Germany’s New Whistleblower Protection Act: What Employers Need to Know

On July 2, 2023, the new German Whistleblower Protection Act (Hinweisgeberschutzgesetz – HinSchG) took effect. The law contains comprehensive provisions for the protection of whistleblowers. At the same time, it obliges all companies with at least 50 employees to establish internal reporting channels. This article summarizes the key provisions of the new law.

Illinois Federal Judge Says Prevailing BIPA Defendants Must Show Bad Faith for Attorneys’ Fees

An Illinois federal court recently rejected an online eyewear retailer’s request for attorneys’ fees as the prevailing party in a Biometric Information Privacy Act (BIPA or Privacy Act) class action over its virtual try-on (VTO) tools. The district judge had previously dismissed the case with prejudice under the Privacy Act’s health care exemption.

New York State Bill Proposed to Restrict Electronic Monitoring, Automated Employment Decision Tools

Under a recently introduced bill, employers across New York State could face new restrictions on the electronic surveillance of workers and the growing use of automated decision-making and artificial intelligence (AI) technology to make employment decisions. Senate Bill (S) 07623 seeks to address privacy concerns with electronic surveillance, or so-called “bossware,” and concerns that automated decision-making tools result in discrimination against individuals with disabilities or against other members of protected groups.

SEC Finalizes New Cybersecurity Incident Reporting Rules for Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) finalized new rules that mandate public companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance. The rules, which also contain similar requirements for foreign private issuers, represent an additional operational burden with a short fuse for businesses juggling potentially overlapping state and federal law notifications in response to a cybersecurity incident.

Illinois Supreme Court Declines to Reconsider Privacy Act Per-Scan Damages

On July 18, 2023, the Supreme Court of Illinois declined to reconsider its February 2023 holding that claims under the state’s Biometric Information Privacy Act (Privacy Act or BIPA) accrue on each and every scan or transmission. The denial drew a dissent from three justices, who argued  that a per-scan interpretation “subvert[s] the intent of the Illinois General Assembly, threatens the survival of businesses in Illinois and consequently raises significant constitutional due process concerns.”

Illinois Federal Judge Says Privacy Act Damages Are Discretionary, Vacates $228M Award

A federal judge in the Northern District of Illinois vacated a $228 million damages award issued following the first-ever jury verdict in an Illinois Biometric Information Privacy Act (Privacy Act or BIPA) class action and ordered a new trial on the issue of damages. However, in doing so, the judge refused to overturn the jury’s finding that the company’s Privacy Act violations were intentional or reckless.

New York City Releases New Guidance on Law Regulating Use of Automated Employment Decision-Making Tools

On June 29, 2023, the New York City Department of Consumer and Worker Protection (DCWP) issued new guidance on the enforcement of the city’s law regulating the use of automated employment decision tools (AEDTs) ahead of the July 5, 2023, effective date for final rules implementing the law.

EEOC Issues New Guidance on Employer Use of AI and Disparate Impact Potential

On May 18, 2023, the U.S. Equal Employment Opportunity Commission (EEOC) issued the latest federal guidance on employer use of artificial intelligence (AI) and automated decision-making tools. The new guidance reinforces the EEOC’s ongoing focus on the use of AI in the workplace and serves as an important reminder to employers of potential legal compliance issues associated with the use of such tools.

EEOC Issues Joint Statement on Automated Systems and AI Concerns With Other Agencies

On April 25, 2023, the U.S. Equal Employment Opportunity Commission (EEOC), Department of Justice (DOJ) Civil Rights Division, Consumer Financial Protection Bureau (CFPB), and the Federal Trade Commission (FTC) issued a joint statement pledging to enforce federal laws to “promote responsible innovation” in the context of automated decision-making and artificial intelligence (AI) systems that are increasingly being used by public and private organizations, including to make employment-related decisions.

Chatbots Can Raise Unique Labor and Employment Law Risks

The launch of ChatGPT on November 30, 2022, ushered in an explosion of interest by businesses seeking to incorporate large language model artificial intelligence applications into the workplace. To capitalize on efficiencies that this technology presents, many employers have implemented or are considering the use of chatbots to serve human resource functions.

New York City Adopts Final Rules on Automated Decision-making Tools, AI in Hiring

On April 6, 2023, the New York City Department of Consumer and Worker Protection (DCWP) adopted highly anticipated final rules implementing the city’s law regulating the use of automated employment decision tools (AEDT) tools in hiring that will take effect on July 5, 2023. The AEDT law, which took effect on January 1, 2023, restricts the use of automated employment decision tools and artificial intelligence (AI) by employers and employment agencies by requiring that such tools be subjected to bias audits and requiring employers and employment agencies to notify employees and job candidates that such tools are being used to evaluate them.

Illinois Federal Judge Finds Another Eyewear Virtual Try-on Class Action Is Exempt Under BIPA’s Healthcare Exemption

A federal judge in Illinois recently ruled that online shoppers cannot sustain claims that a virtual try-on (VTO) tool that allegedly scans facial geometry to preview the look of sunglasses on their face violates the Biometric Information Privacy Act (BIPA or Privacy Act) because it falls into an exemption for “information captured from a patient in a health care setting.”

Bill in U.K. Parliament Would Facilitate Certain Types of Data Processing by Redefining ‘Personal Data’ Parameters

On March 8, 2023, the Data Protection and Digital Information (No. 2) Bill was introduced to the UK Parliament by the Department for Science, Innovation and Technology. If enacted, the Bill will make changes to the UK General Data Protection Regulation, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations. The Bill would facilitate certain types of data processing by redefining the parameters of what constitutes “personal data,” removing certain requirements and prohibitions, applying exemptions, and creating greater legal certainty regarding the permissibility of certain forms of personal data processing.

Illinois Supreme Court Rules Privacy Act Claims Accrue With Each Biometric Scan

On February 17, 2023, the Supreme Court of Illinois held claims under the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) accrue on each and every scan or collection and further allowed so-called per scan damages. The ruling could open employers up to colossal and potentially devastating damages if the legislature does not amend the Privacy Act.

Minnesota Legislature Takes Up Noncompetition, Paid Family Leave, Cannabis Legalization, and Privacy Bills in 2023 Session

Minnesota’s 2023 legislative session is off to a hot start and turning out to be an important one for Minnesota employers and companies doing business in Minnesota. Currently, there are four noteworthy bills that employers should keep an eye on as they progress through the Minnesota Legislature.

Illinois Supreme Court Rules Privacy Act Claims Have Five Year Statute of Limitations

On February 2, 2023, the Supreme Court of the State of Illinois ruled that all claims under Section 15 of the state’s Biometric Information Privacy Act (Privacy Act or BIPA) have a five year statute of limitations. The decision partially overturns an appellate court ruling that had found claims under subsections 15(c) and 15(d) of the Privacy Act were governed by a one-year limitations period under Illinois law for defamation and privacy claims.

EEOC Hears Testimony Concerning Employment Discrimination in Artificial Intelligence and Automated Systems

On January 31, 2023, the U.S. Equal Employment Opportunity Commission (EEOC) held a public hearing, titled, “Navigating Employment Discrimination in AI and Automated Systems: A New Civil Rights Frontier,” to receive panelist testimony concerning the use of automated systems, including artificial intelligence, by employers in employment decisions.

New York City Updates Proposed Rules for Automated Employment Decision Tools: What’s New and What’s Next

On December 23, 2022, the New York City Department of Consumer and Worker Protection (DCWP) published updated proposed rules to implement the city’s automated employment decision tools (AEDT) law (Local Law 144). The law conditions the use of automated employment decision tools to screen candidates for employment or employees for promotion within the city on compliance with certain requirements, including the performance of a bias audit, and the furnishing of notifications to candidates and employees.

New York City Postpones Enforcement of Automated Employment Decision Tools Law, Will Hold Second Public Hearing

With the January 1, 2023, effective date of New York City’s automated employment decision tools law looming, the city’s Department of Consumer and Worker Protection announced on December 12, 2022, that it intended to convene a second public hearing and postpone enforcement of the law until April 15, 2023.

DashCam Developer Insulated From BIPA Liability

On November 3, 2022, an Illinois circuit court judge dismissed a Biometric Information Privacy Act (Privacy Act or BIPA) putative class action against Samsara, Inc., a DashCam developer. DashCam is a safety technology for trucking companies such as Samsara’s customer and co-defendant, Beelman Truck Co. The DashCam device points an internet-connected dashboard camera at the driver to detect risky driving behaviors.

First Jury Verdict Issued in Illinois Biometric Privacy Act Class Action

On October 12, 2022, a federal jury in the U.S. District Court for the Northern District of Illinois concluded that a company violated the Illinois Biometric Information Privacy Act (Privacy Act or BIPA) 45,600 times over six years by collecting truck drivers’ fingerprints to verify identities without the informed, written consent the Privacy Act requires.