The Education Ministry announced the setting up of a University Consortium on Blockchain Technology and launched the e-Scroll system – a university degree issuance and verification system based on blockchain technology. The program is focused on combatting the trade in fake degrees available internationally.
“Currently, Malaysian universities receive thousands of requests globally to verify their genuine graduates. Such verification is still largely done via telephone and emails which contribute to its inefficiency,” it added.
The current plan calls for a verification process that can be done from anywhere in the world as long as there is Internet connectivity, and the process takes only a few seconds.
The National Privacy Commission (NPC) in the Philippines has intensified its monitoring efforts to ensure strict compliance with the country’s Data Privacy Act of 2012. The Commission has developed guidelines to ensure compliance, and will focus on monitoring specific sectors where personal data gathering and processing are critical, such as schools and banks. There will be three modes of compliance checks: privacy sweep, documents submission, and on-site visits.
South Korea Passes Bill Legalizing Cannabis for Medical Purposes
The Republic of Korea became the first East Asian nation to legalize medicinal cannabis. The move was surprising, as the country has been a vocal opponent of the legalization of recreational cannabis in other countries. The law will allow the import of cannabidiol (CBD), one of many cannabinoid molecules produced by cannabis, which contains no THC and has no intoxicating effect. It will be strictly controlled by the Korea Orphan Drug Center. The law will also allow cannabidiol to be recommended by physicians for a variety of ailments, including treating withdrawal symptoms associated with drug and alcohol abuse.
GDPR: New Guidelines on Territorial Scope
The European Data Protection Board has adopted new draft guidelines on the territorial scope of the GDPR that provide clarification for both EU and non-EU based companies to assess whether all or parts of their activities fall under the scope of the GDPR and to what extent they are subject to the application of the GDPR. The guidelines also clarify aspects that were controversial or misinterpreted in the six months since GDPR went into effect. The guidelines are subject to a public consultation before final adoption.
No Application of the GDPR in B2B
Brussels, 26th November 2018: In draft Guideline 3/2018 on the scope of application of the GDPR, the European Data Protection Committee specifies that the GDPR covers those who offer goods and services to individuals. This means that the provision of goods and services to companies, i.e. B2B, is clearly not covered.
For a long time it was not clear how far the geographical scope of the GDPR extends. Art. 3 GDPR seemed to be in need of concretization.
The European Data Protection Authority (EDPB) therefore decided to issue a new draft for a guideline on the geographical scope of application. It is intended to ensure a uniform interpretation of the territorial scope of application of the EU GDPR.
Until now, Art. 3 para. 2 lit. a) in particular left open the scope of interpretation that the GDPR is not applicable to companies not established in the EU if they do not serve end customers (no B2C). The European Data Committee has now clearly specified this in its guideline.
When Does GDPR Apply to a Non-EU Entity? EDPB Provides Guidance
The European Data Protection Board (“EDPB”) published on 16 November 2018 the long-awaited Guidelines 3/2018 on the territorial scope of the General Data Protection Regulation (“GDPR”). As those with even a cursory interest in the matter knew, a company not established in the EU can still be within the reach of GDPR’s strict rules. But exactly when that is the case was not entirely clear from GDPR’s provisions and recitals. With these guidelines EDPB aims to clarify the criteria for determining the territorial scope of GDPR.
Austrian DPA Issues Blacklist
The Austrian Data Protection Authority issued a list stipulating data processing operations that in all cases require a data protection impact assessment (DPIA). Under the GDPR, a controller must carry out a DPIA if certain criteria under Article 35 are met. The so-called “blacklist” issued by national data protection authorities will further specify all relevant scenarios that trigger a DPIA obligation without prejudice to the provisions of the GDPR.
First Supreme Court Decision On GDPR: Austrian Supreme Court Rules On "Prohibition Of Consent
In the case at hand, a consumer protection organisation filed an action against a company stating that the company uses inadmissible clauses in its general terms and conditions and claiming injunctive relief (i.e. prohibiting the company from using these clauses vis-à-vis customers going forward). The clauses in question also comprised consent declarations for certain marketing measures which are not required for the performance of the contract. Without granting such consent, customers cannot conclude the relevant contract. The court proceedings were already initiated in 2017. The court of first instance rendered its decision in 2017, the appellate court in May 2018; both decisions were rendered before the GDPR became applicable and both courts considered the consent clauses as inadmissible already under the old data protection regime. Not surprisingly, the Austrian Supreme Court found the consent clauses at hand to be in violation of said prohibition of consent bundling. Further, the Supreme Court's ruling also contained more general statements on (the voluntariness of) consent declarations:
Belgian DPA Provides First Status Update After Six Months Of GDPR
In what circumstances can personal data be collected, stored and processed in Belgium? Thomas Daenens and Steven De Schrijver from Astrea discuss how the collection of personal data must be transparent. The person wishing to collect the data must clearly state the exact purpose for which the data will be collected and the data controller cannot obtain more data than is required for that purpose. They also discuss the limits or restrictions on the period for which an organization may (or must) retain records; and more.
First Data Protection Authority Issues GDPR Fine
The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) was the first German data protection authority to impose a fine under the GDPR. A social media company has been fined €20,000 ($22,600) for not ensuring data security of processing of personal data pursuant to Article 32 GDPR. The company had contacted the LfDI with a data breach notification following a hacker attack in which passwords and email addresses of approximately 330,000 users were stolen and published. The company did not hash its customers’ passwords, but stored them in plain text and thus violated Art. 32 GDPR.
Data Protection Authority of Bavaria, Germany, Intensifies GDPR Compliance Monitoring
On 7 November 2018, the data protection authority of the Free State of Bavaria, Germany, issued a press release that, now that the European General Data Protection Regulation (GDPR) has been in effect for six months, the authority will intensify its GDPR compliance monitoring. The Bavarian data protection authority is responsible for monitoring GDPR compliance in the state of Bavaria within the non-public sector. The authority’s intensified monitoring activities will, in general, concern cybersecurity vulnerabilities and GDPR information duties.
The Hungarian DPA Issues Data Protection Impact Assessment Blacklist
The Hungarian Data Protection Authority has issued its data protection impact assessment blacklist that places regulations on data collection. Specifically, it requires a DPIA for several data processing activities, including the processing of biometric data for systematic monitoring for the purpose of identifying a natural person; processing of a natural person’s genetic data for the purpose of evaluation or scoring; monitoring of employees at work; large scale processing of personal data for law enforcement purposes; and more.
Data Protection Commission Confirms List of Processing Operations Requiring a DPIA
The Irish Data Protection Commission (DPC) has published a list of processing operations that require a Data Protection Impact Assessment (DPIA). The list encompasses both national and cross-border data processing operations, and requires a DPIA for several types of processing operations, including profiling vulnerable persons for marketing or online services; systematically monitoring, tracking or observing individuals’ location or behavior; profiling individuals on a large scale; where a type of processing is likely to result in a high risk to the rights and freedoms of individuals; and more.
The Italian Data Protection Authority has Drafted the List of Processing Operations Subject to a DPIA – Practical Implications and Accountability Considerations
On October 11, 2018, the Italian Data Protection Authority issued, pursuant to Article 35(4) GDPR, the list containing further processing activities [i.e. processing activities additional to those provided for in art. 35(3)] that require a Data Protection Impact Assessment (“DPIA”) to be carried out prior to the processing. The list was adopted after having positively implemented the opinion and instructions of the European Data Protection Board (“EDPB”) published on September 25, 2018 (see ICT Insider of October).
In short, each national Supervisory Authority (“SA”) was required to draw up a draft list containing the types of processing activities that would require a Data Protection Impact Assessment to be carried out prior to their initiation and implementation. The draft list had then to be sent to the EDPB with a view to scrutinise the use of the margin of discretion left to the SAs, in order to ensure a consistent application of the GDPR throughout the Union.
Hence, the final version of the list published today is the outcome of the implementation process of the Board’s opinion and views on the indicated processing types, as means of guaranteeing a uniform application of the GDPR.
New Law on Monitoring at the Workplace
Following the entry into force of the General Data Protection Regulation ("GDPR") on 25 May 2018, the Law of 1 August 2018 implements the provisions of the EU regulation into Luxembourg Labour Law. This Law entered into force on 20 August 2018. Article L.261-1 of the Labour Code now contains specific provisions regarding the processing of personal data for monitoring purposes in the context of the employment relationship.
The scope within which employers may process personal data for monitoring has been extended. The monitoring of employees is only permissible:
- if the employee gives their written consent to the processing of their personal data;
- if the processing of personal data is necessary for the performance of the employment contract;
- if the employer is subject to a legal obligation to process personal data; or
- if the processing of personal data is justified by a legitimate interest.
Serbia Catches Up With the GDPR: New Data Protection Law Adopted
After a public hearing that lasted more than a year, the National Assembly of the Republic of Serbia adopted the new Data Protection Law (the "Law") on 9 November 2018. Until the Law comes into force on 21 August 2019, the currently valid law will apply except for the provisions on the Central Register of Databases, which are no longer in force. Nevertheless, according to the published Notice of the Commissioner for Personal Data Protection (the "Commissioner"), the obligation to establish or register in already established databases still exists under Articles 48, 49 and 51 of the currently applicable law, as does the obligation to submit records of databases to the Commissioner. The provisions of the Law itself have been modelled after and largely comply with the provisions of the GDPR, as part of the wider process of harmonising the national law of Serbia with EU law, which was one of the main reasons for the adoption of the new Law. Besides many novelties, the new Law elaborates certain procedures, rights, obligations and competences in more detail.
Spanish Senate Signs-Off New GDPR-Compliant Data Protection Act
The Spanish Senate has approved the GDPR-compliant Spanish Data Protection Act, which contains a special regime for personal data of deceased people, includes additional duties for controllers and processors regarding the accuracy and confidentiality of the data, makes processing of criminal records information more flexible, and approves new rules to determine when a data agent is a data controller and not a data processor. The Act also establishes the divide between children and standard data subjects at 14 years, provides extensive additional regulation regarding CCTV systems and whistleblowing schemes, and more.
Turkey DPA Announces Starting Dates for Registration Obligation
Turkey’s DPA has announced registration dates for the Data Controllers Registry. They include: data controllers that employ more than 50 employees must register before September 2019; data controllers established outside of Turkey must register before September 2019; data controllers that employ fewer than 50 employees, but whose core business includes the processing of sensitive personal data, must register before March 2020; and public institutions and organizations that act as data controllers must register before June 2020.
Careers of People Working with Children Being Destroyed by ‘Misleading Police Checks’, Teachers Warn
“Misleading” criminal record checks are allegedly destroying the careers of people who want to work with children in the UK. Delegates at a recent Liverpool conference raised concerns that the Disclosure and Barring Service (DBS), which checks criminal records of those applying to work with children, is not fit for purpose. In response, DBS said “Each year we issue around four million certificates to help employers make safer recruitment decisions. What is included on our certificates is either set out in legislation or provided to us by the police. Any non-conviction information disclosed on a DBS certificate has been subject to a decision by a police force in accordance with a statutory test and with regard to statutory guidance.”
Guide to the General Data Protection Regulation (GDPR): Controllers and Processors
The Information Commissioner UK offers a checklist for data controllers and processors to understand the role they play in data processing. The checklist offers indicators to assist in deciding whether an employee is a controller, a processor or a joint controller. The checklist also discusses what’s new under the GDPR, how to determine whether you are a controller or processor, and more.
UK Government Issues Data Protection Guidance in the Event UK Leaves EU with “No Deal”
The UK Government has issued guidance regarding how the country’s data protection law will work in the event the UK leaves the EU without a deal. Regulations and more detailed guidance will soon be published that would preserve EU GDPR standards in domestic law, transitionally recognize all EEA countries and Gibraltar as ‘adequate’ to allow data flows from the UK to Europe to continue; preserve existing EU adequacy decisions on a transitional basis; recognize EU Standard Contractual Clauses in UK law and give the ICO the power to issue new clauses; maintain the extraterritorial scope of the UK data protection framework, and more.
Third in HR Fail to Delete Personal Data
One third of HR teams admit to breaching the General Data Protection Regulation (GDPR) by failing to delete personal data about employees, leavers and job candidates after data-retention periods expire, according to a survey by CIPHR. Although 83% of HR professionals have set retention periods for employee, leaver and job candidate data, only 69% put the policies into practice and deleted the data when the periods expired. The study also found that HR professionals have ignored the Information Commissioner's Office recommendation of enabling self-service access to data. Only one third of respondents said they had enabled self-service access to personal data for employees.
Why It’s Important to Check New Recruits’ References
A recent employment tribunal ruling highlights the importance of having a robust recruitment and selection process. In Francis-McGann v West Atlantic UK Ltd, an airline pilot successfully applied for a position as a captain, but resigned after the airline discovered that he lied on his application. He sued for three months’ pay, but lost the case. Homa Wilson, an employment law partner at Hodge Jones & Allen, offers precautions all organizations can take to minimize risks due to improper background checks.
How to Test Employees for Cannabis Impairment
Recent legal cases clarify the do’s and don’ts of cannabis testing, including one that revolved around the lack of correlation between the amount of cannabis in a person’s system and impairment. Employers should be aware of some of the main issues around their right to test, and need to understand the importance of updating drug and alcohol policies to deal with the potentially greater presence of cannabis in the workplace. In addition, new technologies promise improved measurement, such as the Draeger DrugTest 5000 that has been used in some European countries for several years and has just been approved for use in Canada.
Saying No to Cannabis
Nearly one in five managers (19 percent) are at least somewhat likely to consume cannabis for recreational purposes before going to work, while 14 percent said it’s somewhat likely they will consume cannabis during work hours. As for workers, seven percent said they are likely to use cannabis before work, while four percent will consume it during work hours, according to a recent survey by ADP Canada. Over the next 18 or 24 months, HR managers can expect litigation in civil and criminal courts over the arbitrariness of cannabis use, and it’s important for employers to be as proactive as possible, and to create policies or amend policies to reflect the new legalization of cannabis.
The Human Rights Tribunal of Ontario Dismisses Discrimination Claim Made by Medical Pot User
The Human Rights Tribunal of Ontario has found a litigant failed to claim that her employer-sponsored insurance plan discriminated against her disability by refusing to pay for her medical cannabis. Lisa Cabel, a lawyer at Norton Rose Fulbright Canada LLP, who represented the insurance company and employer sponsor, says the case shows that while the political climate around recreational marijuana has shifted, the terms of medical marijuana insurance contracts remain in effect. Therefore, employers need to ensure that all company cannabis regulations are up to date and in compliance under the Ontario Human Rights Code.
Legalization of Cannabis: A Guide for Employers
With the legalization of recreational cannabis as of October 17, 2018, Canadian employers must be prepared to understand their rights and responsibilities vis-à-vis their employees. Employers are encouraged to adopt or amend their substance and drug use policies to conform to cannabis legalization.
First, employers' drug policies should clearly stipulate that they apply to cannabis use, notwithstanding its legalization.
Second, regardless of the particular rules employers wish to adopt, it is advisable to institute policies that are clear with regard to the behaviors that are forbidden and the consequences of violating the policies. These policies should also be applied in a consistent and uniform manner to every employee (subject, of course, to any duty to accommodate, as discussed below).
The implementation of cannabis use policies should be accompanied by training on the various issues surrounding cannabis and the workplace, particularly for managers who will have to apply these policies.
It should be noted that the other provinces and territories of Canada can adopt their own rules regarding the use of cannabis in the workplace, and they may differ from the rules adopted in Québec and Ontario.
Five Steps to Compliance with Privacy Consent Guidelines
On January 1, 2019, the Privacy Commissioner of Canada will begin enforcing Guidelines for obtaining meaningful consent, which impose requirements for obtaining legally valid privacy consents. This bulletin summarizes five steps to compliance with the Guidelines.
In May 2018, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly issued Guidelines for obtaining meaningful consent (the "Guidelines") to help private sector organizations obtain legally valid consents to the collection, use and disclosure of personal information. The Guidelines criticize "the use of lengthy, legalistic privacy policies", and explain that the requirements and best practices summarized in the Guidelines are intended to "breathe life" into the ways that consent is obtained.
The Guidelines detail seven principles for private sector organizations to follow to obtain legally valid privacy consents.
GDPR Territorial Scope – Draft Guidelines Released that May Help Canadians Established Outside the EU Understand Whether They Must Comply
Canadian businesses, particularly those with no physical presence in the EU, have been struggling to manage their compliance efforts with respect to the GDPR. These Guidelines should help organizations better understand when they may be subject to the GDPR. The Guidelines are in draft form and comments must be submitted before January 18, 2019.
The 5 Hottest Human Resources Questions about Cannabis
The holidays bring lots of holiday joy – and some holiday headaches for human resources professionals and employers. And this year's legalization of recreational cannabis use is fuelling lots of HR questions. The hottest one of the season: do employers that offer alcohol at holiday work parties also have to offer cannabis? Here's the answer to that question and to four other burning cannabis questions employers are asking us this season. Also, since this is a rapidly evolving area, employers are well-advised to continue to monitor the science and the criminal law standards for cannabis impairment, and to implement more frequent policy reviews and updates. And all employers, especially those that can't test any or all of their employees, should still train managers and supervisors to watch for and to recognize indicators of impairment.
Cayman Islands Data Protection Law Update
The Cayman Islands Government has announced that the date on which the Data Protection Law 2017 (“DPL”) will be brought into force is now 30 September 2019. The DPL was previously anticipated to be brought into force at the end of January 2019.
In order to assist the many public and private entities which will be affected by DPL, the supervisory body for data protection in the Islands, the Office of the Ombudsman, has released a draft document titled “Data Protection Law 2017 Guide for Data Controllers” which will serve as a practical manual for the way that systems, procedures and documents can be implemented and/or updated to ensure compliance.
Black, Latino Drivers Sue Amazon Over Firings Based on Background Checks
A lawsuit, filed in Suffolk Superior Court, is a class action suit of black and Latino former drivers for Amazon who have sued the online retailer, alleging that Amazon discriminated against them when it fired them based on a background check policy. Originally filed as a complaint with the Massachusetts Commission Against Discrimination, the drivers claim that in 2016, Amazon began implementing an overly strict background check policy, which highlighted old and minor offenses without taking job performance into consideration. One employee had been delivering packages for the retailer for 60 to 70 hours each week when he was terminated for an old charge of driving after a license suspension.
Reminder: Confusing Background Check Disclosures can get an Employer in FCRA Hot Water!
The Ninth Circuit Court of Appeals recently granted a dismissal for lack of standing in Mitchell v. Winco Foods. The Fair Credit Reporting Act (FCRA) case was dismissed when the Ninth Circuit agreed that Mitchell failed to establish the requisite standing: she alleged that WinCo’s job application forms were not FCRA-compliant, but she failed to demonstrate how those alleged violations harmed or presented the risk of harm to her protected interests. When discussing the possibility that Mitchell was simply confused by the disclosure, the court referenced its own decision in the case of Syed v. M-I, LLC, in which it held that “the [FCRA] disclosure requirement at issue … creates a right to information by requiring prospective employers to inform job applicants that they intend to procure their consumer reports as part of the employment application process.”
Court Grants Final Approval of $1.2M FCRA Class Action Settlement Against Petco
In November, the United States District Court for the Southern District of Columbia granted final approval of a $1.2 million Fair Credit Reporting Act (FCRA) class action settlement against Petco Animal Supplies, Inc. The putative class action was filed in June 2016, alleging that the company’s background check disclosure was hidden among other pages of fine print and went against the “stand alone” disclosure required by law. The Disclosure Class includes 37,279 members, who will each receive about $20, while the Adverse Action Subclass includes 52 class members, who will each receive an additional $150.
Some Clarity: Court Holds Screening Reports on Independent Contractors Not Subject to the FCRA Employment Purpose Requirements
In the case of Smith v. Mutual of Omaha Insurance Company, the United States District Court for the Southern District of Iowa ruled that the protections applicable when consumer reports are obtained for “employment purposes” under the Fair Credit Reporting Act (FCRA) do not extend to reports obtained for independent contractors. In the case, the plaintiff alleged he applied to contract with the business as an insurance salesperson, but was not hired due to a falsely reported felony on his background check. He claimed he was not provided with the statutorily mandated prior notice. Mutual of Omaha moved to dismiss the claim on the basis that Smith was only applying to work as a contractor, stating that the pre-adverse action notice requirement did not apply.
How to Ward Off the Rising Number of Background Check Class Actions Summary
Companies are increasingly faced with class actions for alleged violations of the Fair Credit Reporting Act (FCRA). FCRA claims related to background checks have grown since last year.
Most companies perform background checks on employees as part of the employment application or new hire process.
Lyft was successful in convincing a federal judge to dismiss a FCRA class action and order the Plaintiff to submit his claims to arbitration. When he was hired the Lyft driver had accepted Lyft’s terms of service which included a mandatory arbitration agreement. Lyft used these terms to compel the matter to arbitration.
To avoid FCRA class actions, employers should consider having all applicants sign an arbitration agreement, at least before or at the same time the background disclosure / authorization forms are given to the applicant. Having an arbitration agreement with a class action waiver will go a long way in defending against a FCRA class action.
Social Security Administration ‘No Match’ Letters to Employers Make Another Comeback
The Social Security Administration (SSA) has begun notifying employers that the information reported on an individual employee’s W-2 form does not match the SSA’s records with “Request for Employer Information” letters, known as “No-Match” letters.
In July 2018, probably in response to President Donald Trump’s Buy American, Hire American Executive Order, SSA re-started the practice by sending “informational notifications” to employers and third party providers telling them of mismatches on their 2017 Forms W-2 and explaining where to find helpful resources.
A mismatch does not necessarily mean that there is any wrongdoing. It can be caused by an administrative error or several other factors. If the issue is not easily resolved, the employer should contact legal counsel. There are no “safe harbors.” Each case is different and must be analyzed individually to avoid missteps and penalties from either SSA, ICE, or IER.
Can an Outside Investigation Constitute a “Consumer Report” Under FCRA? The Seventh Circuit Appears Skeptical
The Seventh Circuit Court of Appeals, in the case of Rivera v Allstate Ins. Co., 907 F.3d 1031 (7th Cir. 2018), recently wrestled with a novel question under the FCRA – whether an investigation conducted by a third party into employee misconduct could be considered a consumer report under the FCRA. Ultimately, the Court did not rule on the issue, but it appeared skeptical that the FCRA would apply.
The Seventh Circuit overturned the FCRA verdict on Spokeo grounds, but not before expressing great skepticism for the applicability of the FCRA in these circumstances. It noted that this appeared to be a novel question of law and was an “odd application” of FCRA. Specifically, the Court questioned whether an investigation could be a “consumer report,” largely because it was conducted by a law firm which did not appear to be a “credit reporting agency.”
Eastern District of Pennsylvania Dismisses FCRA Claims for Lack of Standing
A Pennsylvania district court recently dismissed a complaint due to the plaintiff’s lack of standing to assert violations of the Fair Credit Reporting Act. In Harmon v. RapidCourt, LLC, Case No. 17-5699 (E.D. Pa. Nov. 20, 2018), consumer plaintiff Icarus Harmon asserted violations based on a stale criminal history that RapidCourt had provided to a consumer reporting agency.
Relying on the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins, the Court found that these allegations were insufficient to confer standing “because the disclosure of information to another consumer reporting agency, does not constitute a concrete harm.” The Court assumed, without finding, that RapidCourt itself was a consumer reporting agency, but was “unwilling to find that the transmission of allegedly prohibited information from one consumer reporting agency to another is a concrete injury that is ‘real and not abstract.’”
FCRA Disclosures: Too Much Information, Not Enough, or Just Right?
The Northern District of California recently considered a case where a plaintiff alleged that her employer’s FCRA disclosure both had too much information and too little. The plaintiff in Soman v. Alameda Health Sys. applied for a job with the defendant. The defendant-employer provided written disclosures describing the nature and scope of the background check and plaintiff’s rights under FCRA. The FCRA disclosure contained three text boxes that advised applicants of their rights under the laws of four states to obtain a copy of their consumer reports. The FCRA disclosure also contained the contact information for the employer’s vendor who conducted the background investigation, but omitted a digit in the zip code for the vendor. The plaintiff filed suit against the employer alleging FCRA violations.
Given that the plaintiff failed to establish any concrete harm, the plaintiff lacked standing and thus the Court dismissed her claims. The Court essentially ruled that the employer’s FCRA disclosure contained the ‘right’ amount of information and dismissed her FCRA claims with prejudice.
University Faculty Background Checks to be Reviewed by Court
Pennsylvania’s highest court will decide whether the system of state-owned universities trampled on faculty union rights by unilaterally requiring criminal background checks and reports of arrests for serious crimes within 72 hours.
The policy, enacted in response to the Jerry Sandusky child molestation scandal at Penn State, was limited in an April decision by Commonwealth Court so that many professors would not be covered by it. The Supreme Court said it will review that decision and consider the schools’ argument that the policy “served the public interest in protecting minors.”
The universities have argued it was within their managerial powers to make all employees follow the policy, not just those who are likely to encounter children on campus. The unions say any such policy should be hammered out as part of contract negotiations.
Vermont AG Issues Guidance on New Data Broker Regulation
Vermont’s new Data Broker Regulation (“Regulation”) takes effect on January 1, 2019. The Regulation requires, among other things, that data brokers register with the Vermont Secretary of State and protect personally identifiable information of Vermont residents. This week, the Vermont Attorney General issued guidance on the Regulation, which helps address questions on process and scope.
DATA PROTECTION & PRIVACY
Department of Commerce Updates Privacy Shield FAQs to Clarify Applicability to UK Personal Data
On December 20, 2018, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to clarify the effect of the UK’s planned withdrawal from the EU on March 29, 2019. The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit.
The deadline for implementing the steps identified in the FAQs depends on whether the UK and EU are able to finalize an agreement for the UK’s withdrawal from the EU. To the extent the UK and EU reach an agreement regarding withdrawal, thereby implementing a Transition Period in which EU data protection law will continue to apply to the UK, Privacy Shield participants will have until December 31, 2020, to implement the relevant changes to their public-facing Privacy Shield commitments described in the FAQs and below. To the extent no such agreement is reached, participants must implement the changes by March 29, 2019.
EU-US Privacy Shield Undergoes Second Review by EU Commission and (Re)Passes the Test—For Certifying Companies, Santa Has Come to Town
On December 19, the EU Commission ("Commission") published its report to the European Parliament and the Council on the second review of the functioning of the EU-US Privacy Shield (the "Report").
To the relief of the 3,850 US companies who have certified to the Privacy Shield, and those entities transferring personal data to them, the Commission concluded that the Privacy Shield framework ensures an adequate level of protection for personal data and, therefore, can still be used as one of the available transfer mechanisms under the General Data Protection Regulation ("GDPR"). Nonetheless, the review identified some immediate actions for the US government to take in order to continue to keep the Privacy Shield framework on secure footing.
New Suffolk County, NY, Bill Bans Inquiry into Salary History
Suffolk County has become the latest New York jurisdiction to pass a bill that prevents employers from inquiring into the salary and benefits history of job applicants. Intended to establish pay equality and “break the cycle of wage discrimination,” the Restricting Information on Salaries and Earnings Act (RISE Act) will go into effect on or about June 30, 2019, if signed by County Executive Steve Bellone.
Surge in I.C.E. Immigration Enforcement is Wake-Up Call to U.S. Employers
Here is a wake-up call for employers thinking about shoring up their immigration compliance process as a New Year’s resolution. U.S. Immigration and Customs Enforcement (ICE) is targeting employers and has dramatically increased the number of worksite investigations, audits, and arrests.
How much has ICE increased its enforcement activity at U.S. employers’ worksites? Worksite investigations are up more than 300% from fiscal year 2017. I-9 audits are up 340%. Criminal worksite-related arrests are up 460%. And administrative worksite arrests are up 787% over 2017. These arrests can include not only undocumented workers but also the responsible hiring manager. Unlike most employment regulatory obligations, immigration compliance laws create the potential for personal, criminal liability for hiring managers and officials. Simply put, managers and company officials can go to jail for getting immigration compliance wrong.
9th Cir: Montana Law Doesn't Prevent Employers From Banning Marijuana
The 9th U.S. Circuit Court of Appeals has upheld a lower court's decision to dismiss a fired marijuana user's lawsuit against his employer, Charter Communications, LLC. The Montana Supreme Court's refusal to certify a question that plaintiff Lance Carson wanted answered before the state's high court will stand.
The federal appeals court concluded that a state's legalization of marijuana won't necessarily override a company's drug-free workplace policy. The Montana Marijuana Act (MMA) doesn't "prevent employers from prohibiting their employees from using marijuana or authorize wrongful termination or discrimination suits against employers," it said.
The court also noted that the MMA doesn't violate Montana's constitution and is in line with the state's "careful regulation of access to an otherwise illegal substance for limited use by persons for whom there is little or no other effective alternative" while "avoid[ing] entanglement with federal law."
Marijuana Sows Seeds of Conflict for San Francisco Employers, But Maybe Not for Utah Employers
San Francisco, known for its forward progress in the cannabis space, has done it again. Effective October 1, 2018, employers are prohibited from “inquiring about, requiring disclosure of, or basing employment decisions on convictions for decriminalized behavior, including the non-commercial use and cultivation of cannabis.” The ordinance restricts employers from asking questions about pot convictions and, instead, authorizes the City to impose penalties on employers who violate the ordinance. Some of the penalties include a private right of action for the victim and monetary payment.
As previously reported, Utah legalized medical marijuana this midterm through Proposition 2. Proposition 2 failed to include important provisions in its initiative, including what rights employers would have. However, Utah’s House of Representatives held a special legislative session whereby lawmakers changed Proposition 2 and adopted more restrictive provisions in what is being called the medical cannabis compromise. These restrictive provisions include employer protections.
Say What? The Employee Who Failed His Post-Accident Drug Test Gets Workers’ Comp.?
Employers might assume that an injured worker’s positive post-accident drug or alcohol test will automatically defeat a related workers’ compensation claim. However, in Ohio at least, the reality is a bit more complicated. Under Ohio law, a positive, post-accident drug test raises only a “rebuttable presumption” that the injured worker’s use of drugs or alcohol proximately caused the industrial injury. Since this legal presumption is “rebuttable,” the burden then shifts back to the employee to prove that the impairment did not cause the accident. This burden-shifting “rebuttable presumption” can be a potent defense to some claims.
Argentine DPA Approves Guidelines for Binding Corporate Rules
The Agency of Access to Public Information has approved a set of guidelines for multinational companies to comply with international data transfer laws. The Argentine Personal Data Protection Law No. 25,326 prohibits the cross-border transfer of personal data from Argentina to other countries or to international organizations that do not provide for an adequate level of protection. The guidelines include information on third-party beneficiaries, supervisory authority, data protection training, administrative resources and more.