In May 2019, the Michigan Supreme Court issued rules that when implemented generally would prohibit Michigan courts from releasing personal identifying information (PII), such as birthdates, on court records. The rules were set to go into effect on July 1, 2021. Because consumer reporting agencies (CRAs) use PII to confirm the identities of the subjects of records and to comply with verification standards set forth in the Fair Credit Reporting Act (FCRA), CRAs would have been affected by the restrictions on access to court files, potentially impacting the timely and accurate release of background check information in Michigan.
In Van Buren v. United States, No. 19-783 (June 3, 2021), the Supreme Court of the United States recently waded into the meaning of the Computer Fraud and Abuse Act’s (CFAA) “exceeds authorized access” prohibition.
Employees may have a claim against their employers for access to information about all personal data processed by the employers pursuant to Article 15 (3), Sentence 1, of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)). Under the GDPR, employees have a right to access, among other things, information about the purposes of personal data processing, the recipients of the data processed, and the storage period relevant to the data.
On June 4, 2021, the European Commission adopted two new sets of standard contractual clauses (SCCs): one for data transfers from data controllers to data processors and one for data transfers from data exporters to data importers in the United States and other third countries. These new clauses update and replace the SCCs adopted in 2001, 2004, and 2010 that many employers currently use to legally transfer human resources (HR) data for employees based in the European Union (EU).
Retirement plans are increasingly subject to cybersecurity issues, and the U.S. Department of Labor (DOL) is taking notice. On April 14, 2021, the DOL published cybersecurity guidance “for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips” for hiring service providers and online security tips for participants. In recent years, DOL guidance that eased rules related to electronic communications to plan participants might have helped make participants more susceptible to phishing attempts that masquerade as official plan communications.
Virginia has joined California as the second state to enact a comprehensive data privacy law. On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA does not go into effect until January 1, 2023, but the broad privacy mandate will have an immediate impact on compliance efforts for many Virginia businesses.
COVID-19 continues to cause significant restrictions in many areas around the world, including workplaces: Employees are working in remote settings, they no longer share tools and supplies, partitions separate workspaces, employees may not gather in common areas, and in-person meetings are reduced to a minimum. With distribution of the first vaccines impending, employers may expect a return to pre-pandemic practices. There is wide variation internationally on the approach to vaccinations. Below are answers to employers’ frequently asked questions about vaccinating global and multinational workforces.
After the political and constitutional upheaval of the last four years that has been Brexit, a trade deal—the EU-UK Trade and Cooperation Agreement—was finally reached between the United Kingdom (UK) and the European Union (EU) on December 24, 2020, just days before the deadline when the UK was set to crash out of all EU treaties.
On November 3, 2020, California’s voters approved Proposition 24, the California Privacy Rights Act of 2020 (the so-called CCPA 2.0). This means that the new California Privacy Rights Act (CPRA) will amend the California Consumer Privacy Act (CCPA) with some significant changes.
On June 12, 2020, Québec’s then minister of justice, Sonia LeBel, tabled in the National Assembly Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
On September 11, 2020, the U.S. Department of Homeland Security (DHS) proposed a regulation that focuses on the expansion of the collection and use of biometric data in the enforcement and administration of immigration laws. The proposed rule would subject foreign nationals to periodic biometrics collection and continuous vetting after they enter the United States and until they become U.S. citizens.
Amidst the pandemic, China introduced a civil code—its first-ever compilation of civil laws detailing the rights of private parties. The code’s attention to sexual harassment provides another important reminder that even as workplaces focus on virtual workforces, social distancing, and other novel legal issues, workplace respect and inclusion remain essential to a well-functioning workplace.
On July 16, 2020, the Court of Justice of the European Union (CJEU) announced its judgment in the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States.
Most readers are likely now familiar with the initial travel guidance for international travel issued by the U.S. Centers for Disease Control and Prevention (CDC). Since then, governors have taken the lead in issuing orders related to COVID-19 for, among other things, closing businesses, mandating citizens stay home, and only permitting essential businesses to operate. Along with those orders, many have issued guidance related to quarantines for out-of-state travelers, including those who have only traveled domestically within the United States. Many of these orders are expressly aimed at discouraging interstate travel other than for essential services.
Over the years, Congress has put forth various legislative proposals regarding data privacy. None of the past legislation received the support necessary to enable passage of a comprehensive national data privacy law. In the face of the ongoing COVID-19 pandemic, however, promising new privacy legislation has been introduced by Senator Roger Wicker (R-MS), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation; Senator John Thune (R-SD), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Senator Jerry Moran (R-KN), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Senator Marsha Blackburn (R-TN).
With employers planning for employees to return to work following COVID-19–related closures, there are sure to be questions about sharing employee medical information as it relates to COVID-19 (symptoms, test results, status) within the workplace and with public authorities. Now may be a good time to review what has changed about federal privacy rules in light of the COVID-19 pandemic—and what hasn’t.
Since the outset of the COVID-19 pandemic, employers have been engaged in varying levels of contact tracing within the workplace. Contact tracing involves identifying individuals who may have been in close contact with a person who tested positive for the coronavirus while that person was likely infectious. As part of employers’ pandemic response practices, many are implementing policies and procedures that attempt to ascertain the identities of employees who may have been in “close contact” with employees diagnosed with COVID-19, or those suspected of having contracted the virus.
President Donald Trump signed the John S. McCain National Defense Authorization Act for Fiscal Year 2019 (NDAA) (Pub. L. No. 115-232) into law on August 13, 2018. Section 889 of the NDAA applies to schools, including hospital systems, labs, and research affiliates, receiving federal contracts, grants, and loans. Specifically, § 889(a)(1)(A), which went into effect on August 13, 2019, prohibits an executive agency from “procur[ing] or obtain[ing] or extend[ing] or renew[ing] a contract to procure or obtain any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as a part of any system.”
As the news reports show, the sudden shift to employees working from home poses new cybersecurity risks for businesses and the employees who work remotely.
Now that the U.S. Equal Employment Opportunity Commission (EEOC) acknowledges that employers may implement temperature screening measures in response to the current COVID-19 pandemic, many employers want to conduct them, and want to know how to conduct them. In some locations, employers may even feel compelled to conduct them based on location-specific or general community mitigation guidance from the U.S. Centers for Disease Control and Prevention (CDC).
An employer’s response to COVID-19 involves numerous privacy issues. Below are some answers to frequently asked questions (FAQs) about these issues within the United States and globally, based on laws such as the Americans with Disabilities Act (ADA) (which applies in the United States) and the European Union’s General Data Protection Regulation (GDPR). While many of these principles can be applied globally, employers should always look to applicable local laws in their jurisdictions and guidance from public health authorities. Employers should also consult any applicable internal policies, data privacy notices, employee collective bargaining agreements, employment contracts, and individual employment terms.
On March 10, 2020, the New York State Department of Financial Services (NYSDFS), which regulates a variety of financial service entities such as banks, credit unions, check cashers, insurance companies, mortgage brokers, investment advisors, and cryptocurrency businesses, issued guidance in a series of “industry letters” and “circular letters” requesting “assurance” of operational preparedness relating to COVID-19. Such operation preparedness plans include a plan to maintain an adequate workforce, including remote work and other strategies to safeguard the workforce.
The spread of the novel coronavirus (COVID-19) in the United Kingdom has caused employers to be increasingly concerned and uncertain regarding the future of their workforces. Below are some answers to frequently asked questions (FAQs) that employers may be facing as the virus affects UK workforces.
As COVID-19 continues to spread across the United States, it is anticipated that a large portion of the workforce will be asked to work from home for their own protection and for the protection of others. Working from home (or telecommuting) is not a new concept. However, it will be new for some employees and may strain the resources of a company during the COVID-19 outbreak.
Both employers and individuals continue to receive a barrage of information regarding the novel coronavirus 2019 (COVID-19). It is important to remember that during any time of stress, there will be some people with bad intentions willing to take advantage of the situation. “Phishing” and similar cybersecurity attacks are among the scams that the U.S. government is currently seeing in response to the COVID-19 pandemic.
As the coronavirus and the illness it causes, COVID-19, continue to spread, employers in France are taking into account the risk of an epidemic caused by the increase in the number of people who may become affected, both in France and abroad.
By March 21, 2020, nearly every business—not only those that conduct business in New York State—that owns or licenses computerized data that includes the private information of any New York State resident, will be required to implement certain safeguards to protect the security of such information.
On February 10, 2020, bipartisan cosponsors in the Wisconsin State Assembly introduced a trio of bills targeting the use of personal data information and modeled after the requirements of the European General Data Protection Regulation. Titled by their sponsors as the “Wisconsin Data Privacy Act,” the three bills work together to regulate what data a company may collect on an individual, when the company may collect it, how the company may use it, to whom the company may give it, and how long the company may retain it.
As coronavirus disease 2019 (COVID-19) continues to spread, employers have been trying to strike a balance between safety and privacy as they apply their own policies and attempt to follow laws such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act of 1996 in the United States.
As the world responds to the accelerating 2019 Novel Coronavirus (2019-nCoV) outbreak originating in Wuhan, China—a situation now declared by the World Health Organization to be a Public Health Emergency of International Concern—multinational employers, particularly those with employees based in or traveling to China, are assessing their role in managing workforce impact. In addition to taking precautions to prevent the spread of illness, employers are contending with government-imposed travel shutdowns and advisories, quarantines, border screenings, and extended holidays that may affect local operations and global mobility.