California is considering new regulations on the use of technology or artificial intelligence (AI) to screen job candidates or make other employment decisions. If the regulations become law, California would be the first state to adopt substantive restrictions specifically addressing this emerging, and often misunderstood, technology.
Under an amendment to the New York Civil Rights Law that will take effect on May 7, 2022, private-sector employers that monitor their employees’ use of telephones, emails, and the internet must provide notice of such monitoring. The following provides highlights of the new law.
On April 11, 2022, Bill 88, the Working for Workers Act, 2022, received Royal Assent in Ontario, thus enacting the Digital Platform Workers’ Rights Act, 2022.
There is a growing trend of using participant data to cross-sell financial products unrelated to plan recordkeeping by large recordkeepers and asset custodians of employer-sponsored retirement plans. In light of the fact that plan fiduciaries are ultimately legally responsible for the management and mismanagement of a retirement plan, this trend to use participant data may raise issues for employers in their role as plan sponsors and fiduciaries.
On March 25, 2022, the European Union (EU) announced that the United States and the EU had reached an agreement in principle to replace the EU-U.S Privacy Shield framework, which the European Court of Justice (CJEU) struck down in its July 2020 Schrems II decision. Since the Schrems II decision, U.S. and EU negotiators have been hammering out a workable data transfer mechanism to permit the transfer of EU data to the United States.
On February 28, 2022, the Government of Ontario introduced Bill 88, the Working for Workers Act, 2022. Bill 88 would enact the Digital Platform Workers’ Rights Act, 2022, which would establish rights for workers who offer services through digital platforms. In addition, Bill 88 would amend a number of statutes including the Employment Standards Act, 2000.
On February 3, 2022, in McDonald v. Symphony Bronzeville Park, LLC, the Illinois Supreme Court held the exclusive remedy provisions of the Illinois Workers’ Compensation Act (“Compensation Act”) do not preempt employee statutory damages claims under the Illinois Biometric Privacy Act (“Privacy Act”).
On 2 February 2022, the UK Information Commissioner’s Office (ICO) published the final form of its much-anticipated new International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses.
In celebration of Data Privacy Day, we are highlighting some of these laws as well as some global data privacy and protection questions, expectations, and trends that lie ahead in 2022. Without further ado, below are some of the privacy laws from around the world that we anticipate will go into effect in 2022 or that recently went into effect.
Beginning January 1, 2020, certain California employers were required to comply with portions of the California Consumer Privacy Act of 2018 (CCPA) regarding the collection of consumers’ personal information. On November 3, 2020, California voters passed Proposition 24, the California Privacy Rights Act of 2020 (CPRA), which dramatically strengthened and expanded the CCPA. Employers subject to the CPRA must be in compliance by January 1, 2023. The urgency for employers to start those efforts now to meet this compliance deadline is caused by, among other things, the fact that employees have disclosure rights under the CPRA.
Employers and employment agencies in New York City that currently utilize, or expect to utilize, automated tools to make employment decisions may wish to begin planning now for restrictions that will take effect on January 1, 2023, concerning the types of tools that may be utilized and the disclosures concerning such tools that must be provided to candidates for employment or promotions.
On November 8, 2021, New York Governor Kathy Hochul signed into law an amendment to the New York Civil Rights Law that requires employers with places of business in the state to provide prior notice concerning the monitoring of employee telephone, email, or internet usage.
The Information Commissioner’s Office (ICO) recently released its response to the UK government consultation, ‘Data: A new direction’. The consultation was conducted by the Department for Digital, Culture, Media and Sport (DCMS).
The Act to Promote Works Council Elections and Works Council Activities in a Digital Working World (which is also known as the “Works Council Modernization Act” or Betriebsrätemodernisierungsgesetz) went into effect in Germany on June 18, 2021.
In May 2019, the Michigan Supreme Court issued rules that when implemented generally would prohibit Michigan courts from releasing personal identifying information (PII), such as birthdates, on court records. The rules were set to go into effect on July 1, 2021. Because consumer reporting agencies (CRAs) use PII to confirm the identities of the subjects of records and to comply with verification standards set forth in the Fair Credit Reporting Act (FCRA), CRAs would have been affected by the restrictions on access to court files, potentially impacting the timely and accurate release of background check information in Michigan.
In Van Buren v. United States, No. 19-783 (June 3, 2021), the Supreme Court of the United States recently waded into the meaning of the Computer Fraud and Abuse Act’s (CFAA) “exceeds authorized access” prohibition.
Employees may have a claim against their employers for access to information about all personal data processed by the employers pursuant to Article 15 (3), Sentence 1, of Regulation (EU) 2016/679 (General Data Protection Regulation (GDPR)). Under the GDPR, employees have a right to access, among other things, information about the purposes of personal data processing, the recipients of the data processed, and the storage period relevant to the data.
On June 4, 2021, the European Commission adopted two new sets of standard contractual clauses (SCCs): one for data transfers from data controllers to data processors and one for data transfers from data exporters to data importers in the United States and other third countries. These new clauses update and replace the SCCs adopted in 2001, 2004, and 2010 that many employers currently use to legally transfer human resources (HR) data for employees based in the European Union (EU).
Retirement plans are increasingly subject to cybersecurity issues, and the U.S. Department of Labor (DOL) is taking notice. On April 14, 2021, the DOL published cybersecurity guidance “for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips” for hiring service providers and online security tips for participants. In recent years, DOL guidance that eased rules related to electronic communications to plan participants might have helped make participants more susceptible to phishing attempts that masquerade as official plan communications.
Virginia has joined California as the second state to enact a comprehensive data privacy law. On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (VCDPA) into law. The VCDPA does not go into effect until January 1, 2023, but the broad privacy mandate will have an immediate impact on compliance efforts for many Virginia businesses.
COVID-19 continues to cause significant restrictions in many areas around the world, including workplaces: Employees are working in remote settings, they no longer share tools and supplies, partitions separate workspaces, employees may not gather in common areas, and in-person meetings are reduced to a minimum. With distribution of the first vaccines impending, employers may expect a return to pre-pandemic practices. There is wide variation internationally on the approach to vaccinations. Below are answers to employers’ frequently asked questions about vaccinating global and multinational workforces.
After the political and constitutional upheaval of the last four years that has been Brexit, a trade deal—the EU-UK Trade and Cooperation Agreement—was finally reached between the United Kingdom (UK) and the European Union (EU) on December 24, 2020, just days before the deadline when the UK was set to crash out of all EU treaties.
On November 3, 2020, California’s voters approved Proposition 24, the California Privacy Rights Act of 2020 (the so-called CCPA 2.0). This means that the new California Privacy Rights Act (CPRA) will amend the California Consumer Privacy Act (CCPA) with some significant changes.
On June 12, 2020, Québec’s then minister of justice, Sonia LeBel, tabled in the National Assembly Bill 64, An Act to modernize legislative provisions as regards the protection of personal information.
On September 11, 2020, the U.S. Department of Homeland Security (DHS) proposed a regulation that focuses on the expansion of the collection and use of biometric data in the enforcement and administration of immigration laws. The proposed rule would subject foreign nationals to periodic biometrics collection and continuous vetting after they enter the United States and until they become U.S. citizens.
Amidst the pandemic, China introduced a civil code—its first-ever compilation of civil laws detailing the rights of private parties. The code’s attention to sexual harassment provides another important reminder that even as workplaces focus on virtual workforces, social distancing, and other novel legal issues, workplace respect and inclusion remain essential to a well-functioning workplace.
On July 16, 2020, the Court of Justice of the European Union (CJEU) announced its judgment in the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States.
Most readers are likely now familiar with the initial travel guidance for international travel issued by the U.S. Centers for Disease Control and Prevention (CDC). Since then, governors have taken the lead in issuing orders related to COVID-19 for, among other things, closing businesses, mandating citizens stay home, and only permitting essential businesses to operate. Along with those orders, many have issued guidance related to quarantines for out-of-state travelers, including those who have only traveled domestically within the United States. Many of these orders are expressly aimed at discouraging interstate travel other than for essential services.
Over the years, Congress has put forth various legislative proposals regarding data privacy. None of the past legislation received the support necessary to enable passage of a comprehensive national data privacy law. In the face of the ongoing COVID-19 pandemic, however, promising new privacy legislation has been introduced by Senator Roger Wicker (R-MS), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation; Senator John Thune (R-SD), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Senator Jerry Moran (R-KN), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Senator Marsha Blackburn (R-TN).
With employers planning for employees to return to work following COVID-19–related closures, there are sure to be questions about sharing employee medical information as it relates to COVID-19 (symptoms, test results, status) within the workplace and with public authorities. Now may be a good time to review what has changed about federal privacy rules in light of the COVID-19 pandemic—and what hasn’t.