More and more organizations are beginning to use or expand their use of artificial intelligence (AI) tools and services in the workplace. Despite AI’s proven potential for enhancing efficiency and decision-making, it has raised a host of issues in the workplace which, in turn, have prompted an array of federal and state regulatory efforts that are likely to increase in the near future.
On Thursday, June 6, 2019, Maine governor Janet Mills signed into law new data privacy protections for Maine residents. The law, entitled “An Act To Protect the Privacy of Online Customer Information,” places new restrictions on Internet service providers (ISPs), effective July 1, 2020.
On May 29, 2019, the California State Assembly passed Assembly Bill 25. The bill now moves to the state senate for a vote.
The Maine legislature has passed a bill imposing the nation’s strictest limitations on broadband providers’ use of consumer data. On May 30, 2019, the Maine State Senate approved the House’s amended version of Legislative Document (LD) 946, entitled “An Act To Protect the Privacy of Online Customer Information,” which now awaits Governor Janet Mills’s signature.
The European Data Protection Board (EDPB) and EU supervisory authorities have reported that they have received a large number of complaints during the first six months following the effective date of the GDPR. For example, the EDPB reported that it had received more than 42,000 complaints since May 25, 2018. The French Supervisory Authority (CNIL) reported a 20 percent increase in complaints filed during the first six months the GDPR was effective compared to the same period in 2017. Similarly, the Irish Supervisory Authority reported a 50 percent increase in data breach reports and a 65 percent increase in data protection complaints over the same period. The Irish Data Protection Commissioner also stated that several investigations of multijurisdictional complaints against large companies are being completed and that she expects major GDPR fines to be issued in 2019.
Article 35 of the GDPR provides that a data protection impact assessment (DPIA) must be performed for data processing that “is likely to result in a high risk to the rights and freedoms of natural persons.” DPIAs must contain (1) a description of the processing operation along with the purpose of the processing and, where applicable, the legitimate interest for the processing; (2) an assessment of the necessity and proportionality of the processing operation in relation to the purpose; (3) an assessment of the risks to the rights and freedoms of the data subjects; and (4) the measures to be taken to mitigate the risks.
Although the GDPR was intended to provide a uniform set of data protection requirements across the EU, the GDPR contains several provisions, known as “opening clauses,” that expressly permit individual EU countries to implement additional and/or stricter requirements for certain types of data that employers typically process.
As the January 1, 2020, effective date for the California Consumer Privacy Act (CCPA) draws closer, California lawmakers are still attempting to refine the law.
Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the GDPR, while other developments have directly affected employers and created new obligations regarding the collection and processing of human resources (HR) data.
On January 21, 2019, a select panel of the French data protection authority, CNIL, which has the power to impose sanctions, fined a major technological services provider €50 million following its failure to comply with the obligations provided for in the General Data Protection Regulation (GDPR).
Have you heard of the “fake president” fraud? Despite the name, it has nothing to do with politics; it is a worldwide financial scam that has affected hundreds of multinational companies, especially companies in Europe.
The Illinois Supreme Court issued its long-awaited ruling in Rosenbach and reversed the appellate court’s decision, which had held that technical violations of the Illinois Biometric Information Privacy Act (“BIPA” or “Act”) are not actionable absent “some actual injury or harm.”
The California Consumer Privacy Act (CCPA) is a new law that California Governor Jerry Brown signed on June 28, 2018, and will become effective on January 1, 2020. Amendments to the law are still being proposed, and the law will likely be amended and clarified.
Since the European Union’s new privacy law, the General Data Protection Regulation (GDPR), came into effect on 25 May 2018, thousands of companies have been flooding inboxes in recent weeks with emails asking recipients for consent, seemingly to comply with the GDPR.
On April 19, 2018, the Article 29 Working Party (Working Party), which is composed of representatives of the data protection authorities of each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).
With Governor Kay Ivey’s signature on the Alabama Data Breach Notification Act on March 28, 2018, Alabama followed the lead of 49 other states in requiring protection of sensitive consumer information and notice of data breaches, as well as imposing consequences for failing to comply with the Act.
On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.
Employers obtain employee health information in a number of ways—most commonly, in relation to a work-related injury or when an employee requests medical leave or a disability accommodation. Most employers understand that such information is “confidential,” but may not fully understand what that means or what they should do to protect it.
Employers beware: Companies are experiencing a wave of phishing scams that target employee paychecks.
With less than six months until the May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR), companies are assessing their GDPR readiness and concentrating their compliance efforts on the highest risk areas. What is the highest risk area for GDPR compliance?
On October 18, 2017, the European Commission published its report and supporting documents regarding its first annual review of the EU-U.S. Privacy Shield (Privacy Shield), which sets forth procedures and safeguards for transferring personal data from the European Union (EU) to the United States.
A Wisconsin-based employer is reportedly the first in the United States to offer microchip implants (at a cost to the employer of $300 each) to employees on a voluntary basis.
On June 29, 2017, the Article 29 Working Party (the EU body representing the data protection authorities (DPAs) of each EU member country) issued an updated opinion regarding the processing of personal data in the workplace. Recognizing that employers are rapidly adopting new information technology, the opinion updates the Working Party’s 2001 opinion regarding processing data in the employment context and its 2002 opinion regarding the surveillance of electronic communications in the workplace.
On May 25, 2018, a short 12 months from now, employers must be in full compliance with the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) for EU human resources data.
Every January 31, employers scramble to meet the deadline for mailing W-2 forms to their employees. This year, a new iteration of an old W-2 phishing scam surfaced immediately thereafter. In the 2017 version, scammers posing as a company’s CEO or other high-level executive target human resources (HR) and payroll professionals with email messages requesting certain W-2s or all of a company’s W-2s.
As employers catch their breaths after an action-packed 2016, they need to gear up for another turbulent year for international data privacy issues in 2017. The top five international data privacy issues follow.
On January 11, 2017, the Swiss Federal Council and the U.S. International Trade Administration (ITA) announced that the Swiss-U.S. Privacy Shield will replace the U.S.-Swiss Safe Harbor Framework to permit U.S. businesses to transfer personal data from Switzerland to the U.S. in compliance with Swiss data protection laws. The validity of the U.S.-Swiss Safe Harbor Framework had been called into question ever since its European Union counterpart, the U.S.-EU Safe Harbor Framework, was invalidated by the European Court of Justice in October of 2015.
On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield to replace the previously invalidated Safe Harbor Framework as an adequate method of transferring personal data from the European Economic Area to the United States. The U.S. Department of Commerce (DOC) will begin processing self-certification applications on August 1, 2016.
On June 24, 2016, the European Commission announced that it had reached a final agreement with the United States on the terms of the EU-U.S. Privacy Shield, which will permit U.S. companies to transfer the personal data of European Union (EU) citizens to the United States in compliance with EU data protection laws. The terms of the final agreement address several concerns raised by EU regulators about the initial Privacy Shield agreement reached in February of 2016, including concerns about the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies.
The people of the United Kingdom have spoken on the issue of whether the United Kingdom should leave or remain in the European Union (EU), and by a narrow margin have decided to leave. By region, the voters of Scotland and Northern Ireland, along with a large majority in the country’s economic powerhouse, London (and most major employers and financial organizations), clearly wished to remain in the EU, but they were outvoted in the referendum by parts of England that have not prospered in recent years and that perhaps never recovered from the 2008 recession.