EXECUTIVE SUMMARY
The screening compliance landscape recently witnessed some major changes that have been documented in this month’s SCREENING COMPLIANCE UPDATE. Below is an EXECUTIVE SUMMARY of some of the new developments at the FEDERAL, STATE, and INTERNATIONAL levels.
- FEDERAL DEVELOPMENTS: On March 19, the Equal Employment Opportunity Commission (EEOC) and the Department of Justice (DOJ) issued guidance addressing discriminatory Diversity, Equity and Inclusion (DEI) programs in the workplace. The guidance aims to provide a preliminary answer to the question, “What is considered unlawful DEI?”
- STATE DEVELOPMENTS: For multi-state employers, pay transparency requirements often get lost in the shuffle in the ever-changing landscape of federal, state, and local employment laws. A number of states already have pay transparency laws which require some level of disclosure of employee compensation and salary ranges for job or promotional opportunities. Additional states recently passed similar laws which either went into effect at the beginning of this year or will take effect in the coming months.
- INTERNATIONAL DEVELOPMENTS: After years of waiting, France is set to take a key step towards authorizing the production and dispensing of medical cannabis. Two decrees governing the specifications of cannabis-based medicinal products for medical use and the security of their production are in the process of being notified to the European Commission (EC).
I hope you find this month’s SCREENING COMPLIANCE UPDATE both informative and helpful in keeping up with establishing and maintaining a compliant background screening program.
Nicolas S. Dufour
ClearStar Executive Vice President, General Counsel & Corporate Secretary
FEDERAL DEVELOPMENTS
As marijuana laws continue to evolve across the United States, employers face growing challenges in understanding and implementing these laws within the workplace. From the early days of decriminalization to the widespread legalization of medical marijuana, the legal environment has shifted significantly, impacting both businesses and employees. In this blog, we’ll discuss the development of marijuana laws, focusing on the initial wave of state and local decriminalization and medical marijuana efforts, and what this means for employers today. In Parts 2 and 3, we’ll explore state-specific protections and offer guidance on how employers can better navigate medical marijuana use in the workplace.
The Early Days. . .
In the early years of marijuana law reform, many states focused on decriminalizing marijuana by reducing penalties for small possession amounts, often as part of broader criminal justice reform efforts. At the same time, more states began legalizing medical marijuana for qualifying conditions like chronic pain or cancer, though these programs were heavily regulated. Despite these changes, employers were not generally required to accommodate marijuana use in the workplace. Early laws often clarified that they didn’t alter drug testing laws, unemployment disqualification, or employer rights regarding marijuana use, even off-duty. Employers, for the most part, retained the right to enforce drug-free workplace policies without restriction. As time has passed, however, this has changed and evolved.
State v. Federal
A challenge for employers during the initial wave of marijuana legalization was the conflict between state and federal law and regulation. While many states legalized medical or recreational marijuana, federal law still classifies it as a Schedule I controlled substance, meaning it’s considered to have no medical use and a high abuse potential. For employers, this created complications and confusion, as they had to comply with federal drug-free workplace laws, especially if they were federal contractors or subject to federal regulations, forcing them to balance both state and federal requirements.
In recent years, many states have expanded their medical marijuana laws to include protections for medical marijuana users in the workplace. These laws generally prohibit employers from discriminating against employees based solely on their status as a registered medical marijuana patient/user or for testing positive for marijuana in a drug screening. Employers, however, are still allowed to enforce policies regarding impairment during working hours or drug use while on the job.
As marijuana laws evolve, employers must stay informed about the specific rules in their state. While state laws have increasingly offered protection for medical marijuana users, there are still several key issues employers need to consider – e.g. drug testing policies, discipline, workplace safety, accommodation, and federal and state compliance. Please tune in for Part 2 and 3 of this series for state specific protections and guidance on how you can better navigate medical marijuana use within your workplace.
Source: Lexology – Lehr Middlebrooks Vreeland & Thompson, P.C. – McKensie Meade
On March 19, the Equal Employment Opportunity Commission (EEOC) and the Department of Justice (DOJ) issued guidance addressing discriminatory Diversity, Equity and Inclusion (DEI) programs in the workplace. The guidance aims to provide a preliminary answer to the question, “What is considered unlawful DEI?”
The joint guidance released by these two civil rights agencies reemphasized that Title VII of the Civil Rights Act of 1964 prohibits employment discrimination and differential treatment based on protected characteristics such as race, ethnicity, national origin, and sex. Title VII’s protections cover employees, potential and actual applicants, interns, and training program participants.
According to the joint guidance, DEI policies, programs, or practices could be deemed unlawful under Title VII if an employer or covered entity takes employment action that is motivated, in whole or in part, by an employee’s protected characteristic.
The guidance provides examples of what is likely to be considered unlawful DEI. Examples include:
- Using quotas or otherwise balancing a workforce using protected characteristics.
- Hiring or firing based on protected characteristics.
- Promoting, demoting, conditioning or changes in compensation and/or fringe benefits based on protected characteristics.
- Limiting, segregating, and/or classifying employees based on protected characteristics.
- Workplace harassment motivated by protected characteristics.
- Retaliation by an employer or covered entity because an individual engaged in an activity protected under Title VII.
Federal contractors are expected to review and revise their practices and policies before the 90-day safe harbor period ends on April 21, to ensure alignment with President Trump’s directives. The joint guidance, along with a separate FAQ-style guidance which was released by the EEOC regarding Title VII and DEI-related discrimination in the workplace, provides some clarity on the enforcement priorities of the current administration.
Source: Lexology – Taft Stettinius & Hollister LLP – Suzanne Summer and Celeste Friel
STATE, CITY, COUNTY, AND MUNICIPAL DEVELOPMENTS
The Federal Trade Commission (FTC) implemented its 2024 rule banning non-compete agreements on April 23, 2024. The rule gained some life at first as a U.S. District Court in Pennsylvania ruled in its favor and denied a request to implement a permanent injunction. Since then, however, employers have won multiple arguments supporting the enforcement of non-compete agreements in front of the National Labor Relations Board and U.S. District Courts in Texas and Florida. The rule was vacated by a permanent injunction from the court in Texas on Aug. 20, 2024.
While the FTC rule goes through the appeals process, non-compete agreements remain a state law issue. To date, 33 states have implemented restrictions requiring the agreements to be reasonable in relation to the time, scope, and geographical area of the restriction. In January 2025, New York’s legislature reintroduced a bill that would make it the 34th state to restrict non-compete agreements.
Ohio introduced a bill in February 2025 that would make it the fifth state to ban non-compete agreements. Currently, California, Oklahoma, Minnesota, and North Dakota have outright bans on non-compete agreements. That said, Ohio’s proposed legislation would go beyond non-compete agreements for all employees, volunteers, and independent contractors.
Specifically, the Ohio law would prohibit any agreement that contains a forum selection clause requiring an Ohio employee to litigate a claim outside the state. The potential law would also prohibit an “agreement that imposes a fee or cost” on an employee “for terminating the work relationship” for various scenarios. Further, it would prohibit any agreement requiring “a worker who terminates the work relationship to reimburse the employer for an expense incurred” during the relationship for “training, orientation, evaluation, or other service intended to provide the worker with skills to perform the work or to improve performance.” Finally, the law would give courts the option to award punitive damages when an employer violates the law.
While state law determines whether agreements with restrictive covenants are enforceable, the laws are constantly changing. Based on this, employers should consider reviewing agreements with counsel to ensure they comply with various state laws.
Source: Lexology – Barnes & Thornburg LLP – Cody D. Woods
The Iowa Legislature passed a bill (Senate File 418) removing “gender identity” as a protected characteristic under the Iowa Civil Rights Act. The Act prohibits discrimination in employment, education, housing, credit, and public accommodations. Governor Kim Reynolds signed the bill on Feb. 28, 2025, and the new law is effective July 1, 2025.
Although Iowa is ending state civil rights protections based on gender identity, employers should be mindful that gender identity remains a protected characteristic under Title VII of the Civil Rights Act of 1964.
The bill expressly defines “male” and “female” and states that “sex should not be considered a synonym for gender identity.” Rather, the definitions of “male” and “female” are based on the sex assigned at birth. For purposes of state law, sex-based distinctions in line with these definitions are permitted in restrooms and locker rooms, among other places.
Iowa employers with at least 15 employees are covered by Title VII, which prohibits discrimination in employment. Gender identity remains a protected characteristic under Title VII, as interpreted by the U.S. Supreme Court in Bostock v. Clayton County. Some municipalities in Iowa also prohibit discrimination on the basis of gender identity.
Iowa employers should consult with counsel regarding necessary updates to policies and practices to ensure they align with federal, state, and municipal laws related to gender identity.
Keeping Up With New and Existing Pay Transparency Laws
For multi-state employers, pay transparency requirements often get lost in the shuffle in the ever-changing landscape of federal, state, and local employment laws. A number of states, including California, Colorado, and New York, already have pay transparency laws which require some level of disclosure of employee compensation and salary ranges for job or promotional opportunities.
Additional states, including Illinois and Minnesota, recently passed similar laws which either went into effect at the beginning of this year or will take effect in the coming months. While coverage and disclosure requirements vary by state and can be complex, we have summarized some key provisions below.
New Pay Transparency Laws Effective in 2025
Illinois’ pay transparency law took effect on January 1, 2025. It applies to employers with 15+ employees anywhere, not just in Illinois. The law requires employers to disclose pay scale and benefits in job postings, including to third-parties engaged to promote those opportunities (such as Indeed). Covered employers must also disclose promotional opportunities to current employees within two weeks of posting the job externally.
Minnesota’s pay transparency law took effect on January 1, 2025. It applies to employers with 30+ employees in the state. It requires that starting “salary ranges” and a general description of benefits be included in job postings. Salary ranges may not be open-ended.
New Jersey’s law is scheduled to take effect on June 1, 2025. It applies to employers with 10+ employees that do business, employ persons, or take applications for employment within the state. The law will require hourly wages, salary ranges, and benefit information to be included in internal and external job postings. It will also require covered employers to make “reasonable efforts” to share opportunities for promotion to all current employees in the affected department(s) prior to making a promotion decision, unless the promotion is based on seniority, performance, or emergent needs due to an unforeseen event.
Vermont’s new law will take effect on July 1, 2025, covering employers with five or more employees, with at least one working in Vermont. Employers must post the expected fixed compensation or “range of compensation” in internal and external job postings. This applies to jobs that are both physically located in Vermont or remote positions which will predominantly involve work for an office in Vermont. Different rules apply for certain tipped or commission-based roles.
Finally, Massachusetts’ pay transparency law will take effect on October 29, 2025, and apply to employers with 25+ employees in the state. It will require covered employers to post pay ranges in job postings, provide pay range information to employees offered internal promotions and transfers, and provide such information to current employees upon request.
Ensuring Compliance with Pay Transparency Laws
Multi-state employers may already be covered under pay transparency laws in other places. For example, California’s pay transparency requirements apply to employers with 15+ employees anywhere, not just in California, provided at least one of them works in the state. Covered employers must disclose pay scale information for all job opportunities in California, as well as to current employees upon request, and require any third-parties posting their job opportunities to do the same.
Further, California prohibits employers from asking applicants about their compensation history or relying on an applicant’s salary history in determining what to offer them.
Currently, Colorado has perhaps the most complex pay transparency requirements, which apply to any employer with at least one employee in the state. Among other things, Colorado’s law requires covered employers to make “reasonable efforts” to post job opportunities (excluding “career progression” or “career development”) to current employees on the same date, with certain exceptions under the statute. Employers must also disclose pay range, general benefits and other compensation information, as well as application deadlines in external postings for any position that could be performed in Colorado—including fully remote opportunities which could be performed anywhere. After selecting a candidate, employers must also issue a notice, with specific information required under the statute, to employees with whom the candidate will work.
Like California, Colorado also prohibits employers from asking candidates about their salary history or relying on their salary history in making an offer.
Maryland, Nevada, Rhode Island, Connecticut, Hawaii, New York, Washington, and the District of Columbia also have statewide pay transparency laws with varying coverage. Ohio has more limited local pay transparency requirements in Cincinnati and Toledo, which apply after an applicant with a conditional job offer has made a reasonable request for pay scale information.
Source: Lexology – Frost Brown Toff LLP – Michael A. Freimann and Meridith Grant
INTERNATIONAL DEVELOPMENTS
PLEASE NOTE: Spellings of words in International articles such as those written in the British English format are native to the original author and differ from the spellings of words in the American English format.
Monitoring Employees: How Can Organisations Avoid Infringement of Data Subject Rights in the UK?
Monitoring employees using technology is on the rise as technology continues to become more accessible, not only in terms of availability, but also due to cost. Workplace monitoring often involves the processing of personal data and this is not always obvious to employers, and this can lead to systems being introduced without considering the implications either from an employment or a data protection perspective.
With many employees working remotely from home or in a hybrid office/home location, organisations are increasingly monitoring the activities of their employees, with the intention of assessing productivity/performance and compliance with their employment terms, or to protect against legal, reputational or technology system risks.
In addition to telephone, email, and internet use, monitoring may extend to social media activity, attendance at online meetings, physical location, and use of vehicles. Methods of monitoring employees will vary according to the organisation and the extent of its technological capabilities and could include: spot checks within the organisation without reference to particular individuals; specific checks on individuals; monitoring the content of all calls or emails; monitoring internet or device use through keystrokes or mouse clicks; webcam recording; screenshots of employees’ screens; the use of dashcams in vehicles; monitoring timekeeping through access control; using biometric data (such as fingerprints or facial recognition) or swipe cards for time and attendance control; and CCTV and video surveillance to monitor employees’ activities generally.
Which laws govern employees’ rights?
There is no one specific law which permits or prohibits the monitoring of employees; rather, various laws and rights have come into place to govern its use. These include:
- The General Data Protection Regulation (UK GDPR). Under the UK GDPR, the data protection principles provide that personal data must be: processed lawfully, fairly and in a transparent manner; collected and processed only for specified, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary; be accurate and kept up to date; be kept for no longer than is necessary where there may be identification of data subjects; and be processed in a way that ensures appropriate security and protection. Further, individuals have the right to be informed that they are being monitored, the right of access to information obtained on them as a result of monitoring, and the right to object to being monitored. There are also specific rules that apply where automated decisions are being made.
- The Data Protection Act 2018 (DPA 2018). This expands upon the rights and protections given by UK GDPR.
- The European Convention on Human Rights (ECHR). Under Article 8, an individual has a right to respect for private and family life and correspondence. This is incorporated into UK law by the Human Rights Act 1998.
- The Employment Rights Act 1996 and the case law relating to unfair dismissal.
- The duty of trust and confidence implied into an employee’s contract of employment.
- The Equality Act 2010, which protects employees from discrimination.
What are the risks if employers get it wrong?
Infringement of data subject rights can be extremely costly for organisations. The Information Commissioner’s Office (ICO) has authority to impose fines of up to £17.5m or 4% of worldwide turnover, whichever is greater, and there are also the costs of any regulatory investigations and/or court proceedings. Enforcement action by the ICO is likely to generate public interest and may result in an organisation suffering reputational damage, losing existing customers and/or future business, and seeing its share value fall.
Infringement of data subject rights may also lead to claims by employees for unfair dismissal and/or discrimination.
What should organisations do?
Policies and processes: Organisations should ensure that they have the necessary policies and processes in place to manage the risks relating to employee monitoring. Such policies will include data protection policies, , and policies relating to the use of technology, CCTV, and social media.
Communication with employees: Covert monitoring in the workplace will only be justifiable in exceptional circumstances. Employers should ensure that employees are told about the monitoring the organisation intends to carry out and how data collected may be used (see below). The relevant staff should receive training in order to know, understand and be able implement the organisation’s employee monitoring programme in a compliant way.
Consider the data protection implications.: Relevant questions will be: What is the lawful basis for processing? Is a Data Protection Impact Assessment needed? What do the employees need to be told, and when and how? What are the considerations for security and access to data? How intrusive is the monitoring method? Is any special category data being used (including biometric data)? What is the impact of monitoring on employees? Is the monitoring justified?
Be familiar with and comply with the ICO’s 2023 guidance on monitoring employees: This guidance was produced to assist employers with complying with their obligations under the UK GDPR and DPA 2018 when they monitor employee activity and, should there be an issue, being able to demonstrate compliance with this guidance is likely to be useful.
Source: Lexology – Keystone Law – Emma Loveday-Hill
UK government expected to delay AI Bill to align with the US
In a possible shift in policy, the UK government is expected to delay its plans to regulate artificial intelligence (“AI”), with indications that the UK may be seeking to align itself more in line with the Trump administration on its approach to AI and technology more generally (according to a recent article written by The Guardian). The news comes amidst significant recent political instability, which may of course have broader implications on how the UK aligns itself with the US in general.
The UK position on AI
The UK’s long-anticipated ‘official’/government led AI legislation is now not expected to appear in Parliament until the summer of 2025 (if at all), having originally been anticipated for the end of 2024 (see our previous update).
However, Lord Holmes, who had originally introduced a Private Members’ AI Bill in 2023 under the previous government, is attempting to continue that Bill’s progress. As a Private Members’ Bill, it is unlikely to become law, but the debate may impact the UK government’s overall direction on AI.
Lord Holmes stated that
“The … government seems to have changed tack, siding instead with the US and Big Tech and there is no sign of the promised regulation on AI“.
As indicated in the King’s Speech last year and as we detailed in a previous update, the government stated that it intends to introduce ‘appropriate’ legislation to govern ‘powerful artificial intelligence models’, addressing concerns surrounding increasing risk accompanying rapidly evolving AI models.
The question has become not just when, but also if this will happen.
The US position under President Trump
President Trump’s administration has taken a markedly different stance from former President Biden, by revoking an Executive Order aimed at regulating AI within the public sphere (indeed the White House appears to no longer have a record of that Executive Order).
Instead, President Trump’s new order also established an ‘AI Action Plan’. This plan is expected to lead to an overall less strict regulatory framework than that of the EU, as indicated by the US administration’s recent comments on the topic; Vice President JD Vance recently criticised Europe’s proposed AI regulations during an AI summit in Paris, suggesting that ‘excessive’ regulation could inhibit innovation. Meanwhile, US states continue to pass their own AI laws (most recently, Virginia has passed its own AI Act which is a comprehensive artificial intelligence bill focused on preventing algorithmic discrimination).
In a move aligned more closely with the US, the UK government chose not to sign the Paris declaration, which was endorsed by several other countries. Under former President Biden’s administration, both the UK and the US had signed the Council of Europe’s ‘AI Convention’.
Analysis
The delay in the UK’s AI regulation plans reflects the broader geopolitical dynamics and the UK’s strategic decision to align more closely with US policies.
As we have seen, the political landscape, particularly under the new administration in the US is fast-moving, and the UK’s new position could again be subject to change; Prime Minister Starmer continues to balance tensions between the US and Europe, and there may be a question mark over its broader alignment with the US on AI and technology regulation in general.
Source: Lexology – Lewis Silkin LLP – Michael Charalambous
EU Pay Transparency Directive: The Current Status and How To Prepare
EU member states have until 7 June 2026 to implement the EU Pay Transparency Directive (the Directive) into their domestic law. This LawFlash summarises the Directive’s key requirements, considers the current implementation status of the Directive and sets out key preparatory steps global employers with EU operations should be taking now.
Sweden, Belgium, Poland, and Ireland have so far led the way and other countries are expected to publish draft proposals during 2025. As the deadline nears, many organisations operating in the EU have already commenced their compliance efforts, particularly with respect to trial-run gender pay reporting procedures. These test analyses can provide an important opportunity to remediate any pay disparities before the requirements come into force, mitigating the risk of being subject to onerous joint pay assessments under the Directive.
KEY ELEMENTS OF THE DIRECTIVE
The following table sets out a summary of the Directive’s key measures:
| Measure | Details |
| Equal Work and Work of Equal Value |
|
| Job Applicants |
|
| Pay Levels and Career Progression |
|
| Rights to Information |
|
| Pay Secrecy Clauses |
|
| Gender Pay Reporting | What information needs to be reported?
Accuracy and publication of report
In-scope employers The timing and frequency of publication depends on the employer’s size:
|
| Joint Pay Assessments |
|
| Remedies and Enforcement |
|
| Sanctions |
|
EARLY ADOPTERS – THE STATUS OF THE DIRECTIVE IN SWEDEN, BELGIUM, POLAND AND IRELAND
Sweden, Belgium, Poland, and Ireland have taken the first steps towards implementing the Directive. Overall, we have already learnt there is likely to be some degree of divergence between member states’ implementing legislation and the Directive itself, as well as between each of the EU member states’ own requirements.
The table below provides a high-level summary of the key points:
| COUNTRY | DATE | KEY POINTS |
| Sweden | Proposal published 29 May 2024 |
|
| Belgium | Signed into law on 12 September 2024 and effective from 1 January 2025 |
|
| Poland | Published 5 December 2024 |
|
| Ireland | Published 15 January 2025 |
|
CONSEQUENCES OF THE DIRECTIVE FOR EMPLOYERS
The Directive’s consequences are significant. It introduces a wide range of pay transparency measures, including, but not limited to, gender pay reporting obligations, extensive enforcement mechanisms (including fines and uncapped compensation for workers who suffer damage as a result of an employer infringing the Directive), as well as obligations for employers with pay gaps of 5% or more to remedy those differences. Such obligations will be particularly significant in member states which currently have no, or few, pay transparency requirements.
In particular, the Directive is likely to create two specific challenges for employers operating in the European Union:
- Compliance costs and increased administrative burden: Many employers will have to consider whether existing systems are able to collect the necessary data that the Directive requires and potentially adapt existing pay databases. Employers may also need to offer certain training to staff, for example on preparing gender pay reports and responding to requests for information.
- Litigation: Employers should note that there have been several high-profile equal pay cases in Belgium, France, and the United Kingdom, in which female claimants were successful only because they had the necessary information on the average pay levels of their male colleagues. Increased transparency will likely increase the risk of pay equity litigation and employers should ensure they are ready and prepared to defend such claims.
WHAT EMPLOYERS SHOULD BE DOING NOW TO PREPARE
Organisations operating in the European Union need to start preparing in earnest, particularly with respect to conducting a trial run of their reporting obligations to address any pay gaps should they fall in-scope of the gender pay reporting obligations under the Directive. Only one annual payroll cycle remains prior to the Directive being in force.
Other key actions employers should consider taking now include the following:
- Reviewing the requirements of the Directive so that relevant team members are well informed of the requirements and can advise the business more generally
- Establishing common internal understanding of the concepts of “equal work” and “work of equal value,” and considering how to organise workers into comparable value groups (not just typical hierarchical structures based on salary levels/reporting lines)
- Reviewing internal pay policies, job evaluation systems, job descriptions, and job adverts to check that they are gender neutral and based on objective criteria
- Reviewing template employment contracts to remove any pay secrecy type clauses
- Developing policies to govern how they will respond to employees exercising their pay transparency rights
- Verifying whether their payroll systems and job descriptions are sufficiently granular to allow responsible personnel to more easily comply with pay transparency obligations.
Source: Lexology – Morgan Lewis & Bockius LLP – Louise Skinner and Willian Mallin
France Makes Major Step Towards Medical Cannabis Legalisation After Years of Waiting
After years of waiting, France is set to take a key step towards authorising the production and dispensing of medical cannabis.
According to our information, the two decrees governing the specifications of cannabis-based medicinal products for medical use and the security of their production are in the process of being notified to the European Commission (EC). This notification, via the TRIS procedure, is an essential regulatory step before medical cannabis becomes part of common law.
These texts, finalised nearly two years ago, were awaiting a green light from the government before being sent to Brussels. Once they have been notified, a three-month standstill period begins, allowing the Commission and the other Member States to examine the texts and make comments. If a detailed opinion is given, this period may be extended by three months, obliging France to justify the measures envisaged in response.
If there are no major objections, the regulation of medical cannabis in France could therefore be validated by Europe after this period. The decrees will then have to be signed by the executive to come into force.
Does this mean that medical cannabis will be prescribed to French patients before the end of the year? Not necessarily.
Beyond the deadlines imposed by the EC, each medicine will still have to obtain individual authorisation from the health authorities. The French Health Minister recently indicated that he would leave it to the French National Authority for Health (HAS) to decide whether cannabis-based medicines should be included in the French healthcare system.
A statement that raises questions, since this responsibility normally falls to the Agence nationale de sécurité du médicament et des produits de santé (ANSM), as Professor Nicolas Authier recently pointed out: “The authorisation of drugs in France is the responsibility of the ANSM, not the HAS.
“Once authorisations have been given by the ANSM to drugs proposed by pharmaceutical players, it will remain to discuss their price and reimbursement possibilities”.
Historically, the HAS has tended to curb access to medical cannabis, as evidenced by the blocking of Sativex since 2014. France could therefore find itself with limited access, with the HAS able to assess the therapeutic potential of medical cannabis as low compared with existing treatments, despite the numerous positive evaluations of experimentation.
Other countries that have legalised medical cannabis have already experienced similar restrictions. While the notification of the decrees to the EC marks a step forward, the ultimate goal remains effective access to treatment for patients.
“We must not lose sight of the issue of price and reimbursement, which can delay patient access,” Franck Milone, founder of LaFleur – one of two French companies producing medical cannabis for research purposes – and himself a multiple sclerosis sufferer, tells us.
According to various studies, between 300,000 and 800,000 people could be eligible for a medical cannabis prescription in France for the five indications included in the trial.
Source: Lexology – NWD by Newsweed
The DPC’s handling of Subject Access Requests
The DPC is mandated to handle complaints from individuals, including requests for access to personal data (Article 15 GDPR). Article 15 GDPR contains a general obligation that firstly requires an organisation to confirm whether or not the individual’s personal data is undergoing processing.
In addition Article 15(1) GDPR entitles an individual to obtain information from an organisation concerning:
- the purpose for which personal data is being processed;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the personal data have been or will be disclosed;
- where possible, the envisaged period for which the personal data will be stored.
This information enables an individual to assess if the processing of their personal data is lawful and also ensures that they are in a position to exercise other rights under the GDPR, such as the right to erasure or rectification in certain circumstances.
In responding to a data access request, an organisation may be entitled to restrict the release of personal data if they can rely on restrictions in the GDPR and/or the Data Protection Act 2018. In such a case, the organisation must be able to demonstrate the reasoning for any restrictions.
In a case where records contain both the personal data of the individual as well as the personal data of another person(s), the GDPR (Article 15(4)) permits the organisation to withhold this information if its disclosure could adversely affect the other person(s) concerned. An example of this would be a case where medical records or the notes of a counselling session, for example, include information concerning both the individual as well as his/her spouse, former spouse, partner, children or other third parties. When considering the possible application of this GDPR restriction, an organisation should be able to demonstrate and have recorded the reasoning as to why it considers the restriction to be applicable along with details of how the decision was reached and the efforts made to consider the rights of all concerned (as outlined in the EDPB’s Data Subject Rights Guidelines).
Section 60(3)(b) of the Data Protection 2018 may also entitle an organisation to withhold information from an individual, to the extent that the information constitutes an expression of opinion about an individual given in confidence.
The DPC regularly handles complaints from individuals who are concerned that organisations have not addressed their request for access to their personal data appropriately.
When handling a complaint from an individual, the DPC will generally examine any restrictions relied upon by the organisation to withhold an individual’s personal data to assess whether or not the restrictions have been correctly applied in the particular circumstances of the complaint. In examining the validity of the restrictions the DPC will contact the organisation and pose certain investigative questions that will assist the DPC in determining the validity of the restrictions applied in each case.
The DPC is acutely aware of the sensitivities around certain complaints. Any information provided to the DPC in this context when handling matters of particular sensitivity, is kept strictly confidential and not shared outside of the DPC.
In a case where records contain the personal information of both the requesting individual as well as other people (such as the individual’s spouse/partner/child), the rights of those other parties – including their right to life and physical integrity, have to be balanced against the right of the requesting individual to access information about what personal data relating to him/her might be included in those records. In other words, the right to obtain access to information about what personal data might be contained in any record does not automatically outweigh the rights of third parties.
Any restriction of the right of access or to information must be justified on an evidential basis, by reference to the specific context of the case concerned. In the case of a “mixed record” which contains both the personal data of the requesting individual as well as related third parties (such as the requesting individual’s spouse/partner/child), it is clear that an identified risk of harm to the spouse/partner/child, arising from the potential disclosure of the information to the requesting individual, could justify the withholding of the information concerned. Furthermore, in highly sensitive situations where the release of personal data is highly likely to result in significant harms and risks to other persons, the general presumption is that right of access can be restricted. Such decisions should be documented and the organizations concerned are required to cooperate in confidence with the DPC in the performance of its functions. The DPC is available to discuss with and advise organizations on the best approach and where necessary is also available to meet to explore particularly sensitive issues.
Source: Ireland Data Protection Commission
MISCELLANEOUS DEVELOPMENTS
Supreme Court Appears Poised to Lower Bar for “Reverse Discrimination” Claims
On February 26, 2025, the Supreme Court heard oral argument in Ames v. Ohio Department of Youth Services, to address the question of whether a majority-group plaintiff must show additional “background circumstances” to support a discrimination claim under Title VII, beyond what a minority-group plaintiff must show. Based on the questioning at oral argument, it appears that a majority of the Justices agree with Ames that Title VII protects all workers equally and the same standards should apply to all Title VII plaintiffs.
* * *
Plaintiff Marlean Ames filed a lawsuit against her employer, the Ohio Department of Youth Services (the “Department”), alleging that it violated Title VII of the Civil Rights Act of 1964, after she was not selected for a promotion, and was subsequently demoted. Ames, who is heterosexual, alleged that these decisions were the result of discrimination based, among other things, on her sexual orientation, citing the fact that her supervisor is gay; that she was replaced in her original role with a gay employee; and that the promotion she had applied for was later filled with a gay employee. The district court granted summary judgment in favor of the Department.
On appeal, the U.S. Court of Appeals for the Sixth Circuit affirmed the district court grant of summary judgment, on the grounds that because “Ames is heterosexual . . . she must make a showing in addition to the usual ones for establishing a prima-facie case. Specifically, Ames must show ‘background circumstances to support the suspicion that the defendant is that unusual employer who discriminates against the majority,’” which is a standard that some federal circuit courts of appeal hold majority-group plaintiffs to in reverse discrimination cases.
The Supreme Court heard oral argument in the case on February 26, 2025, and many of the Justices appeared to agree with Ames that the same standards for stating a Title VII claim should apply to all plaintiffs. Justice Kavanaugh, for example, asked, “So . . . all you want for this case is a really short opinion that says discrimination on the basis of sexual orientation, whether it’s because you’re gay or because you’re straight, is prohibited, and the rules are the same whichever way that goes? . . . . That’s all we need to say, right?” Justice Barrett asked a question confirming that the U.S. Equal Employment Opportunity Commission has rejected the “background circumstances” rule. Justice Alito asked whether “the rule that the Sixth Circuit applied” was based on an interpretation of Supreme Court precedent that, he suggested, may be “no longer sound today.” In another line of questioning directed at the Department, Justices Kagan and Kavanaugh elicited an answer from counsel for the Department that “the idea that you hold people to different standards because of their protected characteristics is wrong.” As Justice Kagan noted to the Department’s counsel, “The question presented is whether a majority-group plaintiff has to show something more than a minority-group plaintiff, here, whether a straight person has to show more than a gay person. Everybody over here says no. You say no too. That was the question that we took the case to decide.”
Source: Lexology – Sullivan & Cromwell LLP
Fundamentals of Personnel Files for Employers in California
Current and former employees have the right to inspect their personnel files upon request within a timeframe set by statute. When an employment-related claim arises, these individuals typically request a copy of their personnel file. However, if the employer has not properly maintained these files, it is impossible to recreate them retroactively.
Here’s an overview of personnel files for California employers.
Requirement to Maintain Employee Personnel Files
To comply with California law, employers must retain former employees’ personnel files for a minimum of three years following the individual’s separation from the company.
Documents Employee is Entitled to Review
According to the California Labor Code, employers are required to provide employees with copies of any documents that they signed as part of obtaining or maintaining employment. Typical contents of personnel files include:
- Recruiting and screening documents (such as applications, resumes, and educational transcripts)
- Job descriptions
- Handbook and policy acknowledgments
- Employment agreements (if applicable)
Additional records used to determine qualifications for promotion, extra compensation, or disciplinary action should also be included. These could encompass:
- Notices of commendation, warnings, or discipline
- Notices of layoff, leaves of absence, and vacation
- Education and training notices and records
- Performance reviews
- Attendance records
- Payroll authorization forms
- Termination notices and documentation
Medical information should never be stored within the personnel file. Under California regulations, such information must be kept separately to protect the employee’s confidentiality. Medical details may include records associated with workers’ compensation claims or documentation provided during the interactive process for medical leave or accommodation requests.
Documents an Employee Cannot Review
Under California law, employees do not have the right to review certain records, including:
- Records related to the investigation of a possible criminal offense
- Letters of reference
- Ratings, reports, or records obtained from the employee’s previous employer, prepared by identifiable examination committee members, or obtained in connection with a promotional examination.
Exceptions
If an employee or former employee files a lawsuit that relates to a personnel matter against his or her employer or former employer, the right of the employee, former employee, or his or her representative to inspect or copy personnel records under this section ceases during the pendency of the lawsuit in the court with original jurisdiction. A lawsuit “relates to a personnel matter” if a current or former employee’s personnel records are relevant to the lawsuit.
Failure to Comply with Request to Inspect Personnel Records
Once an employer receives a written request from a current or former employee or a representative, the employer must provide a copy of the personnel records within 30 calendar days from the date the employer received the request, unless the current or former employee, or his or her representative, and the employer agree in writing to a date beyond 30 calendar days to produce a copy of the records, as long as the agreed-upon date does not exceed 35 calendar days from the employer’s receipt of the written request. Failure to comply within the time prescribed may allow the employee or the Labor Commissioner to recover a penalty of $750.00 from the employer. A current or former employee may also bring an action for injunctive relief to obtain compliance.
While maintaining organized personnel files will not protect an employer from all legal claims, ensuring the appropriate documents are retained for the correct amount of time per California law will facilitate litigation processes for both the employer and their attorney.
Requests for personnel files are often a precursor to a demand letter or lawsuit. Therefore, reviewing a proposed production with an attorney may facilitate early evaluation and strategic considerations.
Source: Lexology – Jackson Lewis PC – Gaurav B. Kalra and Raja Hafed
