November 7, 2022
Will Virtual, Remote I-9 Verification Post-COVID Become a Reality?
Since March 2020, the USCIS has allowed virtual, remote I-9 verification where all employees are working remotely due to COVID, or when a new employee, post April 1, 2021, is working remotely due to COVID. Many employers as well as immigration attorneys have been clamoring for virtual, remote I-9 verification regardless of remote work. It looks like the Department of Homeland Security (DHS) has heard the pleas for this much-needed modernization of I-9 compliance.
On August 18, 2022, the DHS proposed the possibility of virtual, remote verification even if employees are not working remotely. DHS has requested comments from the general public on this subject. If this proposal is implemented, it could be a major change and improvement in the world of I-9 compliance.
In its request for comment, DHS stated it is looking at several ideas for remote, virtual verification, including a pilot program; one where the DHS secretary authorizes such due to a public health emergency, such as COVID; or as a permanent program. Many employers are in favor of a permanent option, and it might be the one most likely to be implemented as long as employers meet certain criteria. Possible criteria being explored are an employer’s being enrolled in and utilizing E-Verify, attending an online DHS course on detecting fraudulent documentation, and retaining copies of documentation (this last criterion is not required under federal law but is normally considered an option).
Additionally, DHS has discussed employers’ being precluded because of a fine, settlement or conviction related to Form I-9 practices. This criterion appears to be susceptible to many factors, such as what type of violations an employer committed to receive a fine or settlement—e.g., substantive paperwork violations or knowingly hiring undocumented workers? There is a vast difference between these two types of violations, and it could be argued an employer committing substantive paperwork violations should not be precluded from this program.
Also, the amount of the fine could be a consideration. An employer being fined $10,000, for example, might be viewed in a better light than one paying $100,000. Thus, an employer paying a $100,000 fine might be precluded but not the employer paying a $10,000 fine. Another factor to consider is when the settlement or fine occurred. For instance, a recent fine might be considered grounds for exclusion, while one issued in the distant past would not. As usual, the devil will be in the details.
Attorneys and the general public have until October 17, 2022, to file their comments. Afterward, DHS will draft the proposed regulation. Then this regulation will be submitted back to the general public for comment. Given the typical pace of government rulemaking, DHS is not expected to issue a final rule on this matter until late 2023. In the meantime, Littler will keep employers apprised of any significant developments.
I-9 Compliance Flexibility Extended Again, but only for COVID Precautions
I-9 flexibility for remote workers is being extended again – through July 31, 2023 – but, it appears, only for safety precautions due to COVID-19.
The U.S. Immigration and Customs Enforcement and Department of Homeland Security made the announcement last week. The flexibility allows qualifying employees to present virtually their I-9 identity and employment authorization documents. (The normal rule, first amended in March 2020 due to the pandemic, required these documents to be presented to the employer or its agent in person.) Before the announcement this week, the I-9 flexibility was set to expire in two weeks, on October 31.
The extended flexibility applies to employees who are working exclusively and alone in remote settings, whether or not their co-workers work remotely.
The ICE/DHS announcement was somewhat surprising, given that COVID restrictions have loosened so much since 2020. The extension may also be difficult for employers, especially those with large remote workforces. These employers may have already prepared to move to all in-person inspection by October 31, only to learn with two weeks to go that they can continue to perform some inspections remotely until next year.
Remote presentation guidance
As we previously reported, the “remote presentation” policy initially applied only to employees of employers whose workplaces were exclusively remote because of COVID. However, in April 2021, the policy was expanded to employees who were working exclusively and alone in remote settings, even if their co-workers were not.
In a remote presentation situation, the employer must inspect the Section 2 documents of a new hire via video link, fax, email, or other similar method, within three business days of the employee’s first day of employment.
(In the case of non-remote workers, the physical inspection must be performed in person within three business days of the employee’s first day of employment.)
Concerns for employers
It is not entirely clear that the I-9 flexibility applies only when employees are working remotely as a COVID safety precaution. However, that seems to be the case. The ICE/DHS announcement says that the extension is “[d]ue to continued safety precautions related to COVID-19.” The same qualifier appeared in guidance issued by ICE/DHS in March 2021, which said that remote presentation of documents was an option only if the employer or employee was “taking physical proximity precautions due to COVID-19.”
Therefore, it appears that employers should allow remote presentation only where there is a causal connection between COVID safety concerns and the employer’s decision to authorize remote work – for example, if an immunosuppressed employee needs to avoid possible exposure to COVID and has been allowed to work from home as a reasonable accommodation, or if there is a high COVID positivity rate in the area where the employee works.
On the other hand, if the remote work is for the convenience or personal preference of the employee or for business reasons of the employer, it appears that the I-9 flexibility will not apply. In other words, employees working remotely for these reasons should still present their documents in person. Otherwise, the employer risks being cited for I-9 violations and penalties assessed on a per-affected-employee basis.
Options for employers
Employers should consult with their immigration counsel if they have any concerns about the applicability of this I-9 flexibility to their specific circumstances. In addition, an employer could require remote workers to follow the normal in-person document inspection rules but use one of the many available vendors to perform this function as its agent.
Employers Should Continue to Use Current Version of Form I-9 After Oct. 31, 2022
On October 12, 2022, the USCIS announced that employers should continue to use the current Form I-9 after its expiration date of October 31, 2022, until further notice. It is anticipated that the Department of Homeland Security will publish a new one-page Form I-9 in the coming months. Thus, until the new version of the Form I-9 is published and effective, employers should continue to use the current version of the I-9 form.
Proposed Legislation Would Allow Furnishing Utility and Phone Bills to Credit Reporting Agencies
On September 26, Representative French Hill (R-AR) introduced new legislation, H.R. 8985, also known as the Credit Access and Inclusion Act of 2022, to amend the Fair Credit Reporting Act and allow payment information for utility bills and phone payments to be furnished to credit reporting agencies to help consumers raise their credit scores. This is an effort to address an issue highlighted by the CFPB Office of Research that estimated 26 million Americans are “credit invisible,” meaning they do not have a credit history with any of the three national credit reporting agencies.
In a press release, Representative Hill harkened back to his roots to explain the need for the proposed legislation. “As a former community banker, I understand how access to credit can open doors to opportunities like homeownership, yet too many central Arkansans are denied affordable credit opportunities because they don’t have a traditional credit payment history. My bill levels the playing field by allowing for additional data, such as utility and phone payments, to be reported to determine credit worthiness so that millions of hardworking Americans get credit for bills they are already paying.”
H.R. 8985 has been referred to the House Committee on Financial Services for consideration. A companion bill, S.2417, has been introduced in the Senate by Senator Tim Scott (R-SC) and Senator Joe Manchin (D-WV).
The Mortgage Bankers Association indicated its support for the bill, stating: “MBA applauds Representative French Hill for the introduction of the Credit Access and Inclusion Act which would promote the use of rental, utility, and telecommunications data to supplement traditional data provided to consumer reporting agencies. Underserved borrowers often have less experience using traditional financial products, creating barriers to entry for many consumers during the home purchase application process. The responsible utilization of alternative data, such as rental, utility, and telecommunications payment histories, will help safely expand access to credit to underserved borrowers.” The bill is also supported by the U.S. Chamber of Commerce, National Association of REALTORS, and The National Association of Hispanic Real Estate Professionals.
New Hope for EU-US Data Transfer Mechanism Following White House Executive Order
The White House has issued its Executive Order (“EO”) on Enhancing Safeguards for United States Signal Intelligence Activities, which provides additional due process protections to the use of surveillance mechanisms by U.S. intelligence agencies and creates a new 2-layer redress mechanism for affected individuals. The EO is the most significant step toward facilitating data flows between the EU and U.S., following the European Court of Justice’s invalidation of the Privacy Shield in July 2020. The EO clears a path for the consideration of a new Data Privacy Framework (“DPF”) under which certified organizations will be able to export EU personal data to the U.S. The EO is not the final step, however. The Department of Commerce still must release principles to which companies must self-certify–which are likely to be more closely tied to GDPR than the Privacy Shield principles were–and the entire framework must receive an adequacy determination from the European Commission.
Background and Impact
On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its landmark decision in the Schrems II case, which invalidated the Privacy Shield data transfer framework. In its judgment, the CJEU found that the European Commission’s adequacy decision legitimizing Privacy Shield was invalid because it did not sufficiently consider U.S. intelligence agencies’ authority to access EU personal data in the U.S. In particular, the CJEU found that U.S. intelligence agencies’ authority to access personal data in bulk violated EU law because (1) the legal frameworks for surveillance did not limit data collection to that which is strictly necessary, and (2) EU data subjects did not have actionable redress to challenge that data collection. After Schrems II, thousands of organizations no longer could rely on Privacy Shield to transfer EU personal data to the U.S.
The Schrems II decision also noted that EU standard contractual clauses (“SCCs”), another popular transfer mechanism, continue to be valid in principle but that data exporters and importers relying on SCCs are required to perform and document transfer impact assessments (“TIAs”) to confirm that the laws in recipient jurisdictions do not impede operation of the SCCs. In practice, the result of the Schrems II judgment was that the vast majority of organizations transferring EU personal data had to adopt SCCs and document TIAs internally to confirm the laws of recipient jurisdictions did not result in a violation of EU fundamental rights. This requirement has vexed organizations for the past two years, requiring costly assessments of often-opaque national security surveillance laws around the world.
One of the appeals of the new EO is that, to the extent that it results in a determination that U.S. laws are adequate to receive European transfers of data (along with a DPF certification or use of SCCs), TIAs for transfers to the U.S. will become easier, as the risk of unjustifiable data access will be considerably lower. In the interim, because the EO immediately reshapes the powers U.S. intelligence agencies have to access personal data, organizations should consider updating their TIAs to account for the new EO and its additional constraints on U.S. surveillance activities (and particularly once the EO’s redress mechanism is applied to EU data subjects, as described below).
What the EO Does
The EO does not replace existing U.S. surveillance laws. Rather, it adds a layer of protection for individuals by providing additional due process protections to the use of surveillance mechanisms by U.S. intelligence agencies. This includes the creation of a mechanism for individuals residing in certain non-U.S. jurisdictions to seek review of complaints regarding data collection by U.S. intelligence agencies.
Unlike previous legal text related to surveillance authorities (e.g., U.S. Privacy Act, EO 12333, and PPD 28), the EO does not establish different protections for U.S. persons and non-U.S. persons, and instead imposes due process protections on the data collection activities of U.S. surveillance agencies regardless of their targets. Furthermore, while the EO’s redress mechanism is not immediately applicable (i.e., the independent administrative court must first be established and the EU must be designated by the Attorney General as a “qualified state”), the principle-based safeguards it implements have immediate effect.
Below is a summary of the two types of protections arising under the EO: (1) principles-based safeguards and (2) the redress mechanism.
The EO mandates that signals intelligence activities be subject to additional safeguards. These include requiring that such activities be conducted only in pursuit of defined national security objectives and that the activities take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence. The EO further prescribes that such signals intelligence be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority. These protections are intended to approximate protections under EU law, to further make the argument that U.S. authorities are subject to essentially equivalent protections.
Further, signals intelligence activities may only be conducted pursuant to specific objectives defined in the EO, such as understanding or assessing the capabilities, intentions, or activities of a foreign government, a foreign military, a faction of a foreign nation, a foreign-based political organization, or an entity acting on behalf of or controlled by any such entities; protecting against foreign military capabilities and activities; protecting against terrorism; protecting against espionage; and protecting against cybersecurity threats created or exploited by, or malicious cyber activities conducted by or on behalf of, a foreign government, foreign organization, or foreign person.
The EO also notably contains a list of purposes for which signals intelligence collection activities may not occur. These are:
The EO places additional restrictions on the collection of signals intelligence, but stops short of prohibiting bulk collection. Although it notes that “targeted collection shall be prioritized,” it acknowledges that bulk collection may still occur. In order to address concerns over bulk collection, the EO states that “[…] the Intelligence Community shall apply reasonable methods and technical measures in order to limit the data collected to only what is necessary to advance a validated intelligence priority, while minimizing the collection of non-pertinent information” and sets forth a set list of objectives, similar to the list above, for which bulk collection may be permitted.
In addition to the limitations the EO places on signals intelligence activities, the EO requires U.S. intelligence agencies to adhere to certain data-handling principles, including data minimization through the establishment of policies and procedures; limitations on dissemination of personal information, including for non-US residents; limitations on retention of non-US citizens’ personal data to align it with legal requirements for retention of US citizens’ personal data; and requirements for data security and access. Finally, the EO requires the heads of the U.S. intelligence agencies to update their policies and procedures to be consistent with the EO and mandates consultation and review by the Privacy and Civil Liberties Oversight Board (“PCLOB”).
The second key protection added by the EO is a two-layer redress mechanism to ensure that complaints against U.S. intelligence agencies’ activities can be reviewed, including by the intelligence community and an independent review court.
Under the first layer, EU individuals will be able to lodge a complaint with the newly created Civil Liberties Protection Officer (“CLPO”) in the Office of the Director of National Intelligence. The CLPO is required to conduct an independent initial investigation of qualifying complaints (i.e., complaints transmitted by the appropriate public authority concerning U.S. signals intelligence activities) received to determine whether the EO’s enhanced safeguards or other applicable U.S. laws were violated and, if so, to determine the appropriate remediation. The Director of National Intelligence (“Director”) has until December 6, 2022 (i.e., 60 days from the publication of the EO) to design the complaint intake process.
The CLPO is charged with investigating qualifying complaints in a manner that protects classified or otherwise privileged or protected information. For each qualifying complaint the CLPO is required to:
The EO builds in a number of transparency mechanisms to this process. For example, the EO encourages the PCLOB to conduct an annual review of the processing of qualifying complaints, including providing the President, the Attorney General, the Director, the heads of elements of the Intelligence Community, the CLPO, and the congressional intelligence committees with a classified report detailing the results of its review; releasing to the public an unclassified version of the report; and publicly certifying whether the newly established redress mechanism is processing complaints consistent with the EO.
The Order also calls for the Attorney General to promulgate regulations, which have been released, establishing the Data Protection Review Court (“DPRC”), which will review determinations of the CLPO upon an application from an individual complainant or an element of the Intelligence Community. Judges on the DPRC will be appointed from outside the U.S. Government, have relevant experience in the fields of data privacy and national security, review cases independently, and enjoy protections against removal. Special advocates appointed by the DPRC in each case shall advocate on behalf of the complainant’s interest in the matter and inform the DPRC of the issues and relevant law.
In order to implement this redress mechanism (i.e., CLPO and the follow-on DPRC review), the EO authorizes the Attorney General to designate a jurisdiction (i.e., a country or regional economic integration organization) as a qualifying state for purposes of the redress mechanism. A “qualifying state” is one where:
The Attorney General’s office has the power, in consultation with other federal agencies, to revoke or amend a “qualifying state” designation if the criteria above are not met.
The provisions governing both the CLPO and the DPRC enhance existing statutory CLPO functions. Specifically, by establishing that the CLPO’s decision (and the decision of the DPRC if a complaint is reviewed) will be binding on U.S. intelligence agencies and providing protections to ensure the independence of the CLPO’s investigations and determinations, and the DPRC’s review, the EO aims to counter the CJEU’s judgment that U.S. law does not grant EU data subjects actionable redress in the court systems and that they therefore have “no right to an effective remedy.”
Path Forward for a New Data Transfer Mechanism
The EO is a significant advancement following the two-year negotiation between EU and U.S. officials to replace the invalidated Privacy Shield framework and clears the path for an updated data transfer mechanism to be adopted. The European Commission issued a Q/A document, published contemporaneously with the EO’s release, committing to beginning the process of adopting an adequacy determination that would allow organizations certified by the U.S. Department of Commerce under the new DPF to transfer personal data between the EU and U.S. This program replaces the invalidated Privacy Shield, and it is expected to take 6 months for the Commission to issue the required adequacy determination for the DPF. During the EU’s political review process, the European data protection authorities will have a chance to issue their opinion on the new adequacy decision, which would, however, not be binding on the European Commission (see IAPP’s outline of the process).
What to do now?
Organizations transferring personal data to the United States should now consider:
President Biden Announces Pardons and Orders Review of Cannabis Classification
Recently, President Biden announced an executive order to pardon all federal marijuana possession charges. The President also urged governors to do the same at the state level, saying, “Just as no one should be in a federal prison solely due to the possession of marijuana, no one should be in a local jail or state prison for that reason, either.” While President Biden’s pardons signal a step toward overhauling U.S. policy, state convictions based on simple marijuana possession far outnumber those at the federal level. Even so, these pardons by the President affect thousands of individuals currently in federal prison and the sentiments expressed by President Biden could signal future changes in how the United States plans to regulate cannabis.
There is growing acceptance and normalization of cannabis in many parts of the country. Still, the incarceration of individuals for marijuana possession while others are able to do the same thing – and profit handsomely – is leading many to question and criticize prior criminal laws and approaches. Marijuana is now legal or decriminalized in the majority of states, and in every election cycle, more and more states put marijuana legalization on the ballot. In February of 2021, the Biden administration announced that it would pursue cannabis decriminalization as well as expungements for people with prior cannabis convictions.[i] This recent mass pardon is a step closer toward President Biden fulfilling his promise. As of today, 19 states have legalized recreational marijuana use and 38 states have provisions for medical use on the books. Additionally, five states have some form of cannabis legalization on the ballot for this November. Twenty or thirty years ago it would have been hard to imagine that the majority of Americans would support cannabis legalization, but over the past couple of decades, support for cannabis legalization has almost doubled.[ii]
In addition to pardoning all past federal marijuana possession offenses, President Biden has asked the Secretary of Health and Human Services and the Attorney General of the United States to initiate the administrative process to expeditiously review how cannabis is scheduled under federal law. Currently, cannabis is considered a Schedule I drug, the highest level of classification under the Controlled Substances Act passed by Richard Nixon in 1970. Schedule I drugs are considered the most dangerous substances under the Controlled Substances Act.[iii] This means, at the federal level, marijuana is considered as dangerous as heroin, LSD, and ecstasy, and falls in a higher classification than fentanyl, methamphetamine, and cocaine, which are all considered Schedule II drugs. Many have argued that the current classification is antiquated and ignores the therapeutic value of cannabis that is now accepted and recognized in a majority of states. Lowering the classification to a Schedule II or even a Schedule III drug would further expand medicinal usage and at the same time have a vast impact on the criminal justice system.
Reducing the classification of cannabis would allow cannabis companies access to financial institutions that all other businesses have the privilege of using. Currently, federal laws and regulations discourage banks and similar institutions from conducting business with cannabis companies because it is classified as a Schedule I controlled substance. The SAFE Banking Act of 2021[iv] is working to remedy this by generally prohibiting federal bank regulators from penalizing institutions for providing banking services to a legitimate cannabis-related business. Lowering the classification would be an even bigger step to take since the primary reason banks and other financial institutions are reluctant to work with the industry is that cannabis remains classified as a Schedule I controlled substance. Use and possession of cannabis is largely criminal on the federal level. Lowering the classification opens the door to growth in this industry given the potential access to more financial resources.
Similarly, another impact of lowering the classification is the potential for the growth of cannabis companies on publicly traded markets. When President Biden announced the pardon of all simple cannabis convictions on the federal level, cannabis stock prices briefly shot up. While they did level off and eventually returned to prior levels, the President’s announcement opens the door further to cannabis legalization at the federal level down the line and to the possibility of being publicly traded on domestic exchange markets. This could lead to growth and more stability in the industry.
Reclassifying cannabis to a Schedule III drug could also reduce the tax burden for cannabis companies. Presently, cannabis companies are subject to 26 U.S. Code § 280E, “Expenditures in connection with the illegal sale of drugs.”[v] Section 280E of the Internal Revenue Code does not allow for tax deductions or credits for businesses that engage in “trafficking” Schedule I or II controlled substances, as defined by the Controlled Substances Act. These businesses include dispensaries. If cannabis is reduced to a Schedule III or lower drug, this could open up a new world of tax benefits for cannabis companies.
Finally, perhaps the biggest potential impact of lowering the classification of cannabis is being just one step closer to cannabis being legalized on the federal level. More and more states have legalized cannabis to some extent, and there have been bills introduced at the federal level to accomplish the same. While it might be a ways off, the growing momentum for cannabis to be legal throughout the country cannot be ignored. The majority of Americans support the legalization of cannabis for recreational or medical use according to a 2021 Pew Research Center Poll,[vi] and those surveyed hope that state and federal policies will be reconciled.
Employers Must Post EEOC’s New ‘Know Your Rights’ Poster
Employers with at least 15 employees are required to post the Equal Employment Opportunity Commission’s new mandatory “Know Your Rights” poster, which updates and replaces the previous “EEO is the Law” poster. The new poster must be placed in a conspicuous location in the workplace and the EEOC encourages employers with remote workers to post it electronically.
In its announcement, the EEOC highlighted the following changes in the poster:
For employers who do not have a physical location, or employers with employees who telework or work remotely and do not visit the physical workplace on a regular basis, the electronic posting can replace the physical posting requirement. The EEOC has acknowledged that in such cases, the electronic posting may be the only posting reasonably available to those individuals. However, if an employer has a physical location, electronic posting alone will not satisfy the physical posting requirement.
You can find a copy of the poster in English and Spanish on the EEOC’s website, which notes that translations in other languages will be forthcoming. Failure to comply with such posting requirements can lead to civil money penalties of $569 per violation. Given that many businesses closed their physical office space and other businesses implemented flexible remote work policies, every employer should take this opportunity to review all their federal, state, and local posting requirements.
CFPB Issues Opinion On “Clearly False” Consumer Report Data
The CFPB issued an Advisory Opinion and accompanying press release clarifying the agency’s position that the Fair Credit Reporting Act requires consumer reporting agencies to implement reasonable internal controls to prevent the inclusion of clearly false data in consumer reports, particularly logically inconsistent or impossible information.
Specifically, the Advisory Opinion explains that consumer reporting agencies are uniquely positioned to identify obvious inaccuracies and implement policies and procedures to eliminate them. Examples include conflicting or inconsistent information, such as an account with a status of paid in full but that still reflects a balance due, or an original loan amount that increases over time, which is logically impossible.
The Advisory Opinion also examined other examples of clearly false data—such as a Date of First Delinquency more recent than the start of a delinquency—and emphasized the heightened risk of incorrect information to minors, particularly those in the foster care system.
Colorado: AG Releases Draft CPA Rules
The Colorado Attorney General (‘AG’) published, on 30 September 2022, its draft rules implementing the Colorado Privacy Act (‘CPA’). In particular, the rules would expand privacy requirements under the CPA and address topics such as consumer requests, data protection assessments, profiling, and the universal opt-out mechanism.
Furthermore, the current version of the draft rules:
You can read the draft rules here.
Reusable Rental Screenings Could Save You Money, But Will Landlords Accept Them?
This new law could face the exact same challenge. It takes effect in January and gives renters a third-party option for reusable screening reports. That report could be used as many times as needed over 30 days, which could save families hundreds of dollars.
The report would include:
You won’t be able to tamper with the report’s contents but you can dispute any errors. These reports are voluntary for a complex to accept.
“Conceptually this is not a bad idea,” said Lucinda Lilley with the Southern California Rental Housing Association. “Renters are having a very difficult time finding housing.”
The SCRHA opposed the new law, and said they fought for changes and to make it voluntary. They say many landlords may not accept the reports.
“The problem with the bill is that it doesn’t provide the framework that’s necessary,” said Lilley. “We’d love to process rental applications more quickly.”
Lilley says the reports need to include a credit report and a criminal background check, and must explain how someone’s employment was verified.
Maryland and Washington have already passed laws for reusable rental screenings. Each of those screenings includes a credit report and criminal history.
The New Jersey Cannabis Regulatory Commission Issues Much-Needed Interim Guidance on Managing Employees Working While Under the Influence of Cannabis Products
The enactment of the New Jersey Cannabis Regulatory Enforcement, Assistance, and Marketplace Modernization Act (CREAMMA), signed into law in February 2021, legalized the recreational use of marijuana for adults ages 21 and older in New Jersey. However, the right to marijuana use is not unfettered, and an employer’s right to maintain a drug-free workplace is often easier said than done where cannabis is concerned.
Under CREAMMA, an employer cannot discharge or take any other adverse action against an employee because the employee uses cannabis items outside of the workplace. An employer may, however, require an employee to undergo a drug test:
In this regard, CREAMMA directs the Cannabis Regulatory Commission (CRC), the entity tasked with crafting and enforcing rules and regulations governing the sale and use of cannabis in New Jersey, to prescribe regulations for issuing a Workplace Impairment Recognition Expert (WIRE) certification to full- or part-time employees or others contracted to provide services on behalf of an employer. Through education and training, a WIRE becomes certified in detecting and identifying an employee’s use of or impairment from a cannabis item or other intoxicating substance. CREAMMA also provides for a physical evaluation of an employee by an individual with the necessary certification.
The CRC has yet to promulgate regulations for the WIRE certification. However, it recently issued a temporary Guidance on “Workplace Impairment” to assist employers grappling with striking a balance between their right to a drug-free and safe workplace and their employees’ right not to be discriminated against for cannabis use outside of work. Below is a summary of the Guidance, which the CRC has stated should be consulted by employers until the agency implements its final WIRE certification regulations.
To start, the Guidance notes that cannabis remains in an individual’s bloodstream well after it is initially ingested, and there is, at present, no reliable test for detecting current use. Accordingly, as a “best practice,” employers have been establishing “evidence-based protocols” for documenting signs of impairment in employees to determine “reasonable suspicion” and then using a drug test to determine whether an employee has recently used a cannabis product.
The Guidance also recognizes that while CREAMMA provides that a WIRE expert may be certified and assist an employer with detecting “physical and behavioral” signs of impairment in an employee, CREAMMA does not prevent an employer from continuing the use of established protocols to develop reasonable suspicion and then use that documentation, along with other evidence, such as a drug test, to determine that an individual violated the employer’s drug-free workplace policy.
Importantly, the Guidance makes clear that an employer violates CREAMMA if it takes any adverse action against an employee solely based on drug test results, which show the presence of a cannabis product. There is, however, no violation if an employer requires an employee to undergo a drug test upon “reasonable suspicion” of cannabis use while performing their work duties, or upon observable signs of impairment based on cannabis use, or following an investigation into a work-related accident. Accordingly, evidence-based documentation that shows an employee’s “physical” or other signs of impairment during work hours, taken together with a positive drug test showing use of a cannabis product, may be sufficient to justify an adverse employment action.
To aid in this analysis, employers may, but are not required to, utilize the “Reasonable Suspicion Observed Behavior Report” form, which the CRC has attached to the Guidance.
Regardless of whether employers use this form or their own form, the Guidance encourages them to implement a standard operating procedure for when they suspect that an employee is impaired. It also recommends that employers retain or designate an interim staff member or third-party contractor trained in identifying signs of impairment to assist in the process.
Finally, it is hoped that when issued, the CRC regulations for WIRE certification will provide much-needed clarity as to “reasonable suspicion.” In the interim, employers should follow the recent Guidance.
California Consumer Privacy Act: Employee and B2B Exemptions Expire January 1, 2023
The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, further complicating the privacy regulatory landscape for businesses in California. California employers must prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA.
California is currently on track to be the first state to provide expansive privacy rights to employees. In addition, new privacy rights will apply to personal information collected in the context of a business “providing or receiving a product or service to or from” another business.
Two bills had been introduced in the California Legislature that would have extended or made permanent the employee and B2B exemptions, but neither bill had been enacted when the legislature’s session expired on August 31, 2022. Given that the legislature will not reconvene until January 1, 2023, it is now unlikely that the employee and B2B exemptions will be extended before the January 1 compliance date.
The CCPA currently imposes limited obligations on employers with respect to employee data if they qualify as “businesses” subject to the law. The CCPA applies to the personal information of “consumers,” but defines that term so broadly that it would include employees, job applicants, officers, directors, and independent contractors. California employers are currently required to provide those categories of consumers with a privacy notice that explains the type of employee data that is collected and the purposes of that collection.
New Employee Privacy Rights
Employers must update the CCPA privacy notice provided to California employees to describe and explain how employees can submit requests under the following new privacy rights, effective January 1.
Right to Know
Under the CPRA, employees will have the right to know about the personal information that the business collects about them. Most California employers should have in place certain processes consistent with the right to know, but the interaction between the CPRA and existing California laws will need to be assessed. For example, under the California Labor Code, employees are already entitled to know certain information that an employer has collected, such as payroll records (Cal. Labor Code § 226), signed documents (Labor Code § 432), and personnel files (Labor Code § 1198.5).
The CPRA would appear to give employees the right to know about other categories of personal information that are not subject to those Labor Code provisions, such as geolocation, biometrics, and internet activity. The CPRA will also require response timelines that differ from the Labor Code provisions (10 business days to confirm the receipt of the request and 45 calendar days to respond).
Right to Delete
The CPRA grants employees the right to delete personal information collected from them, subject to exceptions. For example, the CPRA provides an exception to the deletion right “to comply with a legal obligation.” Employers will need to assess federal, state, and local retention requirements when responding to a CPRA deletion request, including, but not limited to, the Americans with Disabilities Act, Family Medical Leave Act, Age Discrimination in Employment Act, and Fair Labor Standards Act.
Right to Opt Out of Sale or Sharing
The CPRA grants employees the right to opt out of an employer’s sale or sharing of their personal information. While most employers do not “sell” employee data as that term is typically understood, the CPRA’s definition of “sale” is very broad and would include disclosing employee personal information to a vendor, such as a payroll company, without entering into a CPRA service provider agreement with the vendor. “Sharing” is defined to mean sharing with a third party for cross-context behavioral advertising.
Right to Opt Out of Automated Decision-Making Technology
The CPRA provides consumers, including employees, with the right to opt out of a business’s use of “automated decision-making technology,” which includes profiling employees based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”
This right has yet to be defined by the California Privacy Protection Agency (the Agency), which is charged with adopting related regulations.
Right to Correct Inaccurate Personal Information
The CPRA creates a new right to correct personal information that is inaccurate, which would extend to employees. An employer must use “commercially reasonable efforts” to correct inaccurate personal information upon the employee’s request, but this right has yet to be clarified in regulations to be issued by the Agency.
Right to Limit Use and Disclosure of Sensitive Personal Information
The CPRA also grants employees a new right to limit use and disclosure of “sensitive personal information,” which is defined to include (1) precise geolocation data, (2) racial or ethnic origin, (3) union membership, (4) the contents of certain employee email and text messages, and (5) biometric information.
However, this right only applies to use of sensitive personal information other than what would be “reasonably expected by an average” consumer/employee. Collection of sensitive personal information by an employer, such as racial or ethnic origin, for diversity and inclusion purposes may therefore be permitted under an exception.
How Employers Can Prepare for January 1
In addition to updating the CCPA employee privacy notice to grant the new rights listed above, employers should take the following steps to prepare for the January 1, 2023, CPRA compliance date.
Conduct Updated Data Inventory
An employer should review the employee and applicant personal information that it collects in order to ensure that its privacy notice properly describes the categories of personal information collected, used, and disclosed by the employer and to identify “sensitive personal information” subject to the new CPRA right. An inventory is also an important tool to make sure that the employer properly responds to right to know, right to delete, and other CPRA rights requests.
Enter Into Data Processing Agreements With Service Providers
Employers that share employee personal information with service providers must enter into data processing agreements that include certain required terms. Not only are such provisions required, but without an executed service provider agreement, routine disclosures to vendors may be deemed “sales” triggering opt-out rights.
Understand New Employee Rights and Exceptions
An employer should, prior to receiving its first employee privacy request after January 1, 2023, examine its interpretation of the various business exceptions to the rights, some of which are touched on above, and determine how it will respond to requests based on those interpretations.
Review Existing Employee Privacy Practices
Employers should reexamine existing employee policies and procedures in light of the CPRA. For example, employee monitoring programs should be revisited to consider whether they satisfy the CPRA’s standard that collection, use, retention, and sharing of a consumer’s personal information “must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”
Don’t Forget About B2B Information
While there is more focus on the expiration of the employee exemption, a similar exemption for B2B personal information is also expiring, effective January 1, 2023. As a general matter, personal information that a business collects about business contacts will be subject to the same CPRA privacy rights and obligations summarized above with respect to employee personal information.
Employers can take a bit of comfort from the fact that new CPRA requirements, such as those applicable to sensitive personal information, will not be enforced until July 1, 2023. Nevertheless, employers should prepare for CPRA compliance now, and closely monitor the progress of the CPRA regulations that the Agency is currently developing.
How to Comply with Utah Privacy Law?
Businesses that have implemented measures to comply with the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA), can leverage those existing mechanisms to satisfy requirements under the Utah Consumer Privacy Act (UCPA), which will become operative on 31 December 2023.
Most companies will not need to expand the scope of their CCPA-focused privacy notices to cover Utah residents exactly as California residents because the UCPA is more narrowly framed than the CCPA. To determine what works best for your company, consider the following concerning the UCPA.
Who and what data are protected?
The UCPA protects “consumers”, which is defined as Utah residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection. Protected information under the UCPA includes information that is linked or reasonably linkable to an identified or identifiable individual.
Who must comply?
Unless an exemption applies, the UCPA applies to “controllers” and “processors” that (i) either do business in Utah or produce a product or service targeted to Utah residents; (ii) have an annual revenue of at least USD 25 million; and (iii) satisfy one or more of the following two thresholds: (a) control or process the personal data of 100,000 or more Utah residents annually, or (b) derive over 50% of the entity’s gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Utah residents.
“Controller” is analogous to a “business” under the CCPA and is defined as a person doing business in Utah who determines the purposes for which and the means by which personal data are processed, regardless of whether the person makes the determination alone or with others. “Processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a “processor” under the UCPA, a company has to process personal data on behalf of a controller and as instructed pursuant to a contract containing certain prescribed terms, whereas, under the CCPA, a company must both enter into and adhere to a contract with certain terms and only process personal information for certain business purposes as defined by the CCPA.
Privacy Notices. Controllers shall provide privacy notices that include: (i) categories of personal data; (ii) processing purposes; (iii) how to exercise data subject rights; (iv) categories of personal data shared with third parties; and (v) the categories of such third parties.
Controllers that “sell” personal data for monetary consideration or engage in targeted advertising must also clearly disclose how consumers can exercise their right to opt-out of such activities and stop the sale or processing when requested. The UCPA defines a “sale” of personal data as “the exchange of personal data for monetary consideration by a controller to a third party”. In other words, a sale seems to require money to be exchanged, although it is possible that monetary consideration could be found in reduced pricing models. This definition of sale is narrower than that under the CCPA, under which the disclosure of personal information for non-monetary consideration can be considered a sale.
Given the UCPA defines “selling” only as exchanging personal data specifically for monetary consideration, far fewer companies should be affected by the right to opt-out under the UCPA than by that under the CCPA. First, any contract not involving payments is excluded from the UCPA. Second, even contracts involving payments are arguably not covered by the UCPA’s definition of “sale” if the payment is intended for a service and the data sharing is coincidental, given the definitional focus on monetary consideration for personal data under the UCPA. This may leave only arrangements whereby controllers are paid specifically for the personal data of Utah residents. “Engaging in targeted advertising” is broader than “sharing for cross-context behavioral advertising” under the CCPA, but UCPA provides certain exemptions to its definition of targeted advertising, such as advertising based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application.
Notably, the UCPA’s definition of a “sale” contains a unique exemption that allows a controller to disclose personal data to a third party — without such disclosure being a “sale” — if the purpose is consistent with the consumer’s “reasonable expectations”, considering the context in which the consumer provided the personal data.
Controllers that provide typical core website disclosures would satisfy the disclosure obligations under the UCPA for online personal data collection practices but would need to supplement with disclosures for Utah residents for offline practices as applicable if they don’t already have that in place (e.g., at brick and mortar stores).
Technical and Organizational Measures and Data Processing Agreements. Controllers shall establish, implement, and maintain reasonable administrative, technical and physical data security practices. Further, before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other state privacy laws, including controller to processor instructions, confidentiality commitments, and requirement to impose terms onwards to any sub-processors.
Data processors must adhere to controllers’ instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the UCPA. A processor that adheres to a controller’s instructions with respect to specific processing of personal data remains a processor under the UCPA with respect to such processing.
Data Subject Rights. Data controllers must offer and operationalize access, deletion, portability, and as applicable opt-outs from the sale of personal data, targeted advertising, or the processing of sensitive data. Notably, like the CCPA but unlike the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring Act and the Virginia Consumer Data Protection Act, the right to deletion of personal data under the UCPA only extends to personal data that the consumer provided to the controller. Controllers must authenticate requests and take action within 45 days of receipt, with a 45-day extension if reasonably necessary. Parents or legal guardians shall exercise the rights of children younger than 13 on their behalf.
Controllers may not discriminate against those exercising UCPA rights, except controllers are not prohibited from offering a different price, rate, level, quality, or selection of a good or service if (i) the consumer has opted out of targeted advertising; or (ii) the offer is related to voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program. Controllers are also not required to provide a product, service, or functionality if the personal data is necessary to provide it and the data is either (i) not provided by the Utah resident; or (ii) not permitted by the Utah resident to be processed by the controller.
Controllers should be able to comply with the UCPA by expanding the scope of their compliance mechanisms designed to address the CCPA to cover consumers in Utah.
Sensitive Data. The UCPA defines “sensitive data” to mean certain prescribed categories of data, including personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, medical information, and other categories.
Controllers may not process sensitive data collected from a consumer without providing clear notice and giving an opportunity to opt out of the processing of sensitive data. In cases of processing sensitive data about a known child younger than 13, processing is required to be done in accordance with the US federal Children’s Online Privacy Protection Act (COPPA). Given verifiable parental opt-in consent is generally required under COPPA, this could potentially mean parental opt-in consent would be required for processing sensitive data about a child under 13. This is different from COPPA, which only requires parental opt-in consent before collecting personal information from a child.
Sanctions and remedies
The UCPA does not provide a private right of action and grants the Utah Attorney General exclusive enforcement authority. The enforcement mechanism in Utah is a two-step process. First, the Utah Division of Consumer Protection (UDCP) will investigate a complaint and determine if there is reasonable cause to believe substantial evidence exists that a person identified in a consumer complaint is in violation of the UCPA. The complaint will only be referred to the Utah Attorney General’s office if the UDCP makes such a determination.
The Utah Attorney General must provide written notice of alleged violation and a 30-day opportunity to cure. Any uncured violations are subject to civil penalties of up to USD 7,500 per violation.
Personal Data Privacy Act Introduced in Michigan: Consent Required for Processing Personal Data
On Sept. 27, Michigan Sen. Rosemary Bayer and eight fellow Democrat cosponsors introduced Senate Bill 1182, which would create the Michigan Personal Data Privacy Act. The Michigan Legislature remains in session through the end of the year.
The Act would apply to a person to which both of the following apply:
The Act would afford consumers the right to:
OPT IN REQUIRED FOR PROCESSING ALL PERSONAL DATA
As noted above, the Act would give consumers the right to opt out of the processing of personal data if the processing is for certain purposes. Interestingly, however, Section 7(1)(a) states: “A controller shall do all of the following . . . Not process personal data or sensitive personal data concerning a consumer without obtaining the consumer’s consent.” The legislation provides no guidance on the process to obtain consent, nor does it make any other reference to opt in being the default for processing all personal data.
Among other things, the Act would not apply to:
DATA PROTECTION IMPACT ASSESSMENT
The Act would require a controller to perform a “data protection impact assessment” if personal data or sensitive personal data is processed for certain purposes. “Sensitive personal data” includes, among many other things, a social security number, driver’s license number and other forms of identification. The assessment must be made available to the Attorney General upon request but would be confidential and exempt from public inspection.
In the event of a violation, the Attorney General could seek a fine of not more than $7,500 for each violation if the violation is not cured within 30 days of notice. If the violation involves the failure of a data broker to properly register with the Attorney General, the fine could be $100 per day.
The legislation includes a private right of action for actual damages, injunctive relief, and any other relief a court deems appropriate.
This legislation is similar to the privacy laws passed in California, Virginia, Colorado, Utah, and Connecticut. However, if the Section 7(1)(a) opt-in mandate for the processing of all personal data is intentional (as opposed to requiring opt in only for
Are Background Checks Worth It Anymore?
Following a trend in California regarding increased leniency for those with conviction records, and ensuring that formerly incarcerated people are not unduly burdened by their past, Governor Newsom recently signed SB-731 into law. SB-731 effectively seals the records of many felony convictions if: (a) the conviction occurred on or after January 1, 2005; (b) the individual has completed all terms of incarceration, probation, mandatory supervision, post-release community supervision, and parole; and (c) the individual is not convicted of a new felony for four years.
Since January 1, 2018, the California Fair Chance Act barred employers from asking candidates about their conviction history on a job application, or running a conviction background check until after they offered the candidate a job (see our blog post on the Fair Chance Act, here).
Now, the inquiry into criminal records will be further limited effective July 1, 2023, as formerly incarcerated individuals’ records will be automatically sealed. This will undoubtedly lower the impact of criminal records on employment decisions.
Notably, SB-731 does not apply to all felony convictions. It does not apply to registered sex offenders or individuals convicted of violent or serious felonies. It further does not affect the ability to receive, or take adverse action based on, criminal history information for purposes of teacher credentialing or employment in public education.
Many employers routinely conduct background checks on applicants. However, with SB-731 signed into law, it may not be worth it to continue to do so. Those background checks will yield less information, and the Fair Chance Act already limits what information you can use if there is a conviction. Practically speaking, for many employers (such as retail, hospitality, manufacturing, and professional services), your efforts may be better spent having a responsible person at your company (preferably someone in Human Resources) conduct a simple search of publicly available information on social media. A social media search is completely legal, as long as you do it consistently, and as long as you do not rely on any information about protected categories to make unlawful decisions. For example, you cannot screen out applicants based on age, disability, or sexual orientation. Despite the risk of learning about protected categories, social media searches may provide you with more insight into a potential candidate than any background check. But please, do not be “sneaky,” and trick anyone into friending you to see information that is not publicly available.
California Joins Growing List of States to Protect Employees’ Off-Duty Use of Marijuana
Starting January 1, 2024, employers in California will be prohibited from interfering with their employees’ off-duty use of marijuana. On September 18, 2022, Governor Gavin Newsom signed into law Assembly Bill 2188 (AB 2188), which amends California’s Fair Employment and Housing Act (FEHA) to add protections for employees by prohibiting employers from refusing to hire, firing, or otherwise taking an adverse action against an employee based on the employee’s “use of cannabis off the job and away from the workplace.” Although medicinal marijuana has been legal in California since 1996, and recreational marijuana legal since 2016, the FEHA did not previously provide workplace protections for employees’ permissive use of marijuana.
AB 2188 also amends the FEHA to prohibit discrimination in hiring or any term or condition of employment based on employer-required drug screening tests that detect “nonpsychoactive cannabis metabolites” in the employee’s “hair, blood, urine, or other bodily fluids.” The California legislature stated that because most marijuana tests can only detect whether cannabis metabolites are present, and have “no correlation to impairment on the job,” employers will need to instead rely on alternative tests to determine whether an employee is under the influence at work. These alternative tests can include “impairment tests” that “measure an individual employee against their own baseline performance,” or tests that “identify the presence of THC in an individual’s bodily fluids.”
Although the law does not specify what constitutes an “impairment test,” it is possible the legislature was referencing tests that measure an individual’s motor functions, the visual effects of being high, and/or obvious cognitive impairments such as impaired gait or mobility, glassy eyes, changes in speech, and/or reasoning ability. However, at this time, there is no universal definition, legally or medically, of what constitutes “impairment.” Employers wishing to utilize impairment tests should develop a protocol that identifies the signs of impairment that will be assessed and that includes training supervisors on recognizing and documenting signs of impairment.
It is also not immediately clear upon which bodily fluid tests employers can rely given that THC can remain detectable in a person’s system weeks after use and such tests might not be able to provide objective data as to whether an employee is impaired at a specific time. The intent of AB 2188 is to protect an employee’s off-duty use, so if an employee partakes on a Saturday and fails a drug test on a Wednesday, but is not impaired on Wednesday, taking action against that employee would be discriminatory and unlawful. Employers that rely on physical drug tests should consider incorporating impairment tests into their drug testing procedures. A two-fold approach may better protect an employer from liability under AB 2188. Employers should also confirm with their drug testing providers that the provider tests for the presence of THC and not nonpsychoactive cannabis metabolites.
Importantly, AB 2188 does allow employers to prohibit marijuana use on the job and/or at the worksite and specifically states that there is a “consensus” that employees “should not arrive at a worksite high or impaired.” Employers would also still be permitted to maintain drug-free workplaces and prohibit the possession of marijuana at the workplace. The bill exempts employees “in the building and construction trades,” and positions which require federal drug tests and/or background tests.
With the amendments to the FEHA, California joins a growing list of states that have enacted employee protections for the recreational use of marijuana including Connecticut, Illinois, Montana, New Jersey, New York, and Rhode Island.
Retailer Sued for Allegedly Using Sex Offender Site for Background Checks
An American online retailer and its background screening provider are facing a proposed class action lawsuit claiming alleged illegal use of a California sex offender website to conduct background checks on job applicants in violation of the federal Fair Credit Reporting Act (FCRA) and state law, according to a report from Reuters.
Reuters reports the Plaintiff – a former prospective employee – filed a complaint in Los Angeles federal court in September 2022 claiming the retailer and its background check provider violated state and federal laws by using the state Megan’s Law website and considering older sex offense convictions when screening applicants.
Reuters reports the Plaintiff claims in the lawsuit that he was offered a job by the retailer in March 2022 but the offer was withdrawn after the background screening provider reported he was convicted of felony sex offenses in 2013 and served around five years in prison, information found on the Megan’s Law website.
Reuters reports that Megan’s Law prohibits employers from denying jobs to applicants because their names appear on the website unless they do so “to protect a person at risk” while another California law prohibits background screening providers from providing employers with criminal records of more than seven years old.
Reuters reports the lawsuit claims the retailer violated Megan’s Law and that the background screening provider violated California’s seven-year bar for criminal background checks and the FCRA by furnishing the retailer with unlawful reports. The class action lawsuit seeks to represent statewide classes on all three claims.
The FCRA, 15 U.S.C. § 1681, was enacted by Congress in 1970 to promote the accuracy, fairness, and privacy of consumer information contained in the files of CRAs, and to protect consumers from the willful and/or negligent inclusion of inaccurate information in their consumer reports, including credit reports.
Employment Screening Resources (ESR) is a service offering of ClearStar, a leading Human Resources technology company that specializes in background checks, drug testing, and occupational health screening. ClearStar offers background checks for employers that comply with the FCRA and state laws. To learn more, contact ClearStar.
Nevada High Court Rules Recreational Marijuana is Not Lawful “Off-Duty Conduct”
Nevada employees who consume cannabis off-the-job for non-medical purposes can be fired by their employers for failing a drug test, according to a recent ruling by the Nevada Supreme Court.
Summary of the Decision
The Nevada Supreme Court recently handed employers a win when it upheld the dismissal of a lawsuit brought by an employee who claimed that his termination for testing positive for recreational cannabis violated the state’s lawful off-duty product law. (Ceballos v. NP Palace, LLC d/b/a Palace Station Hotel & Casino, 138 Nev. Adv. Op. 58 (Nev. 2022)).
The plaintiff worked as a table games dealer at a casino for more than a year without performance or disciplinary issues. After he slipped and fell in the employee breakroom, the employer required him to submit to a drug test. The test came back positive for cannabis. The positive test result led to the plaintiff’s termination.
The plaintiff sued, claiming that the employer had violated Nevada’s “Off-Duty Conduct” law, which prohibits employers from taking action against employees who engage in “the lawful use in this state of any product outside the premises of the employer during the employee’s nonworking hours.” NRS 613.333. Because the state decriminalized recreational cannabis in 2017, the plaintiff argued that his employer could not terminate him for his off-duty use of the drug. The district court dismissed his complaint in its entirety, on the grounds that, because the drug continues to be illegal under federal law, its use is not “lawful . . . in this state.”
The Supreme Court, in upholding the dismissal, rejected the plaintiff’s interpretation of the statute, concluding that by using the phrase “in this state,” rather than “under state law,” the legislature intended for the law to require that the product be legal under both state and federal law. The Court also rejected the plaintiff’s tortious discharge claim because it did not involve one of the “rare and exceptional cases” where Nevada courts have recognized such a claim. The Court emphasized that the state’s decision to decriminalize cannabis in 2017 expressly preserved employers’ rights to enforce workplace policies prohibiting or restricting employees’ recreational cannabis use. The Court reasoned that, if the legislature had wanted all use of marijuana by off-duty employees to be protected, it wouldn’t have included this carve-out.
The Court’s holding in Ceballos means that Nevada’s “lawful off-duty conduct” statute does not protect employees’ off-duty recreational marijuana use, at least for now. However, the holding and result would be called into question if marijuana becomes legal under federal law.
Data breach class actions: District of Massachusetts dismisses complaint for failure to allege injury-in-fact
We have written a number of articles about standing issues arising in data breach class actions. See, e.g., Data breach class actions: Third Circuit sets out parameters for Article III injury-in-fact (Oct. 27, 2022). The District of Massachusetts recently added to this line of cases in Webb v. Injured Workers Pharmacy, Inc., No. 22-10797-RGS, 2022 WL 10483751 (D. Mass. Oct. 17, 2022), where the district court dismissed a putative class action for failure to allege an Article III injury-in-fact.
In Webb, Injured Workers Pharmacy, Inc. (“IWP”), a pharmaceutical home delivery service, discovered in May 2021 that it had been hacked months earlier in a data breach that compromised the personally identifiable information (“PII”) of more than 75,000 of its customers, including social security numbers. The compromised PII included data belonging to current IWP customer Alexsis Webb and former IWP customer Marsclette Charley.
Webb and Charley filed a putative class action against IWP in the District of Massachusetts for injuries allegedly caused by the breach. They alleged claims for negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty, further alleging that they suffered “anxiety, sleep disruption, stress, and fear” and were forced to spend “considerable time and effort” monitoring their financial accounts. 2022 WL 10483751, at *1. Webb also alleged that she spent “hours” dealing with the Internal Revenue Service about a 2021 income tax return that an unauthorized individual had filed in her name. Id. In terms of monetary damages, they alleged actual injury in the form of “damages to and diminution in the value of [their] PII,” which they estimated was worth at least $1,000 on the “Dark Web.” Id.
IWP moved to dismiss their complaint for lack of standing under Federal Rule 12(b)(1) and for failure to state a claim under Federal Rule 12(b)(6). Applying the rule that a 12(b)(1) motion should be resolved before a 12(b)(6), the district court determined that plaintiffs did not allege any “concrete and particularized injuries that are actual or imminent” and dismissed the complaint. 2022 WL 10483751, at *1-2.
Citing the U.S. Supreme Court’s decision in TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2211 (2021), the court observed that “[i]n a suit for damages, the mere risk of future harm, without more, cannot establish Article III standing.” 2022 WL 10483751, at *2. And, quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013), the court noted that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on . . . hypothetical future harm.” 2022 WL 10483751, at *2.
Reviewing the allegations of the complaint, the court ruled that it did not allege any identifiable harm, in that there was no allegation of monetary loss, data misuse, or that someone stole the PII. Regarding Webb’s tax return, there was no plausible allegation connecting the breach to that return, “only conjecture that a connection may exist.” Id. at *2 n.4. Regarding the allegations going to the value of their PII, the district court said it was not clear how the alleged diminution in the PII’s “black market value” inflicted an injury on plaintiffs. Id. at *2 n.5. The court ruled there was no alleged injury-in-fact, concluding: “Plaintiffs’ alleged injuries rest entirely on the future possibility that an unauthorized third party will, at some undetermined time, misuse their PII.”
EU-US Data Privacy Framework
On October 7, 2022, the Biden Administration issued a long-awaited Executive Order focused on privacy and national security interests, in conjunction with the collection of data and information created outside the United States. The Executive Order can be found on the White House website.
Back in 2020, the European Union’s (EU) highest court struck down the Privacy Shield regulatory process, which was developed after the longstanding “Safe Harbor” method. The Safe Harbor method was struck down by the Court of Justice of the European Union (CJEU) in late 2015, in the aftermath of disclosures in 2013 by Edward Snowden regarding the National Security Agency’s (NSA) surveillance programs and related data collections.
Since 2020, there has been no risk-free way to carry out data transfers between EU and US businesses, although there have also been no fines imposed on US businesses that were grounded solely in the absence of a privacy shield or safe harbor. The EU has strongly implied that if a US business is otherwise compliant with the GDPR, the data collection processes of the US government will not be the sole grounds for finding that a US business is violating EU privacy laws.
US-based businesses, and the US government, hope that the EU, having announced that it will review the recent Executive Order and create a draft adequacy decision, will as a result commence an adoption process regarding the principles set forth in the Executive Order.
While the Executive Order doesn’t include extensive mandates or regulations on US-based businesses, it does include language that regulates government intelligence agencies’ data collection activities “only in pursuit of defined national security objectives” by “tak[ing] into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence,” and by being “conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority”.
UK-US Data Access Agreement Enters Into Force
The U.S. Department of Justice (‘DoJ’) announced, on 3 October 2022, that the Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime entered into force on the same day. In particular, the DoJ outlined that the agreement, as authorised by the Clarifying Lawful Overseas Use of Data Act of 2018 (‘the CLOUD Act’), is the first of its kind, and will allow investigators from either country to gain access to data relating to serious crimes in a way which respects privacy and civil liberties.
Moreover, the DoJ highlighted that, under the agreement, service providers in one country may respond to qualifying, lawful orders for electronic data issued by service providers in the other country, notwithstanding any legal restrictions. Furthermore, the DoJ added that this will allow for more timely and efficient access to electronic data and will greatly enhance the ability of the US and the UK to tackle serious crime. Additionally, the DoJ noted requirements that must be met by US or UK authorities to invoke the agreement, namely that authorities from either country must not target individuals located in the other country and that this must relate to a serious crime, among other requirements, limitations, and conditions. You can read the announcement here.
UK: DCMS Announces Plans to Replace GDPR While Retaining Data Adequacy
The Conservative Party published, on 3 October 2022, the speech of Michelle Donelan, Secretary of State for Digital, Culture, Media & Sport, at the 2022 Conservative Party Conference. In particular, on behalf of the Department for Digital, Culture, Media & Sport (‘DCMS’), Donelan outlined plans to create more wealth and prosperity through the tech, digital, cyber, creative, cultural, and arts sectors.
On the topic of data, Donelan announced that the DCMS will be replacing the system based on the EU’s General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) with a data protection system that will protect consumer privacy, while also retaining data adequacy, which would allow businesses to trade freely. In place of the GDPR, Donelan noted that the DCMS will co-design the new system with businesses and consider those countries that achieve adequacy without having the GDPR, such as Israel, Japan, South Korea, Canada, and New Zealand.
According to Donelan, the new data protection plan will focus on growth and common sense, in addition to helping to prevent losses from cyber attacks and reducing regulations and elements that may stifle business. As such, Donelan highlighted that these plans would not create another wave of legislation on businesses, but rather simplify complicated legislation and avoid the pitfalls of a one-size-fits-all system.
You can read the speech here.
Indonesia Enacts its First Data Protection Act
On September 20, 2022, Indonesia’s parliament ratified the Personal Data Protection Act (the “Act”). The Act is the first comprehensive data protection law to be enacted in Indonesia and will come into effect on a date set by the Minister of State Secretariat. Organizations subject to the Act will have two years to come into compliance with the Act’s requirements.
The Act requires entities (whether public or private) that handle Indonesian residents’ personal data to ensure the protection of the data in their systems. The Act also will impose sanctions for the mishandling of personal data, including prison terms of up to six years for falsifying personal data for personal gain.
The Act provides the Indonesian president with the authority to create an oversight body to levy fines for violations of the Act. Fines of up to two percent of an entity’s annual revenue may be levied for violations of the Act. Additionally, those in violation of the Act may have their assets confiscated or be imprisoned for up to five years.
Under the Act, Indonesian residents will be able to claim compensation for breaches of their personal data and will be provided certain privacy rights, including the rights of access, deletion and restriction.
New Swiss Data Protection Ordinance: Key Aspects
On 31 August 2022, the Swiss Federal Council adopted the new Data Protection Ordinance (DPO) and the new Ordinance on Data Protection Certifications. These provisions will enter into force on 1 September 2023, together with the new Data Protection Act (nDPA).
This article discusses the key aspects of the nDPA and the DPO for private persons and companies.
Key aspects of nDPA
The nDPA introduces several additional data protection obligations (for further details please see “Revised Data Protection Act approved”). Principally, controllers must:
Except for small and medium enterprises, companies are required to maintain an inventory of processing activities (article 12 of the nDPA). Under certain circumstances, controllers outside Switzerland need to appoint a representative in Switzerland where personal data of individuals in Switzerland is processed (article 14 of the nDPA). Some of these provisions are subject to personal criminal liability, such as in the following cases:
Key aspects of DPO
The key aspects of the DPO for private persons and companies are the following:
The countdown to the implementation has begun: on 1 September 2023, the nDPA and the DPO will enter into force. Companies that have not yet implemented the new nDPA and DPO requirements should start now. Large companies and companies involved in the processing of particularly sensitive data should check whether they need to comply with the increased documentation obligations. Every company should take special care to ensure compliance with the provisions sanctioned by criminal law.
As China Cross-Border Data Transfer Security Assessment Requirement Comes Into Effect, New Guidelines Posted for Security Assessment Application
The new guidelines provide insight into how businesses can submit applications to the CAC in order to obtain approval via the CAC security assessment cross-border data transfer requirement.
As of September 2022, all businesses falling within the scope of the Cyberspace Administration of China (“CAC”) security assessment (one of three mechanisms that allow a business to conduct cross-border data transfers) must comply with the applicable self-assessment and government assessment requirements. To help businesses comply, the CAC recently released guidelines on the applicable requirements.
Last year, China’s sweeping data protection law, the Personal Information Protection Law (“PIPL”), went into effect on November 1, 2021. The law specifically addresses entities that engage in transferring personal data from China to a location outside of China, but it left many wondering what exactly the new cross-border data transfer requirements are and how they can be satisfied.
As noted in previous posts, entities that are transferring Chinese personal data to another jurisdiction are required (1) to obtain consent from a data subject prior to transferring data to a foreign jurisdiction, and (2) to ensure the data transferred is sufficiently protected.
To meet this second requirement, PIPL sets forth three express options: (1) passing a CAC security assessment; (2) receiving certification from CAC-certified professional organizations; or (3) entering into standard contractual clauses. It is likely that the standard contractual clauses will become the standard mechanism as the professional certifications are limited in applicability. It is important to note, however, that if a business falls within the CAC security assessment scope, it must use the CAC security assessment as the transfer mechanism.
The second option, professional CAC certification, is limited in that businesses are only able to utilize it to satisfy PIPL requirements in the following instances: (1) internal transfers between entities under the same business organization (e.g., intra-group data transfer agreements); and (2) data processing conducted wholly outside of China, by a non-China entity, related to the personal information of individuals located in China (e.g., businesses subject to PIPL’s extraterritorial jurisdiction). Additionally, the CAC has yet to actually specify which sub-agencies are allowed to grant the professional certifications.
Related to the CAC security assessment, the CAC published the draft “Outbound Data Transfer and Security Assessment Measures” (“CAC Measures”) in Oct. 2021, which recently took effect September 1, 2022. For more information on the CAC Measures, please see our previous alert. Only twenty-four hours before the Security Assessment Measures took effect, however, the CAC announced the publication of the Guidelines for Data Export Security Assessment Declaration (First Edition) (“CAC Guidelines”). The CAC Guidelines provide businesses with more specific details as to the Chinese government’s role in the assessment process and are intended to help businesses comply and to make data export security assessments standardized and orderly.
Importantly, the Security Assessment Measures require both a self-assessment and a government-led assessment. For entities that must conduct a CAC assessment to continue transferring “important data” or personal information, the CAC Guidelines provide directives on how to conduct the self-assessment, the contents of the application, and what supporting documents need to be filed with the CAC for approval. Only certain entities must comply with the CAC assessment depending on the type and volume of information transferred – see our previous alert for more information about all three of the cross-border data transfer mechanisms.
Scope of CAC Security Assessment Requirement
An entity must conduct a CAC security assessment if it (1) transfers important data collected or produced by critical infrastructure operators; (2) transfers “important data;” (3) collects personal information of over 1 million individuals; (4) transfers personal information of over 100,000 individuals; (5) transfers sensitive information of over 10,000 individuals; or (6) if other circumstances as stipulated by CAC apply.
Under the CAC Measures, “important data” is defined to include any data that could “endanger national security, economic operation, social stability, or public health and safety” if breached. In contrast, critical infrastructure is defined within other Chinese laws and regulations and includes, among other things, service providers in the following industries or fields: communication, energy, transport, water, finance, public services, E-government services, and national defense.
Application & Supporting Documents
While the previously passed CAC Measures set forth specifics related to timing and the self-assessment requirement under the CAC security assessment, the newly published CAC Guidelines provide details on the second requirement—the government-led assessment.
Specifically, the CAC Guidelines set forth the documents and information that businesses need to include in their application to the CAC prior to the CAC conducting their assessment.
Applications must include a general description of the data transfers at issue, the self-assessment required under the CAC Measures, and copies of the applicable cross-border data transfer agreements that the in-scope business has entered into with the data processor(s).
The application also requires multiple documents, on top of the above information.
The application requires the data controller to prepare a certified copy of its (1) unified social credit code certificate, (2) legal representative’s ID card, (3) appointed agent’s ID card, and (4) agreements or other legal documents with the overseas data recipients; these must be in Chinese or bilingual. The data controller must also provide a Power of Attorney document appointing an agent handling the application and related matters, meaning in-scope businesses will likely need to engage local counsel in China. Additionally, the data controller must submit a completed Application Form for Security Assessment of Cross-border Data Transfers; the templates for these requirements are included in the CAC Guidelines.
The foregoing is not an exhaustive list of what an entity may be required to submit for CAC assessment. Other relevant contractual and legally binding documents intended to conclude the data export risk self-assessment report may also be required.
The CAC assessment and application process are now in effect and remain a significant task. The deadline to prepare and submit the application is March 2023, and as it requires a substantial amount of information about the data recipient (who, in many cases, may likely be reluctant to provide the necessary information, e.g., registered capital amount, ID of security officer, number of employees), we recommend affected entities take action as soon as possible.
To assist entities in meeting the application deadline, the CAC Guidelines provide copies of the relevant forms required to be submitted (described above) and additional clarifications concerning questions presented in each form.
Trucking Industry Group Seeks to Conduct Drug Screening Utilizing Hair Testing
The Federal Motor Carrier Safety Administration (FMCSA) has requested public comment on an application for exemption submitted by The Trucking Alliance that would allow trucking companies to use hair testing in addition to urine testing for random drug tests and pre-employment screenings. The exemption also asks that carriers be allowed to publish the results of those tests into the FMCSA’s Drug and Alcohol Clearinghouse, a database that employers must review when hiring a driver and annually during a driver’s employment.
The request for public comment is interesting both substantively and procedurally. The Trucking Alliance, whose members include major trucking companies, filed for a similar exemption in 2020, which the FMCSA denied because it lacked statutory authority to grant the relief sought. Drug policy matters fall under the jurisdiction of the U.S. Department of Health and Human Services (HHS), and the FMCSA is required to follow HHS’s Mandatory Guidelines regarding testing. Currently, urine testing is the only permitted method for screening truck drivers and other federal employees. The FMCSA does not appear to have changed its opinion about its lack of statutory authority to grant the relief sought or to be motivated by a desire to better publicize a safety concern. Rather, the FMCSA seems to have determined that it has a statutory obligation to seek public comment even when it believes it does not have the authority to grant the request.
In 2015, HHS, through the enactment of the Fixing America’s Surface Transportation Act (FAST Act), was tasked with issuing guidelines on hair testing for drugs. In 2020, HHS issued proposed guidelines addressing hair testing, which were widely criticized by the trucking industry due to a requirement that if an employer were to elect to do hair testing, it must also collect one other specimen, e.g., urine or oral fluid. HHS is currently working on revising its proposed guidelines, but it remains unclear whether it will eliminate the need for secondary testing. Citing Jones v. City of Boston, 845 F.3d 28 (1st Cir. 2016) and Thompson v. Civil Service Com’n, 90 Mass.App.Ct. 462 (Oct. 7, 2016) in the proposed guidelines, HHS expressed concern that employment based on hair testing alone, without other corroborating evidence, may be vulnerable to legal challenge. In both cases, the Courts found that reliance on hair testing alone was not sufficiently reliable to be the sole basis for termination. One of the primary issues with hair testing is that a person may test positive if they were in an environment where a substance was present, but it does not necessarily mean that they have used the substance.
The trucking industry, however, has been utilizing hair testing for employment for several years and contends that hair testing is more reliable and accurate in detecting regular drug use as opposed to urine testing. It also eliminates certain vulnerabilities in collecting samples, i.e., urine testing does not allow the person collecting the sample to observe the supply of urine. Trucking companies may use hair testing to make their own determination as to whether a driver is fit to drive, but a hair test alone does not subject the driver to the FMCSA regulatory processes that apply to a positive urine test, such as being disqualified from driving until a return to duty protocol has been completed. Positive hair tests may also not be reported to the drug and alcohol clearinghouse, so if a company fires a driver based upon a hair test, the prospective employer would not be able to tell from the clearinghouse that the driver had a positive drug test. This reduces the effectiveness of the clearinghouse, which was intended to aid in information sharing between employers.
Potential Effects Unclear
The deadline for comments closed Sept. 23, 2022. It remains unclear what, if any, impact the comments could have to change drug testing requirements in the future. HHS’s initial proposed guidelines show a hesitancy to allow employers and federal agencies to solely rely on hair testing without corroborating evidence, and legal precedent finding hair testing unreliable on its own may do little to persuade HHS to change its initial proposed guidelines.
Parents Want Annual Background Checks after Sex Offender Worked at School
Parents are calling for annual background checks on all Fairfax County Public Schools (FCPS) employees who interact directly with their children after a convicted sex offender was found to have been working as a counselor at one middle school, according to a report from WJLA ABC 7News in Fairfax County, Virginia.
The sex offender – who was fired by FCPS in August 2022 – worked at the school for roughly 20 months after his initial arrest for solicitation of prostitution from a minor by Chesterfield County Police in November 2020 and continued working at the school even after his subsequent conviction in March 2022, 7News reported.
7News reported that the Chesterfield County Police tried to alert FCPS about the sex offender via email in 2020 but the department’s records now show the attempted email notifications bounced back as “undeliverable.” The former counselor registered as a sex offender in June 2022 but was listed as “self employed” on the registry.
“I was surprised this arrest took place in 2020 and it didn’t show up in an annual background check. And then I found out the school doesn’t conduct annual background checks on employees and counselors,” a parent who has three children in Fairfax County Public Schools told 7News.
7News reported that this parent is part of the Fairfax County Parents Association that “is now calling on FCPS to enact a new policy that would require annual criminal background checks for all employees ‘who, as a function of their job, may have one-on-one contact with children.’”
7News spoke to the FCPS Superintendent one day after the announcement that the sex offender had been fired and asked the superintendent whether she would consider implementing more frequent employee background checks to try to prevent something like this from happening again.
“All of our employees upon hiring have background checks and reference checks, all of those safety checks. We are exploring a variety of options, I think, as we move forward based on this third party report, review, and recommendations in terms of how we might mitigate a situation like this coming forward in the future.”
Employment Screening Resources (ESR) is a service offering of ClearStar, a leading Human Resources technology company specializing in background checks, drug testing, and occupational health screening. ClearStar offers employee monitoring so employers can maintain standards and mitigate risk. To learn more, contact ClearStar.