On June 4, 2021, the European Commission adopted two new sets of standard contractual clauses (SCCs): one for data transfers from data controllers to data processors and one for data transfers from data exporters to data importers in the United States and other third countries. These new clauses update and replace the SCCs adopted in 2001, 2004, and 2010 that many employers currently use to legally transfer human resources (HR) data for employees based in the European Union (EU).
Retirement plans are increasingly subject to cybersecurity issues, and the U.S. Department of Labor (DOL) is taking notice. On April 14, 2021, the DOL published cybersecurity guidance “for plan sponsors, plan fiduciaries, record keepers and plan participants on best practices for maintaining cybersecurity, including tips” for hiring service providers and online security tips for participants. In recent years, DOL guidance that eased rules related to electronic communications to plan participants might have helped make participants more susceptible to phishing attempts that masquerade as official plan communications.
In addition to the potential uses of contact-tracing apps, discussed recently in episode 1 of the Global Solutions series, most employers now conduct some form of employee screening or monitoring to help prevent the spread of COVID-19 in the workplace and protect staff.
On July 16, 2020, the Court of Justice of the European Union (CJEU) announced its judgment in the so-called Schrems II case (Case C-311/18), declaring that the EU-U.S. Privacy Shield is invalid because it does not provide an adequate level of protection for the transfer of personal data from the European Union (EU) to the United States.
An employer’s response to COVID-19 involves numerous privacy issues. Below are some answers to frequently asked questions (FAQs) about these issues within the United States and globally, based on laws such as the Americans with Disabilities Act (ADA) (which applies in the United States) and the European Union’s General Data Protection Regulation (GDPR). While many of these principles can be applied globally, employers should always look to applicable local laws in their jurisdictions and guidance from public health authorities. Employers should also consult any applicable internal policies, data privacy notices, employee collective bargaining agreements, employment contracts, and individual employment terms.
The recent spread of the novel coronavirus (COVID-19) in the United States has caused employers to be increasingly concerned and uncertain regarding the future of their workforces. Here are some answers to frequently asked questions (FAQs) about the latest developments on the virus and guidance from federal agencies.
The European Data Protection Board (EDPB) and EU supervisory authorities have reported that they have received a large number of complaints during the first six months following the effective date of the GDPR. For example, the EDPB reported that it had received more than 42,000 complaints since May 25, 2018. The French Supervisory Authority (CNIL) reported a 20 percent increase in complaints filed during the first six months the GDPR was effective compared to the same period in 2017. Similarly, the Irish Supervisory Authority reported a 50 percent increase in data breach reports and a 65 percent increase in data protection complaints over the same period. The Irish Data Protection Commissioner also stated that several investigations of multijurisdictional complaints against large companies are being completed and that she expects major GDPR fines to be issued in 2019.
Article 35 of the GDPR provides that a data protection impact assessment (DPIA) must be performed for data processing that “is likely to result in a high risk to the rights and freedoms of natural persons.” DPIAs must contain (1) a description of the processing operation along with the purpose of the processing and, where applicable, the legitimate interest for the processing; (2) an assessment of the necessity and proportionality of the processing operation in relation to the purpose; (3) an assessment of the risks to the rights and freedoms of the data subjects; and (4) the measures to be taken to mitigate the risks.
Although the GDPR was intended to provide a uniform set of data protection requirements across the EU, the GDPR contains several provisions, known as “opening clauses,” that expressly permit individual EU countries to implement additional and/or stricter requirements for certain types of data that employers typically process.
Much has happened since the European Union (EU) General Data Protection Regulation (GDPR) went into effect on May 25, 2018. Many EU countries have enacted national legislation to implement and expand the requirements of the GDPR, while other developments have directly affected employers and created new obligations regarding the collection and processing of human resources (HR) data.
The Affordable Care Act (ACA) introduced mandatory coverage for a wide array of preventive care services. Section 2713 of the ACA requires most health plans to provide coverage for various preventive care services without cost-sharing requirements (e.g., copayments, deductibles, or coinsurance).
On April 19, 2018, the Article 29 Working Party (Working Party), which is comprised of representatives from the data protection authorities in each of the 28 European Union (EU) member states, issued a position paper stating that all employers of EU employees are required to prepare and maintain records of processing activities relating to human resources data pursuant to Article 30 of the General Data Protection Regulation (GDPR).
On March 27, 2018, Helen Dixon, the data protection commissioner for Ireland, outlined the enforcement priorities of the Irish data protection authority (DPA) for the General Data Protection Regulation (GDPR) during the International Association of Privacy Professionals Global Privacy Summit in Washington, D.C. The Irish DPA has been ramping up its compliance capabilities for the GDPR and will undoubtedly serve as the lead DPA for GDPR enforcement for numerous U.S. companies that are headquartered or have locations in Ireland.
With less than six months until the May 25, 2018, effective date for the European Union (EU) General Data Protection Regulation (GDPR), companies are assessing their GDPR readiness and concentrating their compliance efforts on the highest risk areas. What is the highest risk area for GDPR compliance?
The creation and implementation of the Patient Protection and Affordable Care Act (ACA or Obamacare) was a long, strange trip beset throughout by policy disagreements, shifting political winds, backroom legislative dealings, unexpected costs, legal challenges, and public relations fiascos. It should then come as no surprise that the Trump administration and the new Congress have experienced a similarly bumpy ride thus far in their efforts to dismantle the ACA.
The last couple of years have brought a steady rain of bad news for the healthcare industry when it comes to data security: Insurers faced with massive data breaches affecting thousands of health plans and millions of individuals. Hospitals having to choose between paying cybercriminals or suffering critical data losses. While the temptation might be to dismiss some or all of this as the reporting of isolated events, a closer look at the issues makes clear that the threats to data are real, the cyberattacks potentially devastating, and the costs involved both significant and growing.
The recognition of same-sex marriages across the country will offer greater clarity for employers as they administer their employee benefit plans. Since the 2013 Supreme Court decision in United States v. Windsor, same-sex spouses have been recognized for federal tax purposes and in the federal government’s regulation of benefit plans, but until the Obergefell decision, state insurance departments, state taxing authorities, and state domestic relations courts were not required to recognize same-sex marriage.
This morning, Anthem Blue Cross and Blue Shield, one of the largest health insurers in the country, notified its policyholders, members, and business partners that it was recently the target of an external cyber attack that appears to have compromised the confidentiality of medical and other personal information maintained on…..
Finally, some guidance on mid-year cafeteria plan changes that many employers have already permitted in the wake of United States v. Windsor. On December 16, 2013, the Internal Revenue Service (IRS) released Notice 2014-1, which answers questions regarding the proper treatment of cafeteria plan elections, flexible spending account (FSA) expenses,…..
For many years, the Defense of Marriage Act (DOMA) defined marriage under federal law as a legal union between one man and one woman. In June 2013, however, in the case of United States v. Windsor, the Supreme Court of the United States declared this DOMA provision (known as “Section…..
Today’s post focuses on the treatment of genetic information under the new regulations for the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Ogletree Deakins has previously released a blog post describing the omnibus regulations and an article detailing the revised breach notification…..
Four years ago, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) introduced major revisions to the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The U.S. Department of Health and Human Services (HHS) is now publishing final regulations implementing…..
For those caught in the path of Hurricane Sandy, the past few days represent a life-changing event. Many employers are eager to find a way to assist employees as they address the damage and destruction. Tax provisions passed in the wake of the September 11, 2001 attacks provide employers a…..
The government recently issued Notice 2012-59 (August 31, 2012), describing the 90-day limit for waiting periods to enter group health plans, as added by the Affordable Care Act (ACA). This notice provides temporary guidance and builds on the safe harbor for determining who is a full-time employee described under Notice…..
Insurers have begun issuing medical loss ratio (MLR) rebate checks for 2011. Particularly when an MLR rebate is small, you may be tempted to put the check in a drawer and forget about it. Employers should resist that impulse and take quick action after they receive an MLR rebate check……