February



Verifile
February 24, 2020

New England “Ban-the-Box” Trend: Navigating Criminal History Checks in the Hiring Process

Many states and localities have been adopting “ban-the-box” laws, which prohibit employers (including private employers) from asking applicants to disclose information concerning their criminal histories prior to an initial interview or a conditional offer of employment.  Currently, all New England states except Maine and New Hampshire have a ban-the-box law that is applicable to private employers.  Bills that would have applied ban-the-box to private employers in both Maine and New Hampshire died in last year’s legislative sessions, but there is a good chance that similar legislation will resurface.

Importantly, the ban-the-box law concerns criminal history information requested directly from applicants (and employees under certain state law).  Employers may request certain criminal history information from other sources (e.g., federal or state department of criminal justice systems) and/or through a third party vendor (e.g., consumer reporting agency), but there may be separate requirements for criminal background checks under applicable federal and/or state law.

Employers would be wise to review the relevant laws in all jurisdictions in which they do business and monitor further legislative activities on this topic.  In light of that information, employers may consider whether application documents, hiring practices, and criminal history check policies need to be updated.

Asking Applicants to Disclose Criminal History Information
The “ban-the-box” laws in Connecticut, Massachusetts, Rhode Island and Vermont impose restrictions on the timing of criminal history inquiries: They prohibit employers from asking an applicant to disclose his or her criminal history information until a specified point in the hiring cycle (e.g., the interview stage or after a conditional offer of employment).  There are certain exemptions from such prohibition (e.g., where an employer is required by law not to hire an individual convicted of certain offenses).  Significantly, Connecticut, Massachusetts and Vermont impose additional restrictions on the types of questions employers may ask even after they have passed the specified point in the hiring cycle.  Further, Connecticut and Massachusetts require certain disclaimers be included in certain hiring documents.  (See Conn. Gen. Stat. § 31-51i; M.G.L. ch. 151B, § 4 (9 1/2)(9); RI RSA § 28-5-7 (7); & 21 V.S.A. § 495j)

Here is a summary of the law regarding pre-employment inquiries into criminal history information in all six New England states:

  • Maine.  Certain state government employees are protected from pre-employment criminal history inquiries, but there is currently no ban-the-box law applicable to private employers.  A bill that proposed prohibiting all Maine employers (including private employers) from asking an applicant to disclose the applicant’s criminal history until after the applicant received a conditional offer of employment was vetoed by Governor LePage in 2018.
     
  • Massachusetts.  Employers are generally prohibited from asking an applicant to furnish criminal offender record information prior to the interview.  In addition, an employer generally may not ask an applicant (at any point in the application process, even after receiving a conditional offer) or a current employee, whether in writing or orally, about certain criminal information (e.g., any misdemeanor convictions that occurred more than three years ago, criminal conviction records that have been sealed or expunged, an arrest or any offenses that did not result in conviction).  The law prohibits employers from taking adverse action against a prospective or current employee based on criminal history information obtained in contravention of ban-the-box.  Any form used by an employer that seeks information concerning an applicant’s criminal history must include the specific statement regarding expunged and sealed records as required by the law.
     
  • New Hampshire.  New Hampshire has no restrictions.  A bill introduced last year that would have prohibited employers from asking about an applicant’s criminal history on a job application was vetoed by Governor Sununu.
     
  • Rhode Island.  Employers are generally prohibited from inquiring on any application for employment or otherwise, orally or in writing, whether the applicant has ever been arrested, charged with or convicted of any crime.  The law permits employers to ask an applicant for information about his or her criminal convictions at the first interview or thereafter.
     
  • Connecticut.  The Connecticut law generally prohibits employers from asking an applicant to disclose his or her criminal background information until after the interview or a conditional offer of employment.  Significantly, employers are prohibited from asking an applicant at any time during the hiring process, or a current employee, about erased criminal records.  Thus, the law effectively prohibits employers from relying on erased criminal records when making an adverse employment decision.  Further, any form used by an employer that contains any question concerning the criminal history of the applicant must contain specific disclosure language regarding erased records. 
     
  • Vermont.  Employers are generally prohibited from asking an applicant to provide criminal history record information on the initial employment application form.  Employers are allowed to question applicants about their prior criminal records during a job interview or once the applicant has been deemed otherwise qualified for the position.  However, employers may not ask applicants to answer questions about arrests or convictions that have been expunged.  Further, the law requires that a person whose criminal history record is expunged or sealed by court order be treated as if he or she has never been arrested, convicted, or sentenced for the offense.  Thus, employers cannot rely on expunged or sealed records when considering an adverse employment decision. 

     

Obtaining Criminal History Information Elsewhere
Employers considering criminal background checks on applicants or employees should be aware that they may be subject to certain requirements under applicable state law, separate from the compliance with ban-the-box.  For example, Massachusetts generally requires that an employer obtain a written consent signed by an applicant/employee prior to conducting a criminal history background check, and that employers conducting five or more criminal history background checks a year have a written criminal background check policy in place, which must meet the minimum requirements under the law. 

Employers using a third-party vendor (e.g., consumer reporting agency) are generally subject to additional requirements under the federal Fair Credit Reporting Act (FCRA) as well as analogous state law.  For example, under the federal FCRA, employers must make certain disclosures to applicants/employees and obtain signed written authorizations from them before requesting background checks by a third party vendor.  Maine and Connecticut generally follow the federal FCRA, but Massachusetts, New Hampshire, Rhode Island, and Vermont require state-specific disclosures in addition to the federal requirements. 

Reliance on Criminal History Information
Whether obtained directly from an applicant and/or obtained through a background check on the applicant, criminal history information must be considered in a non-discriminatory fashion.  Under Equal Employment Opportunity Commission guidance, employers should make an individual assessment of a criminal offense in light of job-relatedness and business necessity, and consider all relevant factors, such as the nature and gravity of the offense or conduct; the time that has passed since the offense; and the nature of the job held or sought.  Moreover, certain states (e.g., Massachusetts) require additional factors to be considered in reviewing criminal history information (e.g., the age at the time of the offense, the number of offenses, any pending charges, etc.).

Action Items
Navigating through ban-the-box as well as the federal and state laws concerning criminal background checks can be complex.  As initial steps, we recommend the following:

  • Update, if necessary, initial hiring documents (e.g., job applications) to ensure that such documents do not include a question about an applicant’s criminal history.
  • Consider utilizing a criminal history questionnaire (including permissible criminal history questions) that should be used after the initial interview or after a conditional offer of employment.
  • Train personnel involved in the hiring process on restrictions imposed by these ban-the-box laws, including permissible vs. impermissible questions.
  • For multistate employers, determine whether a particular locality or state they operate in has a similar ban-the-box restriction.
  • Take a fresh look at your current criminal background check policies and practices to ensure compliance with applicable law.

For questions regarding the ban-the-box laws in your state or criminal background checks in general, please contact Jim Erwin at jerwin@pierceatwood.com or 207.791.1237 or Soyoung Yoon at syoon@pierceatwood.com or 617.488.8129.

Verifile | Other
February 24, 2020

Reflecting on APAC Data Protection and Cyber-security Highlights for 2019 (and what lies ahead!)

2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May, 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.

January

Singapore

Singapore’s Personal Data Protection Commission (“PDPC”) imposed the highest fines to date in respect of a cyber-attack on SingHealth’s patient database system affecting 1.5 million patients. SingHealth was fined S$250,000 as the data controller, and its contractor was fined S$750,000 for failing to take adequate security measures to protect personal data in its possession.

Japan

The European Commission adopted its adequacy decision in respect of Japan, finding that Japan provides a comparable level of protection of personal data to that in the European Union. This decision enables personal data to flow freely between the two jurisdictions without the need for additional safeguards.

Vietnam

Vietnam’s Law on Cybersecurity came into effect giving authorities greater power to investigate users of online content and censor content published online. Data localisation requirements are also imposed on foreign service providers.

Taiwan

Taiwan’s Information and Communication Security Management Act came into effect introducing the regulation of information and communication security management and cyber-security.

February

China

China’s Draft of the Information Security Technology – Personal Information Security Specification was issued for public comment. The draft Specification updates the earlier Specification which came into effect on 1 May, 2018 and proposes further requirements in respect of personal data protection including the right to be forgotten and the right to portability. As at the date of this article, the draft Specification has been further revised but has not yet been finalised.

May

Thailand

  • Personal Data Protection Act was passed with a 12 month grace period (until May 2020). The Act has extraterritorial applicability and draws on the themes of the GDPR e.g. privacy governance framework obligations and individual rights such as data portability and the right to be forgotten. The Act also introduces a mandatory breach notification regime (72 hours).
  • Cybersecurity Act was passed addressing cyber risks and national security. Specifically this Act requires organisations dealing with critical information infrastructure to protect information.

China

  • Draft Measures on Cybersecurity Review were issued for public comment. The draft Measures demonstrate the Chinese government’s ongoing commitment to enhance cybersecurity and compliance requirements for supply chains in relation to critical information infrastructure.
  • Draft Measures on Administration of Data Security were issued for public comment. The draft Measures provide for a number of implementing provisions concerning aspects of data collection, data usage and processing, and data security administration. Given the specific requirements provided in the draft Measures, the Measures are likely to have a major impact on the data compliance performance of network operators once in force.

As at the date of this article, both draft Measures are yet to be finalised and there is no definitive timeline by which the final version of the Measures will be issued and implemented.

Singapore

Singapore’s PDPC released a consultation paper to seek feedback on proposed amendments to Singapore’s Personal Data Protection Act (“PDPA”), including the introduction of data portability and data innovation provisions. The proposed data portability provisions will give individuals more control over their personal data while the data innovation provisions make clear that organisations will be able to use personal data for appropriate business purposes without consent.

Sri Lanka

Sri Lanka’s Ministry of Digital Infrastructure and Information Technology published the Cyber Security Bill, 2019. This Bill looks to protect vital information, essential services and critical infrastructure from cyber-attacks and proposes establishing a Cyber Security Agency, Computer Emergency Readiness Team and a National Cyber Security Operations Centre. Public consultations in respect of the Bill are still ongoing.

June

Hong Kong

Hong Kong’s Privacy Commissioner for Personal Data served an enforcement notice in respect of a data incident resulting in unauthorised access to the personal data of approximately 9.4 million individuals.

China

China’s Draft Measures on Security Assessment of Cross-Border Transfer of Personal Information were issued for public comment. The draft Measures lay down stricter requirements in relation to cross-border transfers of personal data with the intention to better safeguard internet users’ rights, public interests and national security. As at the date of this article, the draft Measures have not yet been finalised.

Sri Lanka

Sri Lanka’s Ministry of Digital Infrastructure and Information Technology published the Data Protection Bill, 2019, which, if enacted, will be Sri Lanka’s first specific data privacy regime. The aim of this Bill is to protect personal data, enhance consumer confidence and ensure the growth of Sri Lanka’s digital democracy and innovation. Public consultations in respect of the Bill are still ongoing.

July

China

China’s revised Draft Cryptography Law was introduced for public comment. The draft Law lays down a number of general requirements in relation to cryptography classification, usage, promotion, and protection. The draft Law also introduces specific requirements for certain Critical Information Infrastructure (CII) operators to use cryptography products or services. The final Law was promulgated on 26 October 2019 and took effect on 1 January 2020.

August

New Zealand

New Zealand’s Bill amending the Privacy Act had its second reading in parliament. The Bill proposes stronger powers for the Privacy Commissioner, mandatory breach notifications and increased fines. The Bill is likely to come into force in 2020.

September

Singapore

Singapore’s PDPC released a new Guide to Notification under the PDPA which contains information and examples on good practices which organisations may adopt when notifying individuals about personal data protection policies and practices. The Guide is a predecessor to impending amendments to Singapore’s PDPA to introduce a mandatory data breach notification regime in Singapore.

October

Singapore

Singapore’s PDPC released a new chapter on cloud services to the Advisory Guidelines to provide clarity on the responsibilities of organisations using cloud services to process personal data in the cloud, as well as the responsibilities of cloud service providers when processing personal data on behalf and for the purposes of organisations.

November

Japan

Japan’s data protection authority, the Personal Information Protection Commission, published an outline of proposed amendments to the Act on the Protection of Personal Information. The proposed amendments include extending the rights of individuals in respect of personal data that has been provided to third parties, mandatory breach reporting, and strengthening regulations relating to cross-border transfers. The draft bill is expected to be published in early 2020.

December

India

India’s revised Draft Personal Data Protection Act, 2019 was published. The Draft is the subject of much discussion as, while it reflects many themes and safeguards present in the GDPR including the right to data portability and the right to be forgotten, it also permits the government to have unfettered access to protected personal data in certain circumstances, including for national security purposes.

Reflecting the developments in 2019, the type and level of activity show that the Asia-Pacific region is not only dynamic in terms of changes to data protection laws but it also demonstrates the different stages the various jurisdictions are at in terms of their data privacy and cyber-security regimes.

Some, like Sri Lanka, are at the beginning of the journey while other regimes, like Hong Kong, have been in place since before the widespread use of the internet. However, despite these differences, the common denominators for countries in this region are that they are implementing and strengthening data privacy and cyber-security regimes and aligning them with international norms.

2020 is already shaping up to be an important year in terms of developments, with Hong Kong leading the way. Earlier this week, Hong Kong’s Panel on Constitutional Affairs released a discussion paper seeking views on proposed changes to Hong Kong’s long-standing data protection law, the Personal Data (Privacy) Ordinance (PDPO).

When the PDPO was first implemented in 1995, no one could have imagined the data driven society and social media ecosystem we live in today nor the challenges that this would bring. The changes to the PDPO proposed in the discussion paper look to address some of these issues as well as introducing mandatory breach notifications, revenue based fines and bringing Hong Kong’s regime more in line with international trends.

For more information on the discussion paper, please read our recent article https://www.dataprotectionreport.com/2020/01/consultation-paper-published-on-hong-kongs-data-protection-law/.

In addition to the developments in Hong Kong, we are looking forward to watching how data protection law evolves throughout 2020 as countries in the Asia-Pacific region continue to review, develop and strengthen their data privacy and cyber-security regimes, and keeping you updated along the way.

Verifile | Other
February 24, 2020

Key Global Takeaways From India's Revised Personal Data Protection Bill

The Indian government finally introduced its Personal Data Protection Bill in Parliament on Dec. 11, 2019, after more than two years of fierce debate on the bill’s provisions. Rather than pushing to immediately pass this hugely significant bill, India’s minister of information technology, Ravi Shankar Prasad, referred it for scrutiny to a joint parliamentary committee. After the committee publishes a report on the bill, it will then be debated in the Indian Parliament—and, given the huge majority the ruling coalition has in both houses, likely passed—in 2020.

This bill has implications far beyond India, as the country seeks to develop a comprehensive data governance framework that would affect virtually any company attempting to do business in India. India—thanks to its population size, gross domestic product and influx of new internet users—has a unique ability to exercise leverage over multinational tech companies and shape global policy.

As many countries begin to construct data governance regimes, this bill will have an important role in shaping the regulation governing today’s increasingly data-driven geopolitical landscape. All the while, the bill contains some elements of the protectionist and authoritarian-leaning data policies that are cropping up around the world as some countries attempt to curtail the global and open internet.

What are the main takeaways from the bill, and how do they impact global geopolitics and data policy?

A Brief History of the Bill

The narrative around data protection in India reached a crescendo during the hearings in the K.S. Puttaswamy vs. Union of India (2017) “right to privacy” case. In a landmark verdict, a nine-judge bench of the Supreme Court of India affirmed the right to privacy as a fundamental right.

During the case, the Indian government set up an expert committee to devise India’s data protection framework. After a public consultation on a white paper, the committee submitted a draft Personal Data Protection Bill and an accompanying report interestingly entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” Ultimately, the Personal Data Protection Bill was introduced into Parliament in December 2019.

The Bill’s Foundations

What are the stated motivations behind the law? The bill’s preamble identifies three key focal points:

  • “[T]he right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy[.]”
  • “[T]he growth of the digital economy has expanded the use of data as a critical means of communication between persons[.]”
  • “[I]t is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation through digital governance and inclusion.”

Not explicitly mentioned is that the bill was developed through continued engagement and consultation with a host of stakeholders. These interests included Indian law enforcement’s desire to access U.S.-stored data during investigations and an aversion to so-called data colonialism by large Western technology firms—a grievance against large-scale collection of Indian citizens’ data by Western companies.

What’s in the Bill?

Many of the consent-related provisions in India’s data protection bill sound quite similar to those enshrined in the European Union’s General Data Protection Regulation (GDPR). According to the new Indian bill, to collect personal data, those entities classified as data fiduciaries must obtain consent from the individuals whose data is in question. Data fiduciaries are essentially any entity determining the “purpose and means of processing personal data,” a wide definition that could encompass everything from ride-sharing apps to social media platforms to data brokers that buy and resell customer data.

Data collectors are also subject to various new reporting requirements. For example, the bill imposes additional requirements, such as a requirement to obtain parent or guardian consent for the collection of data belonging to children.

That said, the legislation’s text does carve out a number of exceptions for when data fiduciaries may not have to obtain consent in order to collect personal data on Indian citizens. For instance, there are consent exemptions for state or other entities complying with court orders, enforcing the law, providing public benefits or services, and treating medical emergencies. There are other “reasonable purpose” carve-outs for situations like whistleblowing, mergers and acquisitions, credit scoring, and the operation of search engines. Europe’s GDPR, by comparison, also contains consent exemptions in areas such as law enforcement data access and functions related to taxation, but the exemptions in India’s draft bill are defined a bit more vaguely.

The legislation also contains provisions giving rights to “data principals,” those about whom data are being collected, to request information from data fiduciaries about what is being collected on them. Similarly, data principals are given rights to correct or erase data stored by the fiduciary—a “right to be forgotten,” like in the GDPR. Data principals will also have the right to view the data itself in a clear and portable manner, with the data presented in a “structured, commonly used and machine-readable” format.

These protections demonstrate that the Indian government is interested in both safeguarding the rights of Indian data principals and chipping away at the gross power imbalance that currently exists between large technology firms and individual Indian citizens around data collection. But, again, it remains to be seen how that relationship will play out when it comes to individuals and the government, not just individuals and corporations. For example, the numerous vaguely defined exemptions on data regulation could potentially enable forms of surveillance, when government organs deem collection and use pertinent to state functions. 

In fact, the biggest concern about the bill among academics and activists is the exemptions granted to the government for data collection. Section 35 states that exceptions can be made to collection rules, reporting requirements, and other requirements whenever the government feels that it is “necessary or expedient” in the “interests of sovereignty and integrity of India, national security, friendly relations with foreign states, and public order.” Most importantly, “necessary or expedient” has replaced the “necessary and proportionate” standard for government processing of data. The latter was a recognized standard in Indian constitutional and international law. Just last year, the right to privacy ruling had stated clearly that any intrusion into the right must be authorized by law, conducted in accordance with procedure established by law, and be necessary and proportionate to the objective being sought. The use of the term “necessary or expedient” does not impose an obligation to undertake the balancing act between the intrusion and the objective, thereby augmenting the government’s surveillance powers. This leaves a gaping regulatory vacuum around surveillance law in India and fails to adequately protect citizen privacy, as there are no clear rules that govern government use of data.

In a bid to regulate social media corporations, marking a departure from both the GDPR and the 2018 draft of the bill, the most recent bill proposes the creation of a special class of significant “data fiduciaries” known as “social media intermediaries.” These are defined as entities whose primary purpose is enabling online interaction among users (and do not include intermediaries that enable business transactions or access to the internet, or that are in the nature of search engines or encyclopedias). Essentially, a “data fiduciary” is a social media company. The bill includes vague language that stipulates that social media intermediaries allow for the voluntary verification of their accounts by any users who use their services from India or register from within India. However, the proof users need to submit to the social media intermediary to verify their accounts is unclear. No other country has the provision for a voluntary verification mechanism of this nature.

Despite adding layers of regulatory obligations, the revised version of the bill does provide some cheer to foreign technology companies. After protracted lobbying and pushback from foreign companies, diplomats, and heads of state (including President Trump), the bill narrowed the scope of a data “mirroring” requirement for all data, which was present in the earlier draft. This data mirroring requirement would have mandated that a copy of all data on Indian citizens be stored within India’s borders. Now, the legislation only requires that certain types of data must be stored in India. The first, “critical personal data,” must be stored and processed only in India. The second, “sensitive personal information,” must be stored within India but can be copied elsewhere provided certain conditions are met. This includes a provision that mimics the GDPR’s adequacy requirement: In order for data to be copied into a country, the destination country must apply sufficient privacy protections to the data and not impede Indian law enforcement access to the data.

Localized data storage requirements are also not entirely new to India. Rather, they would supplement measures that are already in place. Most important among the preexisting protections is a Reserve Bank of India (India’s central bank) requirement for the local storage of payment data. Major technology firms such as WhatsApp Pay, Google Pay, Mastercard and other payment companies have made attempts to comply with the new Reserve Bank regulation.

Finally, the government made sure to add Section 91—a provision clarifying that it reserves the right to interpret any policies for the benefit of India’s digital economy—as long as this does not involve the use of personal data that can be directly used to identify an individual. Section 91(2) states further that the government can direct data collectors to hand over anonymized personal information or other “non-personal data” for the purpose of “evidence-based policy-making.” Little clarity has been provided on what that might entail.

Implications for India and the World

Since the bill was introduced in Parliament, the global business community has expressed disapproval over certain aspects of the proposed legislation. For example, U.S.-India Business Council President Nisha Biswal criticized the ostensibly privacy-focused bill for reaching into other areas, such as liability of social media intermediaries, that she thinks should be handled in separate legislation. Despite her reservations about legislative overreach, Biswal praised the bill for relaxing India’s data localization requirements, a move she feels would provide access to global processing and data analytics that could benefit India’s economy. Moving forward, it will be interesting to watch other responses from the international business community to the now-diluted data localization elements of the bill.

There are also business costs associated with data localization compliance that many foreign companies would prefer to avoid. There is no doubt that many companies incorporated within India, and particularly those incorporated beyond, will continue to push back against other existing data localization requirements that raise storage and processing costs. The revised data localization provision in the new bill addresses these costs as the mandate is limited to “sensitive personal data” and “critical personal data.”

Beyond purely financial concerns, some observers in the business community may have other worries about the data localization rules because these rules can sometimes create legitimate cybersecurity and national security concerns. In Russia, for example, more aggressive data localization rules have created conflicts between the Russian government and Western technology companies. The Russian government has pressured foreign-incorporated companies to store their encryption keys within Russia’s borders, as part of a broader tightening of control over Russian cyberspace. This has raised concerns about elevated (and unchecked) government access to sensitive communications. In light of some concerning provisions in the draft bill about government surveillance (notably exemptions when “the security of the State” is in question), it’s possible that foreign companies may have similar concerns around local data storage in India’s case.

The U.S. has broadly supported a business-led pushback against data localization in India, purportedly for economic reasons: At the G-20 summit this past summer, a major event for global data governance, President Trump stated that “the United States opposes data localization and policies, which have been used to restrict digital trade flows and violate privacy and intellectual property protections.”

Beyond business concerns, what does India’s Personal Data Protection Bill mean for the U.S. privacy stance? 

The Indian bill mirrors and appears to endorse parts of the stance taken by the GDPR. Federal data privacy approaches in the United States have to date taken a much more laissez-faire approach to data regulation than the approach embodied in the EU’s GDPR. This perhaps reflects a fundamentally different understanding of how human rights pertain to the protection of online speech and data privacy. The U.S. largely views the protection of online data and information as less the government’s responsibility than, for example, many counterparts in the European Union.

While its data regulation model is far more controlling, China has already looked to the GDPR as a model for building out some elements of its emerging data governance regime. India’s proposal represents yet another country attempting to model its own data governance regime on the GDPR’s privacy standards. India’s bill reflects the GDPR’s further entrenchment as the global standard on which to base early-stage data protection regulations.

For those American policymakers who would have preferred India to take a slightly different approach, it’s worth wondering how better U.S. government action on the data governance front could influence this global contestation over data access and regulation.

What does the bill mean for India’s role in the global data conversation? India is an important player in the global internet policy space. Indian government leadership is eager to position India as a global leader on democratic data regulation and has largely succeeded. India has high levels of global internet policy participation—that is, activity in the UN General Assembly and elsewhere on internet issues—and analysts have rated the nation high on its ability to influence international policy.

The introduction of a data protection bill in furtherance of a constitutionally guaranteed right to privacy is a very small step toward occupying a leadership position on democratic data governance. However, the text of the bill largely appears to be a crude amalgamation of provisions in the GDPR with authoritarian leanings. These include the enabling framework for government surveillance in the bill, which undoubtedly entrenches government power to undermine citizen privacy. Further, the blurring of the distinctions between non-personal data and personal data remains concerning. The bill ultimately dilutes protections on individual data rights by enabling the government to access anything it feels would fit within the laid-out categories of exemptions.

These authoritarian leanings ultimately undermine India’s potential to guide emerging market economies and smaller democratic states. The bill makes India a less appealing model for those nations looking to chart out a new vision of data governance that merges the right to privacy with important civil liberties. Though some privacy-protecting measures in the bill mimic several provisions of the GDPR, the legislation needs significant revisions if India wants to be a leader in forging a democratic, privacy-protecting approach to the internet.

India’s strategic interest likely lies in ensuring that it upholds its constitutional responsibility to its populace and privileges citizen rights and economic welfare over mere business or bureaucratic interests. But—particularly due to concerning exemptions in the text of the Personal Data Protection Bill—it is not clear whether this objective is satisfied. As the Joint Parliamentary Committee starts its deliberations on the draft of the bill, it remains to be seen whether the policymaking pendulum swings the right way.

Image: Ministry of Law & Justice GODL-India
