October 5, 2022
A Notice for Federal Drug Testing Collection Sites & CDL Employers Regarding FMCSA Regulated Employees
U.S. Department of Transportation sent this bulletin at 09/21/2022 09:55 AM EDT
On September 9, 2022, the Federal Motor Carrier Safety Administration (FMCSA) sent out a list serve titled “A Notice for Federal Drug Testing Collection Sites & CDL Employers Regarding FMCSA Regulated Employees”. The notice reminds collection sites and employers to only use a Federal Drug Testing Custody and Control Form (CCF) when testing employees subject to FMCSA drug testing regulations and to properly fill out the Federal CCF.
The US Department of Transportation (DOT) has regulations governing drug and alcohol testing for certain transportation industry employees. These regulations help ensure that the traveling American public can feel safe in their day-to-day journeys. Part of the effective execution of these regulations relies upon drug testing collection sites. For Federal drug testing programs to operate efficiently and effectively, collection sites play an integral role in making sure the right individuals are administered the right tests.
There are several modes under DOT that have regulations about how employees in their specific part of the transportation industry should be tested. For the Federal Motor Carrier Safety Administration (FMCSA), one of the modes under DOT, only commercial driver’s license (CDL) holders, commercial learner’s permit (CLP) holders, or drivers that should have either a CDL or CLP should be given a DOT drug test with FMCSA specified as the DOT Agency on the custody and control form (CCF). Administering Federal drug tests to anyone other than these groups under FMCSA regulations creates unnecessary administrative burdens on everyone in the Federal drug testing arena, including employers, drivers, medical review officers, third party administrators, and Federal staff. It is for this reason that FMCSA put together the “Collection Site Notice” linked below. This notice provides important information for both collection sites and employers to use when determining who should be given what type of test.
Employers: Please keep this notice handy and make sure that anyone involved in drug and alcohol testing at your company has a copy of it.
Collection Sites: Please review the attached notice with your staff. Also, we encourage posting the second page of the notice in your collection site, particularly in places where collections are actively taking place.
DOT and FMCSA drug and alcohol testing regulations make it safer for everyone in the United States to get around. This notice will help ensure that these regulations are implemented properly.
Pandemic to Permanent? Proposed Changes to the I-9 Verification Process
Welcome news for U.S. employers—the federal government has issued new proposed rules that may lead to further temporary or permanent changes to the I-9 verification process. As set forth in the Notice of Proposed Rulemaking published by the U.S. Immigration and Customs Enforcement (“ICE”), Department of Homeland Security (“DHS”), on August 18, 2022 (the “Proposed Rule”), alternate options for some or all employers are on the horizon. ICE, as a federal law enforcement agency under DHS, monitors and enforces compliance with Form I-9.
FORM I-9 DOCUMENTATION REQUIREMENTS
Pursuant to the employment eligibility provisions of the Immigration Reform and Control Act of 1986 (“IRCA”) as set forth in the Immigration and Nationality Act (“INA”), employers are prohibited from hiring any individual (including citizens of the United States) without first verifying their identity and employment authorization via Form I-9. Prior to the beginning of the COVID-19 pandemic, employers were required to examine hard copies of worker identification documents (such as passports, driver’s licenses, Native American tribal documents, and United States Social Security cards), in person within three business days after the first date of employment, to ensure that the documentation appeared to be genuine and that it related to the individual who presented it.
I-9 VERIFICATION FLEXIBILITIES IN THE AGE OF COVID-19
Given the logistical challenges presented by the pandemic, DHS announced a series of temporary flexibilities regarding the in-person I-9 document inspection process, which were intended to encourage social distancing and enable remote work. The first announcement, issued March 20, 2020, indicated that DHS would evaluate employers’ I-9 completion practices (regarding physical inspection of I-9 documents) on a case-by-case basis. As of April 1, 2021, DHS indicated that the in-person inspection of I-9 documents only applied to “those employees who physically report to work at a company location on any regular, consistent, or predictable basis.” Additionally, employees hired on or after that date and who work exclusively in a remote setting due to COVID-19 related precautions, were temporarily exempt from the physical inspection requirements “until they undertake non-remote employment on a regular, consistent, or predictable basis, or the extension of the flexibilities related to such requirements is terminated, whichever is earlier.” As noted in our prior alert, the most recent, temporary extension of these flexibilities is currently set to expire October 31, 2022.
THE PROPOSED RULE
The Proposed Rule published on August 18, 2022 seeks to formalize the authority of the Secretary of Homeland Security (the “Secretary”) to “extend flexibilities, provide alternative options, or conduct a pilot program to further evaluate an alternative procedure option (in addition to the procedures set forth in regulations) for some or all employers, regardless of whether their employees physically report to work at a company location.” As noted in the Proposed Rule, DHS recognized that the COVID-19 pandemic caused more employers to adopt remote work arrangements. Citing studies by the Pew Research Center (“How the Coronavirus Outbreak Has – and Hasn’t – Changed the Way Americans Work,” Dec. 9, 2020 and “COVID-19 Pandemic Continues To Reshape Work in America,” Feb. 16, 2022), DHS observed that 61% of workers with a workplace outside of the home have indicated that they are choosing not to go into their physical workplace.
As set forth in the Proposed Rule, DHS is seeking comment regarding the following changes and their potential impact on employers:
The specifics of these and other potential revisions will, themselves, be the subject of subsequent proposed rulemaking.
PUBLIC COMMENT PERIOD AND NEXT STEPS
DHS has invited public comment on the Proposed Rule through October 17, 2022. In the meantime, employers should be mindful that the current, temporary extension of I-9 flexibilities is set to expire October 31, 2022.
CCPA Business-to-Business and Employment Information Exceptions Ending
As the California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, the temporary and partial exceptions for employment and business-to-business information will expire, making California the first and only state with a general privacy law that applies to this type of information. The current partial exceptions, which were proposed in 2019 as part of a set of amendments to the California Consumer Privacy Act (CCPA), were originally extended again until January 1, 2023 as part of the ballot initiative that enacted the CPRA. While multiple bills were proposed to extend the partial exceptions either by one additional year or indefinitely, all of the proposed bills failed to make it out of committee and be passed by the California legislature by August 31, 2022, the last day for such bills to be passed in the legislative year.
What Is Employment-Related Information and Business-to-Business Information?
The current exceptions included many, but not all, of the provisions in the CCPA relating to employment and business-to-business information. The employment information exception applied to personal information collected by a business about a consumer acting as a job applicant or who is a past or current employee of, owner of, director of, officer of, medical staff member of, or contractor of the business and their beneficiaries and dependents (Employment-Related Information), so long as the business used the information solely in the context of the employment relationship. Under the CCPA’s exception for Employment-Related Information, the business was only required to provide the employee with a shortened privacy notice and the CCPA provided the employee with a private right of action in the event of a data breach where the business failed to use reasonable security measures. Businesses should be reminded that “personal information” under the CPRA is defined broadly, and Employment-Related Information may now include things like network monitoring, video surveillance, photographs, and document metadata. It may also include biometric data (including fingerprints and face and voice recognition when used to identify or authenticate the employee), which may be applicable to some businesses. Businesses should also be aware that biometric data may come under other stringent privacy statutes in and of itself (see, e.g., the Biometric Information Privacy Act in Illinois – 740 ILCS 14 and California SB 1189).
The business-to-business exception applied to personal information collected and used by the business about a consumer acting as an employee, owner, director, officer, or contractor of another company, partnership, sole proprietorship, nonprofit, or government entity, but solely to the extent the business used this personal information in the context of conducting due diligence regarding, or providing or receiving a product or service to such company, partnership, sole proprietorship, nonprofit, or government agency (B2B Information). Under the CCPA, businesses were only required to provide the consumer with an opportunity to opt-out of the disclosure of their B2B Information for monetary or other valuable consideration (i.e., a “sale” under the CCPA), if any, but were not required to provide a privacy notice and the CCPA did not otherwise provide a private right of action for data breaches.
Which Requirements Under the CPRA will apply to Employment-Related Information and Business-to-Business Information?
With the partial exceptions for Employment-Related Information and B2B Information expiring, the CPRA in its entirety will apply to these categories. This includes:
While current and former employees, job applicants, and business relations should always have been counted for the purposes of determining whether a business met the thresholds for CCPA, the full applicability of the CPRA to Employment-Related Information and B2B Information underscores the need to consider these individuals for the purpose of determining the applicability of the CPRA.
Impact on Businesses and the Use of Data
Businesses that are subject to both the CPRA and the GDPR should be familiar with the application of privacy requirements and data subject rights to Employment-Related Information and B2B Information, as the GDPR made no distinction between these classes of individuals and other data subjects. However, the expiration of the partial exceptions increases the compliance burden for businesses that are subject to the CPRA but not the GDPR. Such businesses should:
Impact on Employment-Related Information
The right of a consumer to access, delete, and correct their personal information may be especially troubling for Employment-Related Information. Employment-Related Information may include information that the business needs to keep confidential, such as the raw feedback related to performance appraisals, information about investigation activities, hiring/firing/disciplinary decisions, and other similar information. Businesses should consider the applicability of the exemptions set forth in Section 1798.145 of the CPRA when developing policies and procedures to comply with consumer requests from current, past, and prospective employees, owners, directors, officers, medical staff members, and contractors (and their beneficiaries and dependents). Applicable exceptions may include:
Businesses should also carefully review their policies and procedures for redacting certain personal information from responses to access requests. Businesses may collect and use categories of personal information as part of Employment-Related Information that they don’t collect from the rest of their consumers and which the CPRA regulations prevent the business from producing as part of a consumer access request. This includes a consumer’s social security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or other medical identification number, account passwords, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The CPRA regulations prohibit disclosure of the specific pieces of these types of personal information in response to a consumer access request, but the business must still disclose a generic description of this type of information when collected by the business.
Impact on B2B Information
The impact on B2B Information may be less troublesome than Employment-Related Information. Most businesses will not have as much sensitive information about their business relations, if any. Nevertheless, businesses should still consider if the exceptions described above apply to any B2B Information in light of a request from a consumer in the business-to-business context.
California Expands FEHA to Include Off The Job Cannabis Use
Virtually all California employers with five or more employees are covered by the Fair Employment and Housing Act (FEHA), the state’s most noteworthy civil rights law. FEHA protects and safeguards the right and opportunity of all persons to seek, obtain, and hold employment free from discrimination by establishing a comprehensive scheme to combat employment discrimination.
It currently prohibits covered employers from discriminating against any person with respect to nearly all terms, conditions, and privileges of employment on the basis of any of the following: race, religious creed, color, national origin, ancestry, physical or mental disability, medical condition, genetic information, marital status, sex, gender, gender identity, gender expression, age, sexual orientation, or military and veteran status.
With the passage of Assembly Bill 2188, which adds Section 12954 to the Government Code, California lawmakers have added another protected category to that list—off-duty and off-site cannabis use. In addition, the new law amends FEHA to prohibit employers from taking action based upon traditional drug screening methods.
In the new law, the Legislature finds and declares that tetrahydrocannabinol (THC)—the psychoactive chemical compound in cannabis—is stored in the body as a nonpsychoactive cannabis metabolite after it is metabolized. The law further states that these metabolites do not indicate impairment, but only that an individual has consumed cannabis in the last few weeks.
Presently, according to the Legislature, the intent of employment-related drug tests is to identify employees who may be impaired or under the influence of THC at a worksite. However, most cannabis drug tests tend to only show the presence of the nonpsychoactive cannabis metabolites that have no correlation to present impairment. Further, the Legislature observed that because the science has improved, alternative drug tests that better correlate to impairment are more readily available and do not rely upon the presence of nonpsychoactive cannabis metabolites to identify the presence of recently consumed THC.
AB 2188 aims to address that perceived disconnect. In particular, the bill amends FEHA to make it unlawful for an employer to discriminate against a person in hiring, termination, or any term or condition of employment, or otherwise penalize a person, if the discrimination is based upon the person’s “use of cannabis off the job and away from the workplace.” But, that rule would not prohibit an employer from discriminating in hiring or any term of employment based on a “scientifically valid preemployment drug screening conducted through methods that do not screen for nonpsychoactive cannabis metabolites.”
In addition, FEHA will now prohibit discrimination in hiring or any term of employment based upon an employer-required drug screening test that has found the person to have nonpsychoactive cannabis metabolites in their hair or bodily fluids.
In all events, Government Code Section 12954 does nothing to permit an employee to possess, be impaired by, or use cannabis on the job, or affect the rights or obligations of an employer to maintain a drug and alcohol free workplace.
The new portion of FEHA created by AB 2188 does not apply to (1) employees in the “building and construction trades” or (2) applicants or individuals hired for positions that require a federal government background investigation or security clearance. The new law also does not preempt any state or federal laws requiring individuals to be tested for controlled substances or as a condition related to federal funding or licensing-related benefits.
AB 2188’s changes to FEHA are effective as of January 1, 2024. Once in effect, they will substantially alter how and when employers can drug test employees for cannabis, and what they can do with those results. Employers may want to consider reviewing existing employment hiring, discipline, and termination policies and practices now to ensure they are in compliance upon the law taking effect. And, employers who utilize pre-employment drug screening will need to identify and source compliant testing methods in order to continue pre-employment screenings consistent with the new requirements. Employers should consult with their labor and employment counsel to ensure that they are ready, able, and prepared to comply with the new law once it takes effect.
Bill to Standardize Reusable Screening Reports for Rental Applications Heads to Governor Newsom
More than two years into the pandemic, California’s rental market has become extremely tight for prospective tenants, with prices skyrocketing and limited availability. Many rental shoppers are required by landlords to pay fees ranging from $25 to $55 per adult for credit checks, employment verifications and criminal background reports. Application fees for rental housing create additional cost burdens for renters seeking new housing, often resulting in people of color taking on a greater financial burden due to the application fees. In an effort to reduce this cost burden, Assemblymember Chris Ward introduced AB 2559 to standardize reusable screening reports for rental applicants that can be used multiple times within a 30-day window.
“The competition in the rental market is fierce, and sometimes, there can be 30 or more applicants for one unit,” Assemblymember Chris Ward (D-San Diego) said. “People are having to apply to multiple units to try and secure a place to live, and that can add up to hundreds of dollars. AB 2559 will allow would-be tenants to pay one fee and use one screening report for multiple rental applications, as well as verify that the information on the screening report is accurate.”
AB 2559 will standardize reusable screening reports in California and allow landlords who wish to accept the reports to receive them from a third-party company that provides the service. The reusable screening reports would include name, contact information, eviction history, employment, rental history, and last known address. The tenant is not able to tamper with the report contents, but does have the opportunity to review the report for accuracy and dispute any errors with the tenant screening company. Additionally, landlords could publicize whether reusable screening reports are accepted during the application process.
In 2019, the State of Washington and in 2021 the State of Maryland passed legislation to allow landlords to accept reusable screening reports. According to the Zillow Consumer Housing Trends Report for 2022, 26% of U.S. renters who moved in the past two years listed multiple application fees as the top stressor of a rental search. AB 2559 will make rental properties more accessible to renters, while saving landlords time and effort in collecting fees and purchasing the reports.
New York Restricts Automated Decision Making in Employment
Businesses operating in New York City should be aware of a local law addressing the use of automated employment screening and decision-making tools coming into effect on January 1, 2023. This law applies broadly to employers and employment agencies operating in New York City that target New York City residents using what it refers to as Automated Employment Decision Tools.
Generally, this law prohibits employers from using Automated Employment Decision Tools to screen candidates or employees for employment decisions unless: (1) the tool has been subject to a bias audit conducted no more than one year prior to the use of such tool; and (2) a summary of the results of the bias audit, as well as the distribution date of the tool at issue, have been made publicly available on the website of the employer prior to using the tool. A “bias audit” is defined as “an impartial evaluation by an independent auditor,” which includes “the testing of an automated employment decision tool to assess the tool’s disparate impact on persons of any component 1 category required to be reported by employers pursuant to” 42 U.S.C. § 2000e-8(c) and 29 C.F.R. § 1602.7. The law does not, however, define “independent auditor.”
Additionally, employers or agencies that use an automated employment decision tool to screen candidates or employees must notify each individual (1) that an automated employment decision tool will be used in connection with the assessment at least 10 business days before use of the tool, and allow the candidate to request an alternative selection method; (2) of the characteristics or other metrics the tool will use to assess the candidate / employee, and (3) of the types of information collected by the tool, the sources of the data, and information regarding the employer’s data retention policy.
The bias audit required under this law must be an impartial evaluation conducted by an independent auditor. As most employers implementing automated employment screening tools rely on third party service providers, employers should begin coordinating now to ensure compliance come January 1, 2023. Failure to comply can result in penalties of $500 per violation for the first infraction and up to $1,500 per subsequent infraction.
NYC Council revisits bill to ban most background checks—including criminal—by landlords
An anti-discrimination bill that would ban most New York City landlords from considering criminal history in assessing tenants was reintroduced in the City Council on Thursday after succumbing to resistance last year from property owners and some residents.
Supporters of the bill view the legislation as an important step toward helping the formerly incarcerated secure homes as the city faces a raging housing crisis. Four borough presidents and a majority of the members of the Council are behind the bill, said The bill, the Fair Chance for Housing Act, would allow landlords to consider the criminal history of potential tenants who are listed on the sex offender registry, but otherwise limit the use of background checks, according to Powers’ office.
An estimated one in 10 adult New Yorkers have a conviction history. Powers added that helping the formerly convicted find housing is a broader safety issue.
But a similar push wilted last year, even after its success seemed secured by 27 Council sponsors — making up more than half the body — and the backing of former Mayor Bill de Blasio.
Opposition from landlords and residents proved powerful in preventing Council passage.
Frank Ricci, the executive vice president of the Rent Stabilization Association, which represents property owners, said his organization had publicized the issue, and would again.
“Last year, it was the residents and buildings that stopped it,” Ricci said. “That came from the ground up.”
Ricci acknowledged that many formerly incarcerated New Yorkers may be great tenants, but argued property owners should be able to consider a raft of considerations to protect the safety of their buildings.
“The way the legislation is right now, I think it’s putting criminal privilege over tenant safety,” Ricci added.
And Joseph Strasburg, the Rent Stabilization Association’s president, said in a statement that “it defies all logic to prohibit building owners from utilizing criminal background checks.”
But Public Advocate Jumaane Williams, a Brooklyn Democrat, said that the bill would simply secure “a fair chance” for the formerly incarcerated.
“You cannot ask returning residents to be their best selves, and then not allow them to get a job and a place to live,” Williams said at the rally. “We’re just saying: Please, give them a fair chance, so we can all be safe.”
Mayor Adams has offered his support for the legislation. Enhancing protections for New Yorkers with criminal records is a plank in his housing blueprint.
A spokesman for the mayor, Charles Lutvak, said in a statement: “We look forward to reviewing the details of the introduced legislation, and we will work closely with our partners in the City Council to ensure it accomplishes that goal.”
It was not immediately clear how likely the bill was to pass even in the progressive City Council, nor was it certain that the city would be well-equipped to enforce the bill if it became law.
But its passage would come as a watershed moment for some 750,000 New York City residents with histories of convictions.
New Jersey landlords are already barred from considering criminal histories when assessing tenants. Seattle and San Francisco have similar provisions.
“If we want safe communities, we have to house every single New Yorker,” said Councilwoman Tiffany Cabán, a Queens Democrat. “Without any exceptions.”
Cannabis Testing in the New Jersey Workplace Just Got a Little Less Hazy
On September 9, 2022, the New Jersey Cannabis Regulatory Commission (“CRC”) issued interim guidance (the “Guidance”) for employers regarding the employment protections passed for cannabis users last year pursuant to the New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act (“NJCREAMMA”). The Guidance shall remain in effect until the CRC publishes the standards for Workplace Impairment Recognition Expert (“WIRE”) certification.
As noted in more detail below, the Guidance discusses an employer’s right to maintain a substance-free workplace and offers practical guidance for employers struggling with how to ascertain whether an employee is impaired during working hours.
What protections are available to cannabis users in the workplace?
As we previously reported, NJCREAMMA provides various employment protections for employees who use cannabis recreationally and imposes strenuous requirements on New Jersey employers who conduct drug testing for the presence of cannabis in an individual’s system. Namely, under NJCREAMMA:
Notably, the “physical evaluation” requirement has been temporarily suspended by the CRC since August 2021 until the CRC develops WIRE certification standards. As noted above, the Guidance provides that it “is intended to serve as guidance until the NJ-CRC formulates and approves standards for WIRE certifications.”
What does the Guidance say?
The Guidance contains the following key takeaways:
The Guidance reaffirms that NJCREAMMA prohibits employers from taking any adverse employment actions against employees based solely on their use of cannabis or having cannabis metabolites in their system.
What should employers do now?
All New Jersey employers should carefully review the Guidance and update their current drug testing and substance-free workplace policies and procedures with counsel to ensure compliance with the Guidance. Employers should also either implement the CRC’s sample Reasonable Suspicion Observation Report or create their own for use in connection with enforcing substance-free workplace policies. Finally, employers should identify and train employees who can determine suspected cannabis impairment during work hours or use a third-party contractor.
Could Recreational Marijuana Use Jeopardize a Nevada Employee’s Job?
Recreational marijuana use is legal under Nevada state law. But could recreational marijuana use jeopardize an employee’s employment? Nevada voters voted to legalize recreational marijuana use effective January 1, 2017. The law decriminalized recreational marijuana when used in compliance with Nevada law. The statute decriminalizing recreational marijuana use specifically indicated that it did not preclude an employer from maintaining, enacting, and enforcing a workplace policy prohibiting the conduct made legal by the statute. However, under a Nevada statute, employees cannot be terminated for lawful off-duty use of a product in this state, unless that use adversely affects the employee’s ability to perform their job or other employees’ safety. Employers that terminate employees for engaging in lawful off duty use of a product may be required to pay damages to terminated employees. As a result, many employers operated under the assumption that employees who tested positive for recreational marijuana use could not be terminated because Nevada legalized recreational marijuana use.
In Ceballos v. NP Palace, LLC, a recent Nevada Supreme Court decision, the Court analyzed whether an employer could discharge an employee for recreational marijuana use. Palace Station employed Danny Ceballos as a table games dealer. According to Ceballos, he had no performance or disciplinary issues. On June 25, 2020, Ceballos slipped and fell in the employee breakroom. After his fall, Ceballos submitted to a drug test that tested positive for the presence of marijuana. Palace Station terminated Ceballos’ employment due to the positive test result; there was no allegation that Ceballos was intoxicated or otherwise impaired during his shift.
The Court held that “although Nevada has decriminalized adult recreational marijuana use, the drug continues to be illegal under federal law. Because federal law criminalizes the possession of marijuana in Nevada, its use is not ‘lawful… in this state’ and does not support a private right of action under NRS 613.333.” The Court also held that because NRS 678D.510(1)(a) authorizes employers to prohibit or restrict recreational marijuana use by employees, employees discharged after testing positive for the presence of marijuana do not have a common-law discharge claim.
The Ceballos decision raises questions about the future of recreational marijuana use by employees, and the Nevada Legislature has not indicated whether it intends to provide employees with employment protection in light of the Ceballos decision. For the time being, employers are within their right to enforce drug policies that prohibit recreational marijuana use. According to Ceballos, an employee terminated for recreational use of cannabis can neither sue the employer under NRS 613.333 nor under a common law tortious discharge claim. Employers looking to discipline employees for recreational marijuana use should ensure their employment policies allow for such discipline.
*Note: Ceballos does not address medical marijuana use, so employers should remain mindful of the Nevada medical marijuana statute applicable to employees.
Colorado Expands Notice Requirements for Employees Upon Termination
When a Colorado employee’s employment terminates for any reason, employers are required to provide certain information to the employee regarding unemployment insurance benefits. Colorado expanded employers’ notice requirements under Senate Bill 22-234, which was passed on May 25, 2022. Employers now must include the following information in a notice of unemployment insurance benefits form upon termination:
This information must be included in addition to the information employers already were required to provide to Colorado employees in the unemployment insurance notice, including a statement that unemployment insurance benefits are available to unemployed workers who meet state-enacted criteria, contact information for unemployed workers to file a claim, information needed to file a claim, and contact information to inquire about the status of a claim after it is filed.
The Colorado Department of Labor and Employment is expected to provide a revised notice form soon. We also anticipate additional guidance on the level of detail required when listing the reason for an employee’s separation. In the interim, Colorado employers should review their separation procedures and update their required notices to include the additional requirements listed above.
California’s Pay Transparency Act (SB 1162) – Are You Prepared?
This week the California legislature passed a pay transparency act that – pending Governor Newsom’s signature – will require significant changes in how employers draft job postings and how they report pay data to the State. The Governor has until September 30, 2022 to sign the bill into law, but given the scope of the changes, employers may want to begin preparing in the event the bill becomes law.
Job Postings Must Include Wage Ranges
If signed into law, starting January 1, 2023, employers with 15+ employees must include a position’s salary or hourly wage range (not including bonuses or equity-based compensation) in any internal or external job posting. This requirement extends to job postings published by a third party at an employer’s request.
SB 1162 does not limit the definition of employers to only those with operations or employees in California. As a result, this law could also impact employers that do not have a physical office or current employees in California but publish nationwide job postings for remote positions.
Expansion of Pay Scale Disclosures Upon Request
Under existing California law, after an external applicant has completed an initial interview for a position, an employer must provide the position’s salary or hourly wage range upon the applicant’s reasonable request.
SB 1162 would expand this requirement to cover current employees who request the pay scale for the position in which they are currently employed, as well as any external applicant seeking employment with the employer who makes such a request. This is significant for employers because previously this requirement only applied to applicants who had completed an initial interview. The new requirement to share wage range information with current employees and applicants applies to all employers – including those with fewer than 15 employees.
SB 1162 would also establish a civil penalty of up to $10,000 per violation of its pay scale disclosure and job posting requirements. However, no penalty would apply for a first violation of the job posting requirement if the employer can show that all job postings for open positions have been updated to include the pay scale.
Expansion of Pay Data Reporting Requirements (Beginning May 2023)
Existing law in California requires employers with 100+ employees to annually report pay data on each of 10 specified job categories to the California Department of Fair Employment and Housing (DFEH). This report is calculated from a “snapshot” of a single pay period of the employer’s choice between October 1 and December 31.
Beginning in 2023, SB 1162 would expand these DFEH reporting requirements. For each job category, employers must include the median and mean hourly rate, broken down by race, ethnicity, and sex. This is a material change from existing law, which only requires numerical counts of employees by race, ethnicity, and sex within each job category’s pay band. Employers also must produce this data for individuals hired through labor contractors, which are individuals/entities supplying workers to perform labor within the employer’s usual course of business. If there are differences between groups of employees within the same job category, this new reporting requirement could lead to claims of discrimination. The pay data reports are not publicly reported at this time due to a late amendment to the bill, which originally would have required the State to post the reports on a public website. However, it is likely that such reports would be available via a FOIA request or through civil discovery.
SB 1162 would also establish a civil penalty of up to $100 per employee for an employer that fails to report and a civil penalty of up to $200 per employee for a subsequent reporting violation.
Reminder of Other Existing Pay Transparency Requirements
Existing law in California prohibits employers from asking job applicants for “salary history information.” However, employers may ask about an applicant’s “salary expectation” for the position. In addition, employers are not prohibited from making a compensation decision based on a current employee’s existing salary (or an applicant’s salary if they have voluntarily disclosed it), so long as any wage differential resulting from that compensation decision is justified by one of the Equal Pay Act factors: seniority or merit system, production system, or a bona fide factor such as education, training, or experience.
Pay Transparency Laws in Other Jurisdictions
Employers operating outside of California should also confirm pay transparency requirements in other jurisdictions. Right now, Colorado State and Jersey City are the only jurisdictions that require certain employers to provide wage ranges in job postings. However, Washington State and three New York localities (Ithaca City, New York City, and Westchester County) have passed similar laws, scheduled to go into effect within the next few months. Other jurisdictions have pay transparency laws requiring employers to provide wage ranges at an applicant’s request and/or have compulsory disclosure requirements at other points in the hiring/employment process.
Each jurisdiction has taken its own approach and has slightly different requirements. Please see a more detailed summary of these jurisdictions’ requirements here.
What You Should Do
To comply with California’s current law, employers are encouraged to consult with employment counsel on their job listings and should develop pay bands for each role in advance of posting the role. To prepare for potential new job posting requirements, employers should develop a process for consistently publishing wage range information in internal and external job postings, as well as a process for preserving such publications to prove compliance. Relatedly, employers should train managers, recruiters, and human resources professionals on these processes and the new law’s requirements.
To prepare for potential expanded public reporting in 2023, employers may also consider an internal audit of current employee wages to ensure there are not any significant discrepancies or inequities.
Given the growing number of states and localities requiring wage transparency, multistate employers may consider a national policy for including wage ranges in job postings and/or providing wage ranges to applicants.
Harris County Becomes Latest in Texas to Adopt a Ban the Box Hiring Policy
Earlier this year, Harris County, Texas, which encompasses a substantial majority of the City of Houston, became the sixth Texas city or county to embrace a “ban the box” policy when it adopted the Fair Chance Policy.
“Ban the box” policies are gaining support around the country, with over 37 states and over 150 cities and counties having adopted some form of a ban the box policy, including several in Texas. Generally, these policies are designed to ensure that potential employers consider a job candidate’s skills and qualifications first, thereby eliminating any implicit bias or negative implication to his/her application due to a criminal conviction or arrest record. As the name suggests, these policies typically eliminate the box (or question) on an employer’s employment application where the applicant must check off whether or not he/she has a criminal record. To be clear, ban the box policies do not eliminate an employer’s right or ability to inquire into an applicant’s criminal background, but rather restrict those questions to later in the hiring process.
Ban the Box in Texas
In Texas, Travis County was at the forefront of ban the box initiatives when, in April 2008, the Travis County Commissioner’s Court voted to remove the question regarding an applicant’s criminal background from county job applications. The City of Austin followed, enacting a similar policy a few months later. In March 2016, the Austin City Council took things a step further by enacting the State’s first ban the box ordinance applicable to both public and private employers. Shortly thereafter, San Antonio and Dallas County each followed with their own ordinances, both of which apply only to public employers.
In June 2021, the City of DeSoto, Texas, enacted its ban the box ordinance – the Fair Chance Hiring Ordinance. Like the Austin ordinance, DeSoto’s ordinance applies to both public and private employers.
In early 2022, Harris County followed suit by voting to enact the Fair Chance Policy. Unlike in Austin and DeSoto, where the ban the box ordinances apply to both public and private employers (assuming certain conditions are present), the Fair Chance Policy aligns more closely with Dallas County, Travis County, and San Antonio, Texas, as it applies only to public employers, i.e., it does not apply to private employers.
Harris County’s Fair Chance Policy will “prohibit departments from considering an applicant’s record of arrest if that arrest did not result in a conviction, or if it did and it was expunged or sealed, or it’s a misdemeanor for which no jail time can be sentenced,” said Harris County Attorney Christian Menefee – who proposed the program. Menefee further noted that the Fair Chance Policy “will allow departments to conduct a criminal background check only after a conditional offer of employment [is made]…The policy will prohibit blanket disqualification of applicants solely because they have a conviction…Instead, what it’s going to call for is an individualized assessment of various factors, including what was the nature of the offense. What is the position that the applicant is applying for?”
Currently, the Fair Chance Policy applies only to departments led by county appointees, not elected officials (though elected officials are free to adopt the Fair Chance Policy in their own offices).
It is clear that ban the box policies are gaining popularity throughout Texas and the United States, and private businesses should be alert for similar bills that could be introduced that impact the private sector.
New York City Council Passes Law Regulating Use of Artificial Intelligence in Employment Decisions
The New York City Council has recently enacted an ordinance banning artificial intelligence (“AI”) in employment decisions unless the technology has been subject to an independent bias audit within a year of use.
Many employers have been using AI in employment decisions for years without regulation. This technology can range from algorithms finding ideal candidates to software used to assess a candidate’s performance during screening interviews. While AI tools promote efficiency, reduce costs, and can help employers make informed decisions, technology can run afoul of discrimination laws by reinforcing bias or screening out candidates of protected classes.
The law, which takes effect on January 1, 2023, bans such unregulated practices in New York City by requiring employers to obtain an independent audit of their automated tools within a year of use. Employers will be required to make the results of the audit publicly available on their websites.
Additionally, employers must notify candidates who reside in New York City within 10 days of using automated tools and detail the job qualifications and characteristics that the tool will use to assess the candidate. Employers that do not comply will be subject to a $500 fine for the first violation, and a $1,500 fine for each subsequent violation. The penalty will then be multiplied by each day that the issue is unresolved. These penalties can add up quickly, making it crucial for employers to review their automated employment tools before the law takes effect.
There are unanswered questions that the City needs to address for a smooth implementation of this law. The law does not specify the independent people or agencies qualified to perform a “bias audit,” although many larger employers have been validating similar types of pre-employment tools prior to use for years.
Although the City’s Office of the Corporation Counsel is authorized to bring a lawsuit to address violations of the new law, private lawsuits by aggrieved parties are not expressly permitted. The law is silent about whether class action lawsuits could be filed, but it is likely that the new law would promote the filing of such lawsuits to the extent that the AI tools would be used in accordance with uniform policies and practices.
While NYC has not issued guidance at this time, it is likely that more direction will be issued before the law takes effect in January 2023.
New Jersey Cannabis Regulatory Commission Issues Guidance on “Workplace Impairment” Determinations
On February 22, 2021, New Jersey Governor Phil Murphy signed the “New Jersey Cannabis Regulatory, Enforcement Assistance, and Marketplace Modernization Act” (CREAMMA), which amended the New Jersey Constitution to legalize recreational cannabis. The law allows employers to conduct numerous forms of drug testing for cannabis, but limits an employer’s ability to rely on a positive cannabis test result in making employment decisions. It requires that a drug test include both “scientifically reliable objective testing methods and procedures, such as testing of blood, urine, or saliva” and a “physical evaluation.” The “physical evaluation” must be conducted by an individual certified to provide an opinion about an employee’s state of impairment, or lack of impairment, related to the use of cannabis. The law tasked the Cannabis Regulatory Commission with adopting standards for this “Workplace Impairment Recognition Expert” (WIRE), who must be trained to detect and identify an employee’s use or impairment from cannabis or other intoxicating substances and to assist in the investigation of workplace accidents.
On August 19, 2021, the Commission published its “Personal Use Cannabis Rules,” which said virtually nothing about employer drug testing practices. It did, however, suspend the physical evaluation requirement until the Commission “develops standards” for the WIRE. Although the law has been on the books for 18 months, the Commission has not adopted any standards.
Instead, on September 9, 2022, the Commission released interim Guidance to assist employers with making “workplace impairment” determinations. In the Guidance, the Commission highlights the need for employers to “establish evidence-based protocols for documenting observed behavior and physical signs of impairment to develop reasonable suspicion, and then to utilize a drug test to verify whether or not an individual has used an impairing substance in recent history.”
The Guidance advises that employers can “continue to utilize established protocols for developing reasonable suspicion of impairment and using that documentation, paired with other evidence, like a drug test, to make the determination that an individual violated a drug free workplace policy.” The Guidance goes on to remind employers that they cannot take employment action against an individual “solely due to the presence of cannabinoid metabolites in the employee’s bodily fluid.” However, a positive test result can be considered when “combined with evidence-based documentation of physical signs or other evidence of impairment during an employee’s prescribed work hours.”
Fortunately, the Guidance provides best practices for employers to consider that will help them determine workplace impairment, at least until the Commission issues the WIRE standards, which include:
As more states and localities enact laws prohibiting employers from considering positive cannabis test results absent other evidence of workplace impairment, the need for a robust and defensible reasonable suspicion testing program is critical. While we await the Commission’s WIRE standards, New Jersey employers should consider modifying their drug testing policies and practices, providing training and documentation to managers tasked with making reasonable suspicion determinations, and determining the drug test most appropriate to use in conjunction with workplace impairment determinations. We will provide an update as soon as the new regulations are adopted.
Illinois Pay Transparency: Fast-Approaching Deadlines and Enforcement Dates
Compliance deadlines for Illinois Equal Pay Act amendments are quickly approaching
Employers with more than 100 employees must fulfill the new requirements by March 23, 2023, unless the business commenced operations after March 31, 2021
Other states are creating salary transparency laws for private employers to ensure pay equity among employees regardless of gender, race, or ethnicity
In 2021, Illinois announced amendments to its 2003 Equal Pay Act to ensure pay equity among employees and prohibit pay discrimination on the basis of sex or racial identity.
Any prior employer with 100 or more employees in Illinois and that is required to submit an annual EEO-1 report to the Equal Employment Opportunity Commission is now required to submit an application to the Illinois Department of Labor to obtain an equal pay registration certificate.
Other states followed suit and some application deadlines are approaching.
In Illinois, the application includes:
Employers authorized to operate in Illinois after March 31, 2021, must submit an application within the first three years of operation, but no sooner than Jan. 1, 2024. Those authorized to operate in Illinois on or before March 31, 2021, must file their application between March 24, 2022, and March 23, 2024. If employers have multiple locations within the state, only one application for the registration certification is required.
Colorado, Connecticut and Nevada already have laws that require private employers to provide some level of pay transparency. Other states are joining in:
The first state to legislate pay transparency, the California legislature has passed a new law requiring employers with 15 or more employees in the state to post salary ranges, including third parties whom the employer engages for job postings. Employers with more than 100 employees in the state also must demonstrate their mean and median pay data by gender, ethnicity, and racial categories. This legislation awaits signature by Gov. Gavin Newsom. If signed it will become effective Jan. 1, 2023.
In New York State, statewide pay transparency legislation requiring employers to disclose job compensation range in position postings awaits the signature of Gov. Kathy Hochul. Ithaca, New York City, and Westchester County already have passed legislation requiring employers and employment agencies to include the salary maximum and minimum when posting jobs, promotions, or transfer opportunities. The compliance deadlines for these cities and counties differ, but all will take effect before the end of 2022.
Beginning Jan. 1, 2023, employers must provide salary ranges to applicants who request the information and to employees at the time of hire, at the employee’s request, or when an employee moves into a new role.
Beginning Jan. 1, 2023, employers in the state of Washington with 15 or more employees must disclose on job postings the salary range, including a description of all benefits and other compensation.
Nevada Supreme Court Affirms Termination for Off-Duty Recreational Marijuana Use
Ending years of discussion about the scope of state law employment protections for individuals who use marijuana recreationally, the Nevada Supreme Court has upheld a lower court’s decision to dismiss a complaint by an employee who was fired for testing positive for marijuana on a post-accident drug test. In Ceballos v. NP Palace, LLC, the employee asserted that the positive drug result was due to his use of recreational marijuana at home, that he was not intoxicated or impaired at work, and he had complied with state law. After his termination, the employee brought a complaint against his employer for damages under Nevada’s law protecting the off-work use of a lawful product and common-law tortious discharge.
The employee’s first proposed cause of action alleged a violation of NRS 613.333(1), which makes it unlawful for employers to “[d]ischarge . . . any employee . . . because the employee engage[d] in the lawful use in this state of any product outside the premises of the employer during the employee’s nonworking hours” so long as “that use does not adversely affect the employee’s ability to perform his or her job or the safety of other employees.” The Nevada Supreme Court rejected the employee’s argument that the phrase “lawful use in this state” meant lawful under state law, and found that the statute refers to the use of products lawful under both state and federal law. In reaching this conclusion, the Nevada Supreme Court examined the language of the statute, noting that the meaning of the prepositional phrase “in this state” is different from “under state law,” the latter of which signals the Legislature’s intent to focus on state law. The Nevada Supreme Court cited with approval a 2015 opinion from the Colorado Supreme Court, which similarly held that “lawful activity” did not include marijuana use that is illegal under federal law but legal under state law.
The court also rejected the employee’s claim for tortious discharge in violation of public policy. Considering whether policies prohibiting marijuana use violate public policy, the court examined the interplay between the recreational marijuana statutes and employment law, and concluded that state law expressly permits employers to adopt and enforce workplace policies prohibiting or restricting recreational marijuana use. The court emphasized that the Legislature had authorized employers to prohibit or restrict recreational marijuana use by employees, and held that for the court to conclude otherwise would intrude on the prerogative of the Legislature.
The Nevada Supreme Court’s decision provides clarity for employers about how evolving marijuana laws impact workplace rules prohibiting recreational marijuana use. Individuals who use marijuana for medical reasons as permitted by state law may, in contrast, be entitled to accommodations provided that they do not use marijuana at work and their off-duty marijuana use will not pose a safety risk. Employers are encouraged to consult with knowledgeable counsel in drafting and implementing drug testing policies and procedures.
EEOC Sues BaronHR and Radiant Services for Discriminatory Recruitment and Hiring
The U.S. Equal Employment Opportunity Commission (EEOC) filed suit against the national staffing agency BaronHR, LLC and Radiant Services Corporation, a commercial laundry facility that serves the hospitality industry in Southern California, for discriminatory denial of employment based on race, national origin, and sex, the federal agency announced today.
The EEOC charged that since 2015, BaronHR and Radiant failed to recruit, refer, and hire Black, Asian, and White applicants for low-skill positions. The EEOC further alleged that Radiant requested only female applicants for certain “light” job positions, and only male applicants for “heavy” job positions. BaronHR acquiesced by recruiting and referring applicants based solely on their sex, the EEOC said.
Finally, the EEOC alleges that BaronHR required that applicants have no medical conditions or history of injury. BaronHR’s unlawful hiring criteria excluded qualified individuals with disabilities, perceived disabilities, or a record of a disability.
The EEOC investigated BaronHR and Radiant following Commissioner’s Charges alleging violations of Title VII of the Civil Rights Act of 1964 and the Americans with Disabilities Act (ADA), which prohibit discrimination in recruitment and hiring. The EEOC filed suit (EEOC v. Radiant Services Corp. and BaronHR, LLC, Case No. 2:22-cv-06517) in U.S. District Court for the Central District of California, after first attempting to reach a pre-litigation settlement through its conciliation process.
“Staffing agencies and employers have a dual-employer relationship, which makes both responsible for ensuring a discrimination-free workplace,” said Anna Park, regional attorney for the Los Angeles District Office. “Preferential hiring has no place in the workforce and acquiescing to such requests extends liability from the employer to the staffing agency.”
Acting Los Angeles District Director Christine Park-Gonzalez said, “Screening out qualified job applicants based on sex, race, national origin or disability is prohibited under federal law. The EEOC is here to ensure that job applicants and workers are protected from such injustices in the workplace.”
Eliminating barriers in recruitment and hiring, especially class-based recruitment and hiring practices that discriminate against racial, ethnic and religious groups, older workers, women, and people with disabilities, is one of six national priorities identified by the Commission’s Strategic Enforcement Plan (SEP).
For more information about race and color discrimination, visit the EEOC’s website at https://www.eeoc.gov/racecolor-discrimination; for information on sex discrimination: https://www.eeoc.gov/sex-based-discrimination; for information on national origin discrimination: https://www.eeoc.gov/national-origin-discrimination; and for information on disability discrimination: https://www.eeoc.gov/eeoc-disability-related-resources.
Canada’s Federal Government Proposes Changes to Privacy Act
On June 16, 2022, the government of Canada tabled a bill that would make significant changes to privacy laws impacting employers in the federal jurisdiction. The new legislation, the Digital Charter Implementation Act (Bill C-27) would replace Part 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) and would create three pieces of legislation in its place, the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act (PIDPTA), and the Artificial Intelligence and Data Act (AIDA).
Consumer Privacy Protection Act (CPPA)
The legal framework of the CPPA is designed around the familiar concept of consent. As under PIPEDA, employers would be required to obtain consent for the collection, use, and disclosure of personal information except in limited circumstances. In terms of an employment relationship, the bill would only apply to employers in federal industries (examples of which include transportation, radio, and banks), and most obligations for employers would remain much the same as under PIPEDA.
The major change worth noting would be the ability for individuals, including employees of federal organizations, to request that their personal information be deleted, effectively withdrawing consent where the data is not strictly needed. The CPPA outlines the process of requesting deletion of information, and establishes timelines for response and processes for denials and appeals. The bill also specifies practices to be followed regarding sharing personal information with service providers. Namely, employers would be able to share data with service providers without separate consent, but the onus would be on the collector of private data to ensure that the service provider operates with the same diligence and notifies the organization in the case of any breaches.
Also of note, the CPPA would require organizations to implement a privacy management program that must consider the volume and sensitivity of the personal information under their control.
The bill would exempt business activities and those purposes that are consistent with employment activities when the information retained is from an employee or potential employee. The CPPA would also include a “legitimate interest” exception, meaning that an organization may use and disclose personal data (including providing information to the government and law enforcement) without an individual’s consent or knowledge if the organization or broader public has an interest that outweighs the infringement to the individual.
The CPPA would create a stricter standard for the personal data of minors. Under the bill, any federal employer with employees under the age of majority would need to consider any personal information from these individuals as sensitive information without exception.
An important addition under the CPPA is the differentiation between anonymous and de-identified data as types of nonpersonal information. Under the CPPA, organizations may freely share anonymous data, which may be a useful tool for employers that need information about employees, without the need to associate the data with individuals. The CPPA considers information de-identified if it could pose a risk of identification even when identifiers have been removed or scrubbed. This type of information would still be subject to all the protections of the CPPA.
Personal Information and Data Protection Tribunal Act (PIDPTA)
Enforcement of the regulations set out by the CPPA would fall in the hands of the tribunal created by the PIDPTA. The tribunal may impose fines of up to $10 million or 3 percent of an organization’s gross global revenue for breaching the CPPA. Individuals would also have a separate right of action under the act.
The tribunal created would also review orders and recommendations from the federal privacy commissioner.
Artificial Intelligence and Data Act (AIDA)
The AIDA would regulate the processing of data related to human activities by artificial intelligence systems that have a full or partial level of autonomy. The AIDA is meant to prevent the propagation of biases based on human rights protected grounds.
In practice, the AIDA would demand that organizations publish descriptions and uses of artificial intelligence software. Violations could result in fines up to $25 million or 5 percent of global revenue. There are also penalties for individual offenders ($100,000 or five years imprisonment).
What the New Privacy Laws Could Mean for Employers
In anticipation of Bill C-27 taking effect, employers may want to review existing policies and practices to determine what revisions will be needed to address the new regulatory framework. In particular, federally regulated employers may want to ensure that the exceptions under the legislation apply where possible. The bill provides for several different types of exceptions to the general consent requirement, notably for business operations. Generally, employers would be allowed to collect or use employees’ personal information without their knowledge or consent for any reason listed under the exceptions provided for by law provided that:
Exceptions specified in the legislation include:
Specifically in the employment context, the need for consent would not apply to information that organizations used for purposes consistent with those for which the information was provided. Federal employers and businesses may use personal data as necessary to establish, manage, or terminate an employment relationship with an individual.
It should also be noted that employers would be permitted to use personal information without employees’ knowledge or consent “if it is reasonable to expect that the collection with their knowledge or consent would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of federal or provincial law.” In other words, in certain types of workplace investigations (e.g., workplace harassment complaints), an employer may be permitted to use an employee’s personal information to investigate a complaint.
The new bill would require employers to ensure that their use of personal data either complies with the CPPA’s requirements or reasonably mitigates harm without an undue negative impact on the employee. This may require employers to closely and conservatively assess whether the use of data is in line with the purpose provided for. In any situation in which this is not the case, employers may be required to have a critical need to use the information without informing the employee and obtaining consent. Such exceptions may be rare.
Ultimately, federally regulated organizations that collect and use employee data may want to begin examining their processes and systems so that they are ready should the bill pass. For example, organizations may want to create processes for individuals (like employees, former employees, and individuals who went through any stage of hiring) to request deletion of any of their personal data that the organization is not using for employment purposes. Employers may want to reexamine internal privacy management programs and train (or retrain) privacy management representatives to assess these issues. By starting early, employers may be able to amend their policies and practices as smoothly as possible.
Indonesia parliament passes long-awaited data protection bill
JAKARTA, Sept 20 (Reuters) – Indonesia’s parliament passed into law on Tuesday a personal data protection bill that includes corporate fines and up to six years imprisonment for those found to have mishandled data in the world’s fourth most populous country.
Lawmakers overwhelmingly approved the bill, which authorises the president to form an oversight body to fine data handlers for breaching rules on distributing or gathering personal data.
The biggest fine is 2% of a corporation’s annual revenue and could see their assets confiscated or auctioned off. The law includes a two-year “adjustment” period, but does not specify how violations would be addressed during that phase.
China Cross-Border Data Transfer Mechanism and Its Implications
China’s rise on the global stage has manifested itself in many ways, and it should be no surprise that China has gained prominence in terms of its privacy and security legislation. In recent years, major pieces of legislation have been promulgated: the 2017 Cybersecurity Law, the 2021 Data Security Law and the 2021 Personal Information Protection Law.
One common area of interest arising from those three laws, especially for organizations, is how cross-border data transfers will be addressed and implemented. And perhaps fittingly in the heat of summer, the cross-border data transfer landscape in China heated up with the following developments:
These developments provide organizations with the initial implementation details for engaging in cross-border data transfers from China. The details are familiar in some parts, while others raise questions and carry implications for ensuring compliance.
Overview of China’s cross-border data transfer rules
While the rules continue to evolve, the current rules require a step-by-step approach to navigate the cross-border data transfer requirements.
The first step to consider is if the transfer is a regulated cross-border data transfer scenario. A useful reference point is the 2017 draft Guidelines for Cross Border Data Transfer Security Assessments issued by TC260, which listed situations that would be considered cross-border data transfers, including remote access to the data from abroad.
The second step to consider is if there are any applicable exceptions. For example, Article 35 of the 2021 draft Network Data Security Regulations contains the exception “where the Personal Information Processor [i.e., a data controller] needs to provide the personal information of related party abroad in order to conclude or perform the contract to which an individual is a party, or where personal information must be provided abroad in order to protect the personal life and health and the safety of property.” It remains to be seen if the exception will be included in the final version, but the inclusion of the exception would certainly be reasonable.
The third and final step is to choose from the following three cross-border data transfer mechanisms depending on the specific circumstances. An organization will undergo a CAC security assessment if:
It is a critical information infrastructure operator or a personal information processor based in China (the equivalent of a “data controller”) that processes 1 million or more individuals’ personal information.
Comparison of the three mechanisms
Currently, the only mechanism organizations can avail themselves of is the security assessment when it takes effect Sept. 1. That said, when the three mechanisms do come into effect, the following may be worth keeping in mind when embarking on a specific mechanism:
Security assessments are valid for two years. Once a security assessment is passed, this provides a degree of certainty for organizations. The uncertainty, however, is the amount of time it would take for the security assessment process to be completed, especially if the assessment is deemed to be complicated, and with the probable involvement of the national and provincial-level CAC, State Council authorities and other specialized organizations.
Certification is anticipated to solve frequent personal information transfers among subsidiaries or affiliates. However, we expect certification may not have broad applicability in practice. This is due to the low thresholds that would trigger security assessments and the fact that certification applies to data transfers out of China among intra-company/group entities only. It is also unclear how long certification, once obtained, will be valid.
SCCs presumably allow for cross-border data transfers without the regulator’s prior approval. However, SCCs may be difficult to conclude when foreign recipients do not have a China office or are unfamiliar with China’s laws or some of the obligations within the SCCs. Further, we expect that as in the case of certifications, the SCCs may not have wide applicability in practice as a standalone data transfer mechanism due to the low thresholds for security assessments.
Implications for MNCs in China
It would be a mistake to ignore the sea change of regulation taking place in China. While relying on existing processes and governance structures may be a good starting point for most multi-national companies, adopting further prudent steps to ensure compliance is probably the best way forward.
Bring out the calculators. Self-assessment and calculating the number of individuals to which the processing and transfers relate will be critical as that determines if the CAC security assessment is required. Processes may be required to monitor thresholds and to trigger internal reviews.
Know your data. As the CAC security assessment is also tied to the classification of the data, e.g., sensitive personal information, knowing what data is being transferred is also crucial. This would require a good understanding of data flows.
Hire a DPO in China if you do not have one. In the current guidelines, a DPO is necessary for domestic and overseas entities applying for certification. In any event, an organization also needs designated personnel to conduct data protection impact assessments and to communicate with the CAC, e.g., for security assessment approval or filing the SCC with the CAC. An expert in the area may also facilitate communication and mitigate the risk of possible confusion or misunderstanding.
Privacy by Design will help you. Incorporating additional questions in your existing DPIA process to address the purpose of transfer, risk of transfer, and the number of individuals will help assess the need for security assessments and ensure that transparency, consent and DSAR requirements are complied with.
Be conservative. Be cautious in handling the ambiguities in the legislation. A fair amount within the rules remains unclear, e.g., what is considered a cross-border data transfer. We suggest aiming for a higher bar to minimize the frequency of revisiting earlier positions and the risk of law enforcement.
The rules for cross-border data transfers will continue to evolve. Continued watchfulness and investments in compliance are required. If the recent summer heat is anything to go by, we will continue to see an elevated frequency of changes in the data regulatory climate.
Canada: What Privacy Updates Are Coming Into Force September 22, 2022, For Businesses Operating In Québec?
A majority of the updates to Québec’s private sector privacy law in Law 25, also known as Bill 64, An Act to modernize legislative provisions as regards the protection of personal information (Bill 64), will come into force on September 22, 2023. Some provisions will come into effect on September 22, 2022. We have outlined a few of the significant upcoming changes below.
Québec joins the growing number of jurisdictions requiring organizations (“persons carrying on an enterprise”) to report breaches. Bill 64 references “confidentiality incidents,” which are unauthorized access, use or communication of personal information, the loss of personal information or any other breach of the protection of such information. This is similar in concept to a breach of “security safeguards” articulated in the Personal Information Protection and Electronic Documents Act (PIPEDA).
Regardless of the significance of the incident, an organization must take reasonable steps to reduce the risk of injury and to prevent similar incidents. There are also record keeping requirements for all confidentiality incidents.
Notification and reporting requirements will arise if the incident presents a “risk of serious injury,” which is determined by considering the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes. This test may be similar to the “real risk of significant harm” standard in other laws; however, it may be interpreted more narrowly based on a greater focus on the likelihood of harm.
Presently, draft regulations set out the requirements for individual notices and reports to the Commission, as well as the organization’s incident register retention requirements.
Default and Designation of a Privacy Officer
In the absence of the written delegation of authority to a privacy officer, the individual with the highest authority in the organization will be responsible for ensuring implementation of and compliance with the Act Respecting the Protection of Personal Information.
Organizations are required to publish the privacy officer’s title and contact information on the organization’s website, or make it available by any other appropriate means in the absence of a website.
Reporting Biometric Uses and Databases
Québec’s privacy laws already address biometrics more specifically than other Canadian legislation. Biometrics can include physical traits, like eyes, face shape and fingerprints, and behaviours, like voice and keystrokes, as well as biological characteristics, like blood and saliva.
Now, organizations will be required to provide information to the Commission about the creation of a database of biometric characteristics and measurements at least sixty (60) days before the database is used. Organizations must also notify the Commission before beginning to verify or confirm a person’s identity using biometric means.
Formal Agreements Required to Share Personal Information in a Commercial Transaction
Québec will be aligned with other private sector laws in Canada permitting disclosure of personal information for the purposes of a “business transaction” such as a merger, acquisition or sale of a substantial aspect of the business. Consent of the individuals involved will not be required as long as the organizations meet certain requirements, including having an agreement to limit use and safeguard the information. If the transaction is completed, the individuals must be notified of the transfer of their personal information.
Employers in Ontario must adopt employee electronic monitoring policies by October 11, 2022
The Ontario Employment Standards Act, 2000 (the “ESA”) has been amended to require employers with 25 or more employees in Ontario to have an employee electronic monitoring policy and provide this policy to all of their employees in Ontario as of October 11, 2022.
The employee electronic monitoring policy must include the following:
The Government of Ontario has provided guidance to employers clarifying whether they are required to comply with the employee electronic monitoring policy section of the ESA. After 2022, employers who have 25 or more employees in Ontario as of January 1 of a given year are required to have an employee electronic monitoring policy in place by no later than March 1 of that year.
However, an employer who has fewer than 25 employees in Ontario as of January 1 of a given year, but has 25 or more employees in Ontario later in the year, is not required to have an employee electronic monitoring policy for that year.
Finally, an employer who has 25 or more employees in Ontario as of January 1 of a given year, but has fewer than 25 employees in Ontario later in the year, is still required to have an employee electronic monitoring policy for that year.
Health Information Shouldn’t Be Shared Via Fax or Unsecured Email, Privacy Commissioners Urge
The practice of sharing sensitive health information via fax or unencrypted email needs to stop, according to a joint statement from Canada’s privacy commissioners.
On September 21, Philippe Dufresne, the Privacy Commissioner of Canada, endorsed a resolution along with his provincial and territorial counterparts calling on governments to implement a digital health communication infrastructure to replace faxes and unencrypted emails with more secure alternatives.
“Ensuring that the shift to digital health care is secured by reasonable administrative, technical and physical safeguards is critical to maintaining Canadians’ trust in the health system,” the resolution reads. “Furthermore, the adoption of secure digital technologies can provide relief from the administrative, financial and reputational costs associated with privacy breaches.”
Breaches Caused By Insecure Communications
To reduce these breaches, the privacy commissioners are urging governments to:
The privacy commissioners are also calling on health care providers to:
Breaches May “Set Back Public Trust in the Health System”
As we’ve discussed in previous blogs, the average cost of a data breach hit a record-high US$4.35 million this year and most breaches have the potential to cause significant harm to affected individuals.
“Furthermore, breaches can consume an inordinate amount of time and effort to contain and remediate, taking away valuable health resources from other important services,” the privacy commissioners warned in their resolution. “Misdirected communications and data breaches can also create delays in the delivery of care to individuals, cause harm to institutions’ reputations, and set back public trust in the health system.”
With so much at stake, health care organizations would be well advised to act now to ensure they are taking the necessary steps to protect personal health information.
Italy: New obligation to notify cyber incidents enters into force
Law No. 142 of 21 September 2022 (‘Law No. 142’), which converted into law Decree Law No. 115 of 9 August 2022, Containing Urgent Measures Regarding Energy, Water Emergency, Social, and Industrial Policies (‘Decree Law No. 115, as converted into law’), was published, on 21 September 2022, in the Official Gazette and entered into force the following day. In particular, Article 37-quater of Decree Law No. 115, as converted into law, amends Article 1 of Decree Law No. 105 of 21 September 2019, Urgent Provisions on the Cybersecurity National Perimeter (‘Decree Law No. 105, as amended’), by inserting a new paragraph 3-bis. More specifically, Article 1(3-bis) of Decree Law No. 105, as amended, imposes a new obligation to notify the Italian National Cybersecurity Agency (‘ACN’), within 72 hours, of all incidents affecting entities within the existing National Cybersecurity Perimeter, even if they do not directly affect assets specifically included in the same.
In addition, Article 1(3-bis) of Decree Law No. 105, as amended, specifies that the 72-hour timeframe for the incident notification shall be counted from the moment in which the subjects included in the National Cybersecurity Perimeter become aware of the incident. Moreover, Article 1(3-bis) of Decree Law No. 105, as amended, provides that the taxonomy of incidents to be notified to the ACN and the specific notification modalities will be further defined by technical determinations to be adopted by the Director General of the ACN.