpublic information.” Among other requirements, licensees’ information security programs will be required to:
Licensees must annually certify their compliance with these information security program requirements in writing to the Vermont Deputy Commissioner of Insurance (the “Commissioner”) by April 15 and maintain records supporting the certification for five years. If a licensee has a board of directors, it also must provide the board with an annual written report on the WISP, compliance with the Vermont Insurance Data Security Law and other material matters related to information security.
Cybersecurity Event Investigation and Notification Requirements
Under the law, licensees must promptly investigate actual and potential cybersecurity events and undertake reasonable corrective measures. Licensees must maintain records about these cybersecurity events for at least five years. However, unlike MDL-668 and other state laws based thereon, the law does not impose notification obligations on licensees following a cybersecurity event. Instead, licensees are bound by the notification requirements of the Vermont Security Breach Notice Act, 9 V.S.A. § 2435.
Certain Licensees Are Exempt from the Law’s Requirements
Licensees will be exempt from the law’s information security program requirements if they (1) have fewer than 20 employees, including independent contractors; (2) are subject to HIPAA, maintain a HIPAA-compliant information security program and submit an annual written certification to the Commissioner; (3) are an employee, agent or representative of another licensee that is covered by the other licensee’s information security program; or (4) can produce documentation, as requested by the Commissioner, that they are subject to and in compliance with the interagency guidelines establishing standards for safeguarding customer information as set forth under the Gramm-Leach-Bliley Act.
Licensees are wholly exempt from the law if they are compliant with the New York Department of Financial Services Cybersecurity Requirements for Financial Services Companies (23 NYCRR §§ 500.0 to 500.23) and they submit a written statement to the Commissioner certifying such compliance.
Enforcement and Penalties Under the Law
The law is to be enforced by the Commissioner and does not contain a private right of action. The Commissioner can investigate licensees to determine if they have violated the law, suspend or revoke the licensee’s license, report violations to the Vermont Attorney General for prosecution and issue administrative penalties of $1,000 per violation or $10,000 per willful violation.
The law will go into effect on January 1, 2023. However, licensees will have until January 1, 2024 to comply with the information security program requirements and until January 1, 2025 to implement the third-party diligence requirements.
Rhode Island Legalizes Recreational Marijuana and Protects Off-Duty Use for Employees
Rhode Island Governor Dan McKee signed a bill on May 25 legalizing recreational marijuana in the state. The law, which took effect immediately, prohibits basing adverse employment actions on off-duty marijuana use, unless certain limited exceptions apply.
The new law generally prohibits employers from terminating employment or taking any disciplinary action against an employee “solely for an employee’s private, lawful use of cannabis outside the workplace and so long as the employee has not and is not working under the influence of cannabis.”
There are, however, a few exceptions to this general rule. If off-duty use is prohibited by a collective bargaining agreement, or the employer is a federal contractor or subject to a federal law or regulation under which the employer’s failure to terminate or discipline an employee would cause the employer to lose a monetary or licensing benefit, then the employer can impose necessary limitations on its employees. And, of course, working under the influence removes any job-related protections.
Notably, unlike some state laws, Rhode Island does not require a showing of on-the-job impairment, which should ease the burden when establishing the “under the influence” threshold.
The law also contains a safety-sensitive exception, which applies to any job, occupation, or profession that is “hazardous, dangerous or essential to public welfare and safety.” For these positions, employers may implement policies that prohibit the use or consumption of cannabis within 24 hours prior to a scheduled work shift or assignment. Under the law, the types of positions that qualify for this exception include, but are not limited to, those that require the operation of an aircraft, watercraft, heavy equipment, heavy machinery, commercial vehicles, school buses or public transportation, use of explosives, public safety first responder jobs, and emergency and surgical medical personnel. Given the broad scope of the exception, it will fall to the courts to test the contours.
For unregulated positions or positions that do not qualify for the law’s safety-sensitive exemption, employers may permissibly prohibit employees from (1) using or possessing cannabis in any workplace or location while an employee is performing work, including remote work; or (2) working under the influence of cannabis. Therefore, employers may continue to implement drug-free workplace policies that prohibit the use or possession of cannabis in the workplace or performing work under the influence of cannabis.
The law also provides for automatic expungement of certain civil violations and criminal convictions related to the possession of marijuana. Records will be expunged pursuant to procedures and timelines that will be determined by the judge overseeing the expungement hearing, but all eligible records will be expunged before July 1, 2024.
Under the law, employers cannot require an employee to disclose a sealed or expunged offense unless otherwise required by law. Employers should also be mindful of an existing Rhode Island law, which affords applicants for employment the right to deny the existence of an expunged offense.
TAKEAWAYS FOR EMPLOYERS
Rhode Island has joined an increasing number of states that are limiting employer discretion when it comes to basing adverse employment actions on lawful, off-duty use of marijuana. The Rhode Island law, however, creates a few gray areas that employers should be mindful of as they implement updates to their drug-related policies. For example, the law leaves open whether employers can permissibly impose zero-tolerance policies for salaried safety-sensitive roles, which are arguably always “on the clock,” such that the imposition of a prohibition on marijuana use 24 hours before a scheduled shift would effectively preclude all use.
In addition, the law’s use of an exemplary list of safety-sensitive positions affords employers (absent additional regulatory guidance) with some discretion to determine whether other roles may fall within the definition. Finally, the law does not provide for a private cause of action and does not impose civil or criminal penalties for disciplinary actions or termination decisions that violate the law’s requirements.
These ambiguities may become clear following litigation or through further legislative action. However, in the meantime, Rhode Island employers should review their drug use policies and procedures to ensure compliance with the law’s requirements.
Des Moines Passes ‘Ban the Box’ Law Prohibiting Criminal Inquiries on Job Applications
On November 15, 2021, the city of Des Moines, Iowa, passed a “ban-the-box” law that will limit employer inquiries and background checks into an applicant’s criminal history until after a conditional offer of employment. Though the law was passed and has already taken effect, it has received little fanfare and media attention despite its implications for employers.
The Des Moines city council unanimously passed the ordinance amending its municipal code to make it “illegal and discriminatory” for employers to: (1) include criminal history inquiries on an application, and (2) inquire into criminal history or conduct criminal background checks before a conditional offer of employment.
Under the law, employers may not:
The law defines the “application process” as beginning when the applicant inquires about the employment being sought and ends when the employer extends a conditional offer of employment. However, the law allows an employer to discuss the criminal record of an applicant if it is voluntarily disclosed by the applicant at an interview.
Additionally, employers are required to comply with all federal and state requirements relating to (1) authorizations for background checks, (2) the pre-adverse and adverse action process, and (3) the use of criminal record information.
A growing number of states and cities have passed ban-the-box laws in recent years aimed at encouraging employers to assess job applicants on qualifications and not a criminal record before denying an offer of employment.
The Des Moines law comes after the Iowa Supreme Court, in June 2021, upheld a provision of a city ordinance in Waterloo, Iowa banning employers from asking about criminal records on employment applications, finding the provision did not conflict with state law.
Private employers in Des Moines may want to review their application and hiring processes to ensure they are not engaging in criminal history inquiries or criminal background checks until after a conditional offer of employment.
Delaware moves forward with ‘ban the box’ legislation for college admissions
The Delaware Senate pushed through a bill this month that would forbid the state’s public and private colleges from inquiring about applicants’ criminal histories.
This is what’s known as “ban the box” legislation. Often, such measures limit employers from asking about a criminal record on job applications, but they have gained ground with colleges in the last several years.
Delaware’s proposal would permit colleges to ask about students’ criminal backgrounds once they were admitted so they can offer counseling or restrict participation in campus life. It also makes an exception for such offenses as stalking and sexual assault.
Ban the box policies were bolstered under former President Barack Obama, who took executive action in 2015 to block federal agencies from inquiring about criminal history during the job application process. His administration later solidified this practice in a regulation.
Proponents of ban the box say it helps reduce recidivism and discrimination against former offenders. Skeptics in higher education say questions on criminal background are necessary to learn as much as possible about applicants and keep campuses safe.
However, ban the box advocates say there’s no correlation between campus safety and students’ past convictions.
A 2015 report by the Center for Community Alternatives, a nonprofit advocating for criminal justice reforms, examined the application policies of the State University of New York system, which at the time asked about criminal history. The report found that some of the most visible campus crimes were committed by those with no criminal history, including the 2009 murder of a Binghamton University professor by a graduate student.
At the same time, asking prospective students about felony convictions dissuaded them from applying to SUNY, the nonprofit found. It estimated nearly 2,930 students indicated they had a felony conviction, and almost 1,830 of them did not complete their applications.
SUNY in 2016 ended the practice of applicants needing to declare felony convictions. It replaced the policy with requirements that students declare prior felony convictions when they sought campus housing, clinical work, internships or study abroad.
Many colleges still pose application questions on criminal records.
A survey cited in a 2019 American Association of Collegiate Registrars and Admissions Officers report found 70% of four-year colleges include admissions questions on criminal history. Of those, more than 80% of private institutions and 55% of public institutions did.
However, this data was collected prior to the Common Application announcing in 2018 that it would do away with questions about criminal history. The Common App, the online portal for admissions, at the time had about 800 member institutions. It has since grown to roughly 900.
In Delaware, the University of Delaware and Delaware Technical Community College do not ask applicants about their criminal records, according to news reports. Delaware State University, Wilmington University and Goldey Beacom College do.
A summary of the bill notes that banning questions about criminal histories is intended to promote diversity.
Under the bill, colleges that deny applicants because of a violent offense, such as sex crime, would need to disclose that fact to them.
The proposed legislation also requires the state’s education department to compile an annual report from each institution that includes the race and gender of applicants and accepted students.
Federal Appeals Court Sides with Employer in Job Applicant’s Background Check Suit
A job applicant who didn’t disclose a felony conviction can’t sue her prospective employer under a federal background-check law for failing to provide proper notice before rescinding her offer, according to a recent decision from a federal appeals court. The job applicant didn’t claim the background report was wrong. Instead, she argued that she should have been given a chance to explain the conviction before the offer was withdrawn. In Schumacher v. SC Data Center, Inc., the 8th U.S. Circuit Court of Appeals ruled in favor of the employer even though it technically violated the Fair Credit Reporting Act (FCRA). The act doesn’t give applicants the right to explain negative but accurate information in a consumer report before the employer can make an adverse employment decision, the court said in a May 3 decision. Although the ruling is good news for employers, you should take the following three steps to comply with FCRA’s notice requirements and avoid similar claims.
1. Don’t Jump to Conclusions
In the Schumacher case, Ria Schumacher applied for a position with SC Data Center. She stated on the job application that she had never been convicted of a felony but added that she “was once arrested in 1996 at age 17 and then found not guilty.”
SC Data Center conducted a background investigation through a third party, which revealed that Schumacher was actually convicted of murder and armed robbery in 1996. Based on this information, the employer rescinded the offer without giving her a chance to correct or explain the results. Schumacher filed suit against SC Data asserting that the company violated FCRA by taking adverse employment action based on the background check without providing her with a copy of the report to review for accuracy.
In this case, the job applicant did not dispute the accuracy of the report. But when a discrepancy arises in a situation involving your company, you shouldn’t automatically assume that the results of the background investigation are correct or that the job candidate lied on the application. It’s important not to jump to conclusions but instead follow the proper process outlined by the federal statute.
“One of the primary goals of the FCRA is to protect consumers and employees from the dissemination of inaccurate information,” the 8th Circuit said. Congress amended FCRA in 1996 due to concerns about the level of inaccurate information reported by agencies and the challenges consumers face when they try to fix errors.
2. Document Your Process
You should create and follow a process to ensure employees receive required disclosures, provide appropriate authorization and receive all necessary notices from start to finish during the background investigation. Because lawmakers didn’t want employers making hiring decisions based on inaccurate information, FCRA requires employers to provide job applicants and employees with notice that they intend to make a decision based on a background report before making the decision, a copy of the report, a description of their FCRA rights, and a reasonable opportunity to respond to any information that may be incorrect. We recommend you read our earlier Insight, Avoiding Hidden Hiring Landmines: 4-Step FCRA Compliance Plan for Handling Pre-Adverse Action Notices, for more detail.
In this case, SC Data Center didn’t follow these steps, leading Schumacher to bring a class-action lawsuit. Although the court sided with SC Data Center, the outcome hinged on the accuracy of the felony conviction.
SC Data Center clearly wrote on the report that the offer was rescinded due to undisclosed felony convictions. “While it is true that Schumacher did not receive a copy of her report prior to rescindment of the job offer, she has not claimed the report was inaccurate,” the 8th Circuit said.
“We decline Schumacher’s request to create an additional right under the FCRA – that is, the right to explain to a prospective employer negative but accurate information in a consumer report prior to the employer taking an adverse employment action,” the court added.
3. Review Laws in Your Locations
Finally, you should always check the rules in your jurisdiction. The legal analysis in this case is a bit technical – focusing on whether the employee alleged a “concrete injury” or only “a bare procedural violation, divorced from any concrete harm.” The 8th Circuit Court of Appeals – which hears cases arising in Missouri, Minnesota, Arkansas, Iowa, Nebraska, North Dakota, and South Dakota – ruled that Schumacher failed to show she suffered a concrete injury from the company’s improper disclosure, so she lacked “standing” to bring the lawsuit.
Other federal circuit courts, however, have reached different results. For example, the 3rd Circuit (with jurisdiction over New Jersey, Pennsylvania, and Delaware) has said “taking an adverse employment action without providing the required consumer report is the very harm that Congress sought to prevent, arising from prototypical conduct proscribed by the FCRA.” This means that employers in the 3rd Circuit may be on the hook for failing to provide a copy of the report, even if the accuracy is not disputed. Additionally, not all state courts, which may also exercise jurisdiction over FCRA actions, require a concrete injury “standing” requirement.
What does it matter? Claims for technical violations can turn into costly class-action lawsuits against employers.
Additionally, state laws on background checks vary significantly and may involve more steps than what is required under FCRA. Some states, counties, and cities also have so-called “ban-the-box” and “fair chance” laws that prohibit employers from asking about criminal history on job applications, or require very specific steps before relying on criminal histories in making employment decisions. Therefore, you should carefully review the rules in the locations where your employees are located and coordinate with your workplace law counsel to make sure you have appropriate steps in place to comply.
Background Screener Agrees to Resolve Class Action Over Alleged Misreporting of Criminal Convictions
On May 26, preliminary approval was sought to resolve a proposed class action, pending in the U.S. District Court for the District of Minnesota, against background screening company Inflection Risk Solutions LLC (Inflection). The proposed settlement seeks to resolve claims that Inflection violated the Fair Credit Reporting Act by allegedly reporting misdemeanor convictions as felonies in criminal background reports, without noting that such convictions, though originally categorized as felonies, had been deemed misdemeanors by operation of Minnesota law. The case is Taylor v. Inflection Risk Solutions LLC, No. 0:20-cv-02266-PAM-JFD (D. Minn.).
Plaintiff Tony Taylor filed the complaint after being informed by Airbnb, following a rent application, that due to the results of his criminal background report, Taylor was permanently barred from making any reservations via Airbnb, and his account was deactivated. Inflection’s screening report indicated that Taylor had a felony conviction, despite allegations that this conviction was deemed a misdemeanor under the Minnesota Criminal Code due to Taylor’s successful completion of his probation terms without a prison sentence. Further, the report categorized his conviction as a violent offense, despite Taylor’s allegations that Minnesota court records never included this classification. Taylor asserted two putative class action claims under Section 1681(e)(b) of the Fair Credit Reporting Act for (1) misreporting misdemeanors as felonies on behalf of a deemed misdemeanor class, and (2) misreporting a nonviolent offense as violent on behalf of a nationwide inaccurate offense characterization class and a Minnesota inaccurate offense characterization subclass.
The proposed settlement includes a $4 million common fund divided between the deemed misdemeanor class and the nationwide inaccurate offense characterization class, with no reversion of any portion of the fund to Inflection. The deemed misdemeanor class includes an estimated 994 individuals whose convictions were reported as felonies despite being deemed misdemeanors under the Minnesota Criminal Code. The nationwide inaccurate offense characterization class includes an estimated 38,916 individuals who were the subject of a report that characterized an offense as “violent,” but where the description of the crime on the report is one of the parties’ agreed-upon list of offenses that do not involve a violent act (included in an exhibit to the settlement agreement). The nationwide inaccurate offense characterization class is further divided into two subclasses based upon whether class members are entitled to automatic payment or must submit a claim form.
The common fund will allocate $747,000 to the deemed misdemeanor class, with estimated payments of $470 per class member, and $3,253,000 to the nationwide inaccurate offense characterization class, with estimated payments of $95 per class member. To address the alleged reporting errors raised in the litigation, Inflection has made changes to its offense categorization system to characterize certain offenses as “other,” rather than as “violent,” and has reduced its error rate with respect to its review of Minnesota conviction records.
Excusing False Positive Drug Test Caused by CBD Use May Be a Reasonable Accommodation, Says U.S. District Court in Louisiana
A federal district court in Louisiana, in Huber v. Blue Cross & Blue Shield of Florida, Inc., recently denied an employer’s motion for summary judgment in an Americans with Disabilities Act (ADA) and Louisiana Employment Discrimination Law (LEDL) case, finding, among other things, that accounting for and excusing a false positive drug test resulting from extended cannabidiol (CBD) use may be a reasonable accommodation.
Michelle Huber, an IT business analyst who worked remotely for Blue Cross and Blue Shield of Florida, Inc. (BCBS), suffered from recurrent debilitating migraines for which she received an accommodation beginning in 2006 and took frequent leave under the Family and Medical Leave Act (FMLA) from 2014 through 2016. In 2016, Huber was diagnosed with hemiplegic migraines, which cause one-sided weakness and total impairment for up to three days. In 2017, her doctor recommended “non-psychoactive hemp-based CBD oil” to manage her migraines. While using CBD oil, Huber’s migraines improved, and so did her work performance. In fact, Huber was promoted, received “five out of five” performance ratings, and reduced her overall FMLA leave after starting a CBD regimen.
In 2019, Huber was informed that she would be required to take a drug test due to federal contract requirements. Huber reminded her supervisor of her disability, that her medications included CBD oil, and that due to her promotion she was not covered by the federal contract at issue. Huber’s supervisor instructed her to “play along” and take the drug test anyway because the results would not have any bearing on her job. Despite these assurances, the employer terminated Huber’s employment after she failed the drug test for tetrahydrocannabinol (THC)—the psychoactive compound in marijuana.
Huber filed suit alleging that BCBS violated the ADA and LEDL by terminating her employment based on her disability, by failing to accommodate her disability, and by intentionally interfering with her rights under the ADA. BCBS filed a motion for summary judgment, arguing that Huber was not a “qualified individual” under the ADA or LEDL because passing a drug test was a requirement for the job, and that its stated reasons for her discharge—her failing the drug test—was not a pretext for unlawful discrimination. U.S. District Judge Mary Ann Vial Lemmon denied summary judgment on all claims.
The District Court’s Decision
At issue in Huber’s wrongful termination claim was whether she was a qualified individual under the ADA or LEDL. The court found that whether Huber was qualified was a question for the jury because it was not clear that the federal contract applied to her, and even if it did, BCBS had failed to show that she was under the influence of illegal, non-prescribed controlled substances while working remotely. Huber submitted an affidavit averring that she had never used marijuana, and she submitted a letter from her doctor explaining that the CBD oil product she was taking could produce a false positive. BCBS’s medical review officer (MRO) testified the results “were too high to be a false positive,” but its own senior employee relations consultant testified that the MRO did not appear to have considered whether Huber’s fourteen other prescription medications in combination with her chronic health conditions, her body weight, and her extended use of CBD oil over several years could have caused her to metabolize CBD oil at a much slower rate than normal, resulting in the positive result. The court went on to explain that BCBS’s reliance on a 15 ng/mL cutoff for THC was below the low end of Louisiana’s statutory range of 50 – 100 ng/mL for THC concentrations that can have negative employment consequences.
The court also found fact issues regarding whether the reason for discharge—failing a drug test—was pretextual. BCBS argued that it had “accommodated [Huber’s] disability for over a decade,” that she had been granted leave under the FMLA and was able to take time off as needed, and that following the same round of testing that resulted in her discharge, two other non-disabled employees were terminated for positive drug screens, including one who claimed that his test result was a false positive caused by CBD oil. Huber argued that BCBS’s true motivation for her discharge was discriminatory because, she alleged, the company was trying to avoid future healthcare costs for her disability, which had already cost more than $700,000.
The court noted that Huber “pointed to evidence that even if [BCBS’s] proffered reason [were] true, an additional motivating factor could have been [her] disability, which ha[d] required [BCBS] to absorb extensive medical costs.”
“This theory,” the court stated, “together with the issue whether the drug test was actually required for [Huber’s] position, indicate outstanding issues of fact.”
The most interesting issue in the case is the failure-to-accommodate claim. BCBS conceded that Huber was a qualified individual with a disability and that it was aware of the limitations imposed by the disability. BCBS challenged whether it had failed to reasonably accommodate her known limitations. Huber asserted that BCBS had “failed to accommodate her by not allowing her to use medically prescribed, non-psychoactive CBD oil to manage her migraines.” BCBS countered that argument by asserting that it never restricted Huber from taking CBD and that Huber was asking it to ignore a positive drug test result for THC. Excusing a positive test result is not a reasonable accommodation, BCBS argued, but a form of preferential treatment.
The court found that the accommodation sought by Huber—that she be allowed to use CBD oil to control her migraines—necessarily implied that a false positive caused by the CBD oil would not be held against her. “Thus, for the accommodation to be reasonable,” the court wrote, “[the] defendant must provide some way to account for and excuse a false positive.” The court noted that while BCBS had argued that Huber had been given an opportunity to provide additional information about her CBD use, it was not clear to the court that BCBS had actually considered the additional information provided by Huber to explain her positive test result. The court further stated that the employer had failed to provide a good-faith basis for its conclusion that Huber’s 90ng/mL result was a definitive positive result (not a false positive) though it fell within Louisiana’s statutory range of excusable levels when negative employment consequences might occur based on nanogram level. Accordingly, the court found a fact issue on the reasonable accommodation claim.
Lastly, the court allowed Huber’s ADA interference claim to advance, noting that the U.S. Court of Appeals for the Fifth Circuit has not yet articulated a specific test to state such a claim. The court explained that by using CBD oil to control her migraines, Huber “engaged in the enjoyment of a protected right” and “[a]n implied corollary of that accommodation is that the employer must make allowances for a false positive test caused by the CBD oil.”
First, it is important to keep in mind that this is a case involving the use of CBD oil—not medical marijuana, which has been permitted in Louisiana since 2019 and which is psychoactive because of the increased THC content. Nevertheless, CBD products contain trace amounts of THC (less than 0.3 percent). Because this is a CBD case, and not a marijuana case, the court was not required to reconcile the apparent conflict between the ADA, which does not recognize marijuana as a lawful prescription drug because it is a Schedule I controlled substance under federal anti-drug laws, and the LEDL, which does not replicate the ADA’s treatment of marijuana.
Second, with the growing popularity of CBD oil to treat a myriad of health issues including pain, anxiety, and sleep issues, employers may want to be prepared to address possible false-positive drug screens caused by trace amounts of THC in some CBD oils. Employers also may want to consider how to accommodate false-positive drug tests caused by the use of CBD oils, as explained by the district court. When evaluating a positive drug test for THC, employers may want to consider all relevant facts, including the employee’s medical history.
Finally, employers in Louisiana may want to consider Louisiana’s statutory range of 50 ng/mL – 100 ng/mL for THC concentrations before making negative employment decisions.
A Job Applicant is not an Employee for Compensation Purposes
Seyfarth Synopsis: The Ninth Circuit recently concluded that job applicants are not entitled to compensation for time devoted to pre-employment drug tests because an employment relationship has not yet been formed. The Ninth Circuit held that the “control test” does not apply to job applicants, and that, under California contract law, the applicants had no contract for employment until they passed the pre-hire drug tests. Johnson v. WinCo Foods.
On August 23, 2017, Plaintiff Alfred Johnson filed a class action complaint in California state court alleging that he was an employee when he took a drug test as part of WinCo Food’s “contingent job offer.” Johnson asserted claims under the California Labor Code and California’s Unfair Competition Law, seeking compensation for the time and expenses (mileage) associated with traveling to, and taking, the drug test. (WinCo paid the cost of administering the drug test). WinCo Foods removed the case to federal court under the Class Action Fairness Act.
The District Court’s Decision
After the District Court granted Johnson’s motion for class certification, both parties moved for summary judgement on the substantive claims. The District Court granted summary judgment in WinCo Food’s favor, holding that Johnson and the class members were not employees when they took the drug test under either a “control theory” or “contract theory” of employment.
The Ninth Circuit’s Decision
The Ninth Circuit Court affirmed the District Court’s ruling, noting the lack of “authoritative California state court” guidance on this recurring issue. It declined to send the question to the California Supreme Court, however, because “California law is clear”: Johnson and the other class members “were not yet employees” when they took the drug tests and thus were not owed any compensation for any associated time and expenses.
The Court first held that the “control test” established by the California Supreme Court in Borello and Martinez does not apply to job applicants taking a drug test. This is because “control over a drug test as part of the job application process is not control over the performance of the job,” and “class members were not performing work for an employer when they took the preemployment drug test; they were instead applying for the job.”
The Court rejected Johnson’s suggestion that pre-employment drug screening is akin to the (possibly compensable) interviews that staffing agencies require individuals to attend prior to receiving job placements with staffing agency clients. The “key difference,” the Court noted, is that staffing agency workers “were doing the employment agency’s work when they went to the job interviews, whereas Johnson and fellow class members were not doing work for WinCo when they took the drug tests.”
The Ninth Circuit then addressed Johnson’s “contract theory”—namely, that an employment contract was formed the moment class members accepted WinCo Food’s contingent job offer, and that the drug test was merely a “condition subsequent” allowing WinCo to terminate the employment relationship in the event of a drug test failure. The Court rejected this argument, noting that “WinCo went to great lengths when the verbal offer was made to communicate that its job offer was conditional.” The Ninth Circuit therefore concluded that passing a drug test was a “condition precedent” to contract formation, such that there was no employment contract until the contingency was satisfied.
WinCo was represented by Seyfarth Shaw.
What Johnson Means for Employers
Johnson makes clear that employers do not need to compensate job applicants for the time and expenses related to drug testing during the application process (except for the cost of the drug test, which employers should bear), and that the employment relationship does not begin until the condition is satisfied. To avoid any doubt, employers should be careful to expressly articulate that an offer of employment is contingent on passing the drug test, and explain what must be done to satisfy the contingency.
Luxembourg: CNPD adopts first ever GDPR certification mechanism
The National Commission for Data Protection (‘CNPD’) announced, on 8 June 2022, that it had adopted, on 13 May 2022, its certification mechanism, the General Data Protection Regulation (Regulation (EU) 2016/679) Certified Assurance Report-based Processing Activities (‘GDPR-CARPA’), making it the first certification mechanism to be adopted on a national and international level under the GDPR. In particular, the CNPD highlights that following the adoption of the GDPR-CARPA, companies, public authorities, associations, and other organisations established in Luxembourg now have the possibility to demonstrate that their data processing activities comply with the GDPR.
In addition, the CNPD outlined that the implementation of a certification mechanism can promote transparency and compliance to the GDPR, and allow data subjects to better gauge the degree of protection offered by products, services, processes, or systems used or offered by the organisations that process their personal data. However, the CNPD underlined that the GDPR-CARPA does not certify an organisation but rather specific processing operations.
Office of the Privacy Commissioner of Canada Issues Interpretation Bulletin
The Office of the Privacy Commission of Canada (OPC) issued an interpretive bulletin around the definition of “sensitive information” under the Personal Information Protection and Electronic Documents Act (PIPEDA). While not a binding legal interpretation, the bulletin provides guidance for compliance with PIPEDA. The bulletin provides examples of information determined to be “sensitive,” including in the health and financial sectors. While what information is “sensitive” will vary depending on the facts of each case, information related to health and financial data, ethnic and racial origins, political opinions, genetic and biometric data, an individual’s sex life or sexual orientation, and religious or political beliefs is generally considered sensitive.
The Netherlands: Monitoring Discrimination When Recruiting and Selecting Employees
Equal opportunity in the job market is not yet a given for everyone in the Netherlands; discrimination when recruiting and selecting new employees still occurs. The bill to oversee equal opportunities for recruitment and selection (Wetsvoorstel toezicht gelijke kansen voor werving en selectie) seeks to change this. The bill aims to create equal opportunities in the recruitment and selection process and to prevent discrimination in the labor market. The most important part of this bill is that employers and intermediaries1 must adopt a procedure ensuring equal treatment and preventing discrimination on the labour market.
Background and purpose of the bill
The bill is part of a wide range of measures and activities initiated by the government to promote equal employment opportunities and fair assessments based on knowledge and skills. It specifically looks at equal opportunities for all in the context of recruitment and selection and requires employers and intermediaries to operate without making unjustified distinctions, such as distinction based on religion, sex, nationality, disability, chronic illness and/or age.
The monitoring of recruitment and selection policies should encourage employers and intermediaries to adopt policies aimed at recruitment and selection that provide equal opportunities for all. The idea is that a written “procedure” will stimulate transparency, conscious behavior and informed choices, rather than automatic, unconscious behavior where biases may play a role.
Procedure: what should it look like?
If enacted into law, the bill would require organizations with 25 employees or more to adopt a written procedure. Although no specific details are given of what the procedure should look like, the bill’s Explanatory Memorandum does provide some guidance:
Finally, all parties should have insight into the procedure.
Inform employees in relevant positions
The employer and intermediary would be obliged to inform the employees involved in the recruitment and selection process about the risks of labour market discrimination and about the measures taken to prevent it.
Duty to verify when outsourcing recruitment and selection
The bill also provides for the situation where employers have outsourced the recruitment and selection to external parties. In those cases, employers have a duty to verify; the employer must be able to guarantee that the external party has a procedure in place (as described above).
The works council’s right of consent
Employers that have a works council would be required to submit the procedure to the works council for consent, as it can be regarded as a regulation in the field of recruitment policy within the meaning of the Dutch Works Councils Act (Wet op de ondernemingsraden).
Compliance; sanctions imposed by the Netherlands Labour Authority
The Netherlands Labour Authority (Nederlandse Arbeidsinspectie) would verify whether employers and intermediaries have adopted a procedure and could impose sanctions if employers do not comply with their obligations. The NLA would first demand compliance, followed by a fine if necessary that would be published and could therefore cause reputational damage.
The bill is currently being debated in the Dutch House of Representatives. To enable employers to draw up a procedure and, if required, submit it to the works council for consent, an implementation period would be applied of at least nine months after the publication of the Act. We will keep you informed.
Thailand: Supplementary legislation signed into law under the PDPA
The Royal Gazette of Thailand published, on 20 June 2022, four laws that accompany the Personal Data Protection Act 2019 (‘PDPA’). In particular, the four laws constitute the supplementary laws anticipated by the Ministry of Digital Economy and Society (‘MDES’), namely:
French Enforcement Authorities Publish First-Ever Guidance on Internal Anti-Bribery and Corruption Investigations
On March 7, 2022, the French Anti-Corruption Agency (Agence Française Anticorruption, or “AFA”) and the National Financial Prosecutor’s Office (Parquet National Financier, or “PNF”) jointly published a draft of their first-ever guidance on how businesses should conduct internal investigations related to bribery and corruption (the “Guide”).1 While the Guide targets companies with more than 500 employees and whose annual revenue exceeds EUR 100 million, the recommendations and best practices are a useful lodestar for businesses of any size operating in France.
The Guide is particularly notable given France’s June 2017 enactment of sweeping anti-corruption legislation known as Sapin II. As we have previously discussed,2 in passing Sapin II, France replaced its passive (and oft-criticized) approach to anti-corruption efforts with a sophisticated and increasingly proactive enforcement regime. In this context, the Guide—together with the recent AFA and PNF joint guidelines on France’s deferred prosecution agreements (Convention Judiciaire d’Intérêt Public, or “CJIP”)3 and the French national bar council (Conseil national des barreaux, or “CNB”) guidelines on best practices and ethical considerations for internal investigations4 —serves as a critical reference for businesses operating in the world’s seventh largest economy.5
I. THE GUIDANCE
Although it does not impose any legal requirements on companies operating in France, the Guide provides such companies with a roadmap for best practices when conducting an internal investigation. First and foremost, the Guide repeatedly recommends that companies communicate and cooperate with French enforcement authorities as early in the investigation process as possible. Implicit in these recommendations is that such cooperation increases the likelihood of favorable settlement terms, such as in an ensuing CJIP; however, unlike guidance from peer enforcement agencies in the United States6 and United Kingdom,7 the Guide does not directly explain how companies can receive credit for their cooperation with the government.
With respect to internal investigations themselves, the Guide outlines best practices when conducting employee interviews. In particular, the Guide recommends that investigators should distinguish between preliminary scoping or fact-finding interviews, and those where a specific employee is accused and the interview may serve as the basis for a disciplinary sanction, as the latter would legally be considered part of a disciplinary procedure rather than an internal investigation. Such guidance is informed by a 2016 decision from the Court of Cassation (Cour de cassation, France’s supreme civil and criminal appellate court) that distinguished an employee’s rights depending on the nature of the interview.8 As a result, the Guide recommends that practitioners structure their internal investigations such that interviews of key individuals are held later in the process, allowing for a more clear delineation between the investigatory and disciplinary phases.9
In the same vein, the Guide also emphasizes that investigations must be justified and proportionate in relation to the potential issue involved and must respect employees’ private lives. To achieve these goals and comply with Article 5 of the EU General Data Protection Regulation (GDPR), the Guide lists six key principles that companies should use to shape their investigations: (1) lawfulness, fairness, and transparency; (2) limitations on the purposes for collection, processing, and storage; (3) data minimization; (4) accuracy of data; (5) data storage limits; and (6) integrity and confidentiality. The Guide notes that penalties for non-compliance with these principles can result in a penalty of up to EUR 20 million or up to 4% of the company’s total worldwide annual revenue of the preceding financial year.10
Finally, the Guide summarizes recommended procedures for concluding internal investigations. Where an investigation confirms allegations of wrongdoing, the Guide notes that the company must not only discipline its employee in accordance with internal policies, but must initiate any disciplinary proceedings against an employee within two months from the time they have exact knowledge of the incident.11 The Guide also notes that while companies have discretion as to whether they report any incidents to the judicial authorities, the conclusions of internal investigations do not bind the authorities and the court may still seek criminal liability of the legal person.12 Where an internal investigation does not confirm allegations of corruption, the Guide recommends that the investigative team close the matter and internally archive a confidential report precisely detailing the steps taken in the inquiry.13 Where the results of the investigation are inconclusive, the Guide recommends that companies consider an external audit, particularly when a company cannot completely refute allegations of corruption.14 In all cases, the Guide recommends that companies reflect on any vulnerabilities identified during the investigation and update internal controls accordingly.15
II. EXPERT INSIGHTS & WHAT TO WATCH FOR
Stéphane de Navacelle, managing partner at Navacelle in Paris, views the guidance as a sign of France’s increasing appetite for enforcement:
“The guidance is the reflection of the PNF reaching a high level of sophistication and wanting to assert complete control over discussions with corporate defendants and, ultimately, individuals who fall within the scope of its investigations. It is likely that the PNF will feel more and more comfortable imposing plea deals (or trials) instead of DPAs when it views cooperation as less than absolute.”
As a result, de Navacelle advises that clients facing scrutiny should consider communicating with French authorities as early as possible: “Gaining credibility with the PNF at a very early stage—and the AFA when it comes knocking—is key. Where multiple enforcement authorities may be involved, the PNF has likely already been coordinating with the U.K. SFO or the U.S. DOJ by the time counsel is on-boarded.”
Ropes & Gray partner Amanda Raad agrees: “This increased desire by regulators around the world to lead investigations locally should not go unnoticed. It is critical to identify all relevant jurisdictions at the beginning of any investigation or review.”
Public comment on the draft Guide closed on April 8, 2022, and a final publication date has not yet been announced. While the draft Guide offers best practices and principles for companies seeking to comply with French anti-corruption laws, it remains to be seen whether and/or how French authorities—particularly the AFA and PNF—will reward businesses for their adoption of recommended best practices or voluntary cooperation with enforcement authorities. Legal observers will also be keeping a keen eye on the second term of newly reelected French President Emmanuel Macron, as well as the ongoing French legislative elections (on June 12 and 19, 2022), particularly given France’s leading parties’ divergent views on Sapin II.
Gender Pay Gap Reporting Regulations Published – Ireland
Almost one year after the enactment of the Gender Pay Gap (Information) Act 2021 (“Act”) in July 2021, the Government recently published the Employment Equality Act (1998 (Section 20A) (Gender Pay Gap Information) Regulations 2022 (“Regulations”), which gives effect to the Act and provides further details on the manner and timing of gender pay gap reporting obligations.
What is a Gender Pay Gap?
A gender pay gap is not the same as a failure to pay equal pay for like work. Employers are already obligated to pay equal pay to both genders for like work. A gender pay gap refers to the difference in the average hourly wage of men and women across a workforce. The Act requires employers to publish the gender pay gap differentials in their organisations, setting out pay differences between female and male employees.
We have set out below the specific gender pay gap information that must be reported by in scope employers. Employers must publish this information on their website or make it available in physical form for a period of three years in a manner that is accessible to all employees and the public. This report must include a written statement in which the employer explains the reasons for any gender pay differences and the measures (if any) being taken, or proposed to the taken, by the employer to eliminate or reduce such differences.
Timeline for Triggering Reporting Obligations:
By way of brief refresher, the Act requires employers with the following employee thresholds to report gender pay gap information in the next three years:
Our previous discussion on gender pay gap reporting obligations and the timing of such obligations is available here.
Key dates for employers with at least 250 employees:
Employers with at least 250 employees will be required to choose a date (known as a “snapshot date”) in June 2022 for the purpose of reporting. These in-scope employers will then be required to publish their gender pay gap report six months after the chosen “snapshot date” (i.e. if the “snapshot date” is 10 June 2022, the reporting date will be 10 December 2022).
The Regulations largely repeat the obligations contained in the Act. However, they also provide detailed metrics which employers are to base their gender pay gap reporting on including definitions of “bonus”, “allowance”, “hourly remuneration”, “ordinary pay” and “working hours” and how to calculate gender pay gap information using these definitions.
Information that must be Published:
The Regulations expand on the information to be published relating to mean hourly remuneration which includes the following:
The Regulations confirm that in scope employers must publish their gender pay gap report no later than six months after the relevant date (the date in June selected by the employer).
Further guidance and examples of how to calculate gender pay gap information are contained in the Regulations, which are available here.
Consequences for Non-Compliance with the Act:
Under the Act, employees may refer a complaint to the Workplace Relations Commission (“WRC”) alleging that their employer has failed to comply with their obligations under the Act. The WRC will investigate the complaint. If it finds the complaint well-founded, the WRC may order the employer to take a specified course of action. However, employees who make complaints under the Act do not have a right of compensation and there is no provision for monetary fines to be imposed on employers.
Separately, the Act empowers the Irish Human Rights and Equality Commission (“IHREC”) to apply to the Circuit Court or High Court for an order directing an employer to comply with its obligations under the Act. The IHREC must have reasonable grounds for believing that an employer is not complying with its obligations under the Act before it may make such an application.
Despite the limited legal consequences for non-compliance, there are reputational and organisational risks for employers as outlined below.
Although the Regulations only apply to larger Irish employers, all Irish employers should be aware of the spotlight this throws on their gender diversity and inclusion practices. Employers who have assessed their gender pay gap and steps that might be required to bridge it may have an advantage over their competitors at a time when the market pressures on recruitment and retention has never been tougher. Carrying out trial gender pay gap reviews with the benefit of legal professional privilege is recommended in order to identify and assess any issues that might exist in order to take appropriate steps to deal with it.
Sustainable gender diversity requires employers to take a holistic approach. Preferential treatment should only be used where it is necessary and proportionate and having first carried out a gender-neutral objective assessment of the facts. Clear, transparent policies and procedures, generous family-friendly leave entitlements for all genders, flexible working time arrangements, mindful performance management and career progression all play their part. Training and mentoring programmes for staff at all levels that emphasises equality of opportunity and the benefits of gender balance on leadership teams may also be helpful.
Most employers will have a gender pay gap; understanding why a gender pay gap exists and being able to demonstrate the measures envisaged to address and reduce any gender pay gap are likely to have a positive impact on recruitment, retention and workplace culture.
More consumers may gain access to once-unobtainable financial products if lawmakers open the door to new data sources for credit scores. Here’s how smaller data providers can do their part and remain compliant with federal regulations.
More consumers may gain access to once-unobtainable financial products if lawmakers open the door to new data sources for credit scores. Here’s how smaller data providers can do their part and remain compliant with federal regulations.
The FICO score has played an integral role in the financial lives of American consumers since its introduction in 1989. As a measure of creditworthiness, those with higher FICO scores typically have more opportunities to obtain traditional financial products such as loans, mortgages and credit cards. Others struggle to gain access to the credit ecosystem.
But there’s long been a chicken-and-egg conundrum with the score methodology. The three national consumer reporting agencies — Equifax, Experian and TransUnion (collectively “CRAs”) — typically generate their scores by reviewing an individual’s payment history on loans, mortgages and credit cards. But many American consumers do not have sufficient credit to obtain these products in the first place. And without the products, they have difficulty building their relevant payment histories. Approximately 10 percent of U.S. adults experience this “credit invisibility,” according to the Consumer Financial Protection Bureau (“CFPB”).
While many people who live outside the traditional credit ecosystem pay their rent and utility bills in full and on time, these types of non-loan payments typically are not factored into FICO credit scores.
However, proposed federal legislation may one day crack the chicken-and-egg conundrum. The bipartisan Credit Access and Inclusion Act of 2021, currently before both houses of Congress, is intended to encourage landlords, telecommunication companies and utility providers to report full, on-time payments to credit bureaus. Some studies show that the inclusion of this kind of alternative data can significantly raise certain consumers’ credit scores.
A TransUnion study found that when rent payments were included in a credit file, some consumers saw their credit scores rise by nearly 60 points. This material increase could open the doors to financial inclusion for more consumers7.
Introducing additional consumers into the credit ecosystem through alternative data will potentially broaden the customer base for traditional lenders as well as entities such as landlords and telecommunication companies. However, providing data to the reporting agencies comes with certain compliance requirements — and potential scrutiny from regulators — of which participating entities should be aware. For more information, please click here.
Asking Employees About Salary Expectations Could Lead to Discrimination Claims
In recent years, a number of states have passed laws prohibiting prospective employers from asking applicants about their salaries in their current jobs or overall salary history. However, these laws may not restrict employers from asking applicants about their salary needs or expectations for the advertised position. Asking questions such as these during job interviews could raise questions with regard to compliance with federal equal pay laws.
These arguments go as follows: If an applicant requests a pay level less than what the employer was otherwise willing to offer, the company may take advantage of the wage savings. Studies conducted by the Equal Employment Opportunity Commission and other groups have concluded that, statistically, women are less likely to aggressively bargain for higher salaries. Therefore, if salaries are based on applicant expectations, this practice could have a disparate impact on women.
Last week’s EmployNews described a new Microsoft policy that sets starting salaries for all U.S. positions based on published ranges. The use of such salary bands rather than individual negotiations with applicants could help avoid claims that the employer’s hiring practices unintentionally but improperly result in a disparate impact based on gender.