The Latest on California’s Approach to Biometrics in the Workplace

Although California does not have a specific biometric privacy law like Illinois’s 2008 Biometric Information Privacy Act (BIPA) or its recently enacted 2019 Artificial Intelligence Video Interview Act (AIVIA), stay tuned for the impact of the California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020.  The CCPA will directly affect how certain employers use biometric data in the workplace.

New York State Doubles Down on Data Privacy, Sets High Bar for “Reasonable Safety Standards”

On July 25, 2019, New York governor Andrew Cuomo signed into law two bills aimed at increasing the obligations of entities handling computerized private data. The Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) expands the requirements for notifying affected parties in the event of a data breach and sets forth a demanding list of security measures that must be implemented to “maintain reasonable safeguards” to protect private information.

Bill to Exclude California Employees from CCPA Passes Senate Committee With Changes

On July 9, 2019, the California Senate Judiciary Committee passed Assembly Bill 25 (AB 25), but only after certain changes were made to quell opposition to the bill by labor groups. The bill  was originally drafted to exclude employees and job applicants from the definition of “consumer” under the California Consumer Privacy Act of 2018 (CCPA).

Keeping an Eye on Artificial Intelligence Regulation and Legislation

More and more organizations are beginning to use or expand their use of artificial intelligence (AI) tools and services in the workplace. Despite AI’s proven potential for enhancing efficiency and decision-making, it has raised a host of issues in the workplace which, in turn, have prompted an array of federal and state regulatory efforts that are likely to increase in the near future.

Maine Governor Could Sign Bill Enacting Nation’s Strictest Data Privacy Law for Internet Providers

The Maine legislature has passed a bill imposing the nation’s strictest limitations on broadband providers’ use of consumer data. On May 30, 2019, the Maine State Senate approved the House’s amended version of Legislative Document (LD) 946, entitled “An Act To Protect the Privacy of Online Customer Information,” which now awaits Governor Janet Mills’s signature.

A GDPR Update for Employers, Part IV: Implementing Lessons Learned From GDPR Complaints and Enforcement Actions

The European Data Protection Board (EDPB) and EU supervisory authorities have reported that they have received a large number of complaints during the first six months following the effective date of the GDPR. For example, the EDPB reported that it had received more than 42,000 complaints since May 25, 2018. The French Supervisory Authority (CNIL) reported a 20 percent increase in complaints filed during the first six months the GDPR was effective compared to the same period in 2017. Similarly, the Irish Supervisory Authority reported a 50 percent increase in data breach reports and a 65 percent increase in data protection complaints over the same period. The Irish Data Protection Commissioner also stated that several investigations of multijurisdictional complaints against large companies are being completed and that she expects major GDPR fines to be issued in 2019.

A GDPR Update for Employers, Part III: Preparing Required Data Protection Impact Assessments

Article 35 of the GDPR provides that a data protection impact assessment (DPIA) must be performed for data processing that “is likely to result in a high risk to the rights and freedoms of natural persons.” DPIAs must contain (1) a description of the processing operation along with the purpose of the processing and, where applicable, the legitimate interest for the processing; (2) an assessment of the necessity and proportionality of the processing operation in relation to the purpose; (3) an assessment of the risks to the rights and freedoms of the data subjects; and (4) the measures to be taken to mitigate the risks.

A GDPR Update for Employers, Part II: Aligning HR Practices to Comply with National Legislation Implementing the GDPR

Although the GDPR was intended to provide a uniform set of data protection requirements across the EU, the GDPR contains several provisions, known as “opening clauses,” that expressly permit individual EU countries to implement additional and/or stricter requirements for certain types of data that employers typically process.

A GDPR Update for Employers, Part I: Determining Whether Your Organization’s HR Data Processing Is Covered

Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the GDPR, while other developments have directly affected employers and created new obligations regarding the collection and processing of human resources (HR) data.

Working Party Confirms That Employers of All Sizes Must Maintain Article 30 Records of Processing for Human Resources Data

On April 19, 2018, the Article 29 Working Party (Working Party), which is comprised of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).

EU Regulator Discusses Enforcement Priorities for the GDPR

On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland. 

The Highest Risk Area for GDPR Compliance: Processing HR Data

With less than six months until the May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR), companies are assessing their GDPR readiness and concentrating their compliance efforts on the highest risk areas. What is the highest risk area for GDPR compliance?

EU Regulators Issue an Updated Opinion on Processing Data in the Workplace

On June 29, 2017, the Article 29 Working Party (the EU body representing the data protection authorities (DPA) of each EU member country) issued an updated opinion regarding the processing of personal data in the workplace. Recognizing that employers are rapidly adopting new information technology, the opinion updates the Working Party’s 2001 opinion regarding processing data in the employment context and 2002 opinion regarding the surveillance of electronic communications in the workplace.