Educational Series

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3 (2). Generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria is applied on a case-by-case basis, the guidelines provide several examples showing how the targeting criteria can be applied that clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic allocation and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects whom your business profiles, or about whom it undertakes some analysis, by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

The legalities of monitoring employees online

As a general principle, employers are legally permitted to monitor their employees online during business hours. Keeping a close eye on workers can help maintain company confidentiality, limit workers from surfing the web on company time and ensure the prevention of harassment.

But such monitoring does come with caveats, as well as risks.

For example, screening employee email on the employer’s network may be permissible but may require advance notice. In states such as Connecticut and Delaware, laws are in place that require employers to provide prior notice before electronically monitoring employees. A union contract may also place certain limits on monitoring and public-sector employees may have some rights under the Fourth Amendment with regard to unreasonable search and seizure.

Federal law can also come into play. Although the Electronic Communications Privacy Act (ECPA) generally prohibits the monitoring of electronic communications, it contains a “business purpose exception” that permits employers to monitor the electronic communications of workers if the company has a “legitimate business purpose.” The statute also allows monitoring with consent and many companies do this by including such permission as part of the onboarding process for new employees before granting access to the company’s networks or systems.

Another wrinkle: third-party communications. States such as California and Illinois mandate that all parties to a communication provide consent to its interception in transit. For employers, that means providing notice to recipients of employee emails and obtaining their consent before scanning a message from a friend or third party. Many companies post a notice on the company’s website and/or include a statement in employee emails that all messages are subject to monitoring and any response implies consent with the employer’s practices.

Even with all these issues, monitoring emails may be more straightforward than focusing on employee social media accounts. The Stored Communications Act (SCA) addresses the situation of accessing electronic communications stored by a provider (such as Gmail or Microsoft), as distinct from an employer accessing emails on its own system. Under the SCA, employers can be liable for the unauthorized access and disclosure of electronic communications in storage on corporate servers of a provider.

Further, roughly half the states ban employers from either requiring or requesting a worker to verify a personal online account like a Facebook profile, blog or Instagram or to log on to their social media account. While technology is available for employers to get around these laws (using keystroke logging software, for example, or taking screenshots), some of the information being monitored by an employer could itself be protected – such as union organizing activities under the National Labor Relations Act, attorney-client communications or in some states, geolocation data.

Mobile devices add another layer to the analysis. For workers using employer-provided mobile phones or devices, the employer has the right to legally monitor use from contact lists to photos and videos to Internet visits and emails. As for bring-your-own-device (BYOD) situations, the terms are generally dictated by the employer’s BYOD policy, but this is an emerging area of law and therefore murky.

All of these legal considerations are centered in the United States. Companies that operate outside the U.S. borders will have international law to contend with as well, notably the European Union General Data Protection Regulation (GDPR) and regulations found in its member states. As a general matter, EU law and the GDPR offer employees a greater level of privacy than that found in the United States. Last year, the EU’s highest court did rule that companies can monitor employee email – if workers are notified in advance.

Perhaps most importantly, employers should recognize that like all things related to technology, the legalities of monitoring employees online are constantly evolving. Being able to adapt to changing laws, regulation and technology will keep employers on their toes.

Mid-Year Update on Employment Background Screening Legislation

BAN-THE-BOX

List of jurisdictions is growing

“Ban-the-box” measures, which generally prohibit employers from inquiring about a candidate’s criminal history (including performing background checks) until later in the hiring process, and impose significant compliance requirements, will soon be the norm rather than an exception. The list of localities that have enacted such legislation is growing fast and now includes Austin, Baltimore, Buffalo, Chicago, Columbia – MO, Los Angeles (enforcement started July 1, 2017), Montgomery County – MD, New York City, Philadelphia, Portland, Prince George’s County – MD, Rochester, San Francisco, and Seattle, and ten states (Connecticut, District of Columbia, Hawaii, Illinois, Massachusetts, Minnesota, New Jersey, Oregon, Rhode Island, and Vermont (effective July 1, 2017)).

Although not labeled as “ban-the-box,” California’s Department of Fair Employment and Housing regulations (the “Regs”) that went into effect July 1, 2017 impose certain similar requirements when employers consider criminal history information in employment decisions. As reported in our previous blog, the Regs are substantially based on the enforcement guidance issued by the Equal Employment Opportunity Commission in April 2012, and prohibit employers from using a candidate’s criminal history in personnel decisions if such information will have an adverse impact on individuals that are in a legally protected class.

Amended rules for New York City’s “ban-the-box” take effect August 5, 2017

Nearly two years after the enactment of New York City’s Fair Chance Act (FCA), and without much fanfare, the City’s Commission on Human Rights published its amended rules that establish certain definitions and procedures, and clarify the comprehensive requirements of the FCA when using criminal history in employment decisions, and considering applicants for licenses, registrations, and permits.

CREDIT CHECK RESTRICTIONS

Eleven states (California – AB 22; Colorado – The Employment Opportunity Act; Connecticut – SB 361; District of Columbia – Fair Credit in Employment Amendment Act; Hawaii – HB 31 SD1; Illinois – HB 4658; Maryland – HB 87; Nevada – SB 127; Oregon – SB 1045; Vermont – Act No. 154 (S. 95); Washington – RCW 19.182 and RCW 19.182.020) and at least two localities (New York City – Stop Credit Discrimination in Employment Act, and Philadelphia – Bill No. 160072) have enacted laws that generally prohibit private employers from checking a candidate’s credit history, except in circumstances where a credit screen is justified by the position’s responsibilities or is required by law.

WAGE HISTORY INQUIRIES

Pay equity initiatives, which among their provisions include a ban on inquiries about a candidate’s wages, are gaining momentum nationwide. The following jurisdictions have enacted such laws and many more are considering similar measures: Delaware – HS1 (effective December 14, 2017); Massachusetts – Pay Equity Act (effective July 1, 2018); New York City – Intro 1253 (effective October 31, 2017); Oregon – HB 2005 (effective December 1, 2019); Philadelphia – Fair Practices Ordinance: Protections Against Unlawful Discrimination (set to go into effect May 23, 2017 but now facing a legal challenge); Puerto Rico – Equal Pay Act (effective March 8, 2017); and San Francisco – Parity in Pay Ordinance (effective July 1, 2018).

Pending before California’s Senate is AB 168 that would prohibit employers from seeking an applicant’s salary history and impose significant penalties for violations. Notably, California already has a pay equity law, AB 1676, and although the law does not ban salary history inquiries, it does prohibit employers from using a candidate’s prior wages as the sole basis to justify a pay disparity.

WORK AUTHORIZATION VERIFICATIONS

Revised Form I-9

The USCIS released a revised version of Form I-9, Employment Eligibility Verification on July 17, 2017. Employers can use this revised version or continue using Form I-9 with a revision date of “11/14/16 N” through September 17, 2017. Beginning September 18, 2017, however, employers must use the new form (with the revision date of “07/17/17 N”).

Reminder to California employers

California’s AB 1065, which went into effect January 1, 2017, makes it unlawful for employers to:

  1. request additional or different documents than those required under federal law to verify that an individual is not an unauthorized immigrant;
  2. refuse to accept documents provided by the applicant that reasonably appear to be genuine;
  3. refuse to honor documents or work authorization based on specific status or term that accompanies the authorization to work; and
  4. attempt to re-investigate or re-verify a candidate’s authorization to work using an unfair immigration-related practice.

Scherzer International Hosts C5LA Executive Leadership Lunch

C5LA Youth Leaders with SI employees on March 28th, 2017

On March 28th, Scherzer International had the pleasure of hosting an amazing group of students from the C5LA Youth Foundation. The students began their visit in the company’s conference room, where managers and executives gave presentations describing their duties, their department’s role in the company, and their personal academic and career paths. The session wrapped up with a lively discussion driven by the C5LA students’ questions about background checks, running a business and innovation.

Afterwards, students and staff gathered in the break room for a social lunch to get a sense of the company’s culture and work environment.  After filling up on lunch and conversation, the students were given a tour of SI’s office to see what happens “behind the scenes” when preparing background reports.

Our C5LA guests wrapped up their visit by hearing from our HR manager who described SI’s summer internship program, which has included C5LA students in past years, some of whom have chosen to return to SI as full time employees. Everyone at SI agrees that any one of the students who visited us in March would be a great asset to the team!

Larry and Carole Scherzer both serve on the C5LA foundation’s Board of Directors and are strong supporters of the organization’s mission and programs. C5LA aims to provide underserved adolescents throughout the Los Angeles area with the resources and opportunities necessary for them to successfully pursue a college education and lead in their communities.

About the C5LA visit, Larry Scherzer said, “It was very moving to see such bright, ambitious students engaging with SI’s employees and taking such interest in our business. I keep thinking about one of C5LA’s theme songs, Ain’t No Mountain High Enough.”

Scherzer International makes a conscious effort to give back to the community as much as possible. The company regularly participates in fundraisers and toy drives benefiting organizations such as the Arthritis Foundation and Child and Family Guidance Center.

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield. The Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

CFPB publishes annual guide about consumer reporting agencies

Every year, the Consumer Financial Protection Bureau (the “CFPB”) updates and publishes a guide to consumer reporting companies. The guide includes information in connection with requesting a consumer report from the three largest nationwide consumer reporting companies and dozens of specialty reporting companies, tips regarding specialty reports, updated information about authentication of identity when requesting a consumer report, information on companies that provide free credit scores, and rights with respect to consumer reports.

The CFPB notes that in prior years, its guide referred to consumer reporting businesses as “agencies” or “bureaus,” and that these terms can be confusing because they may imply these businesses are government entities. They are not—these companies are private-sector, for-profit entities, and in this year’s guide, the CFPB refers to them as “companies” for better clarity.

Philadelphia expands its ban-the-box ordinance

On December 15, 2015, Philadelphia Mayor Michael Nutter signed Bill 150815 expanding the city’s ban-the-box legislation. The new ordinance, which goes into effect on or about March 14, 2016, amends Chapter 9-3500 of the Philadelphia Code entitled “Fair Criminal Records Screening Standards,” by modifying certain definitions and adding additional requirements regarding the screening of job and license applicants for criminal history. With limited exceptions, the new ordinance applies to employers having any employees within the city of Philadelphia. (The prior ordinance covered employers with 10 or more employees.)  The highlights of the law include:

  • questions about criminal records must be removed from the job application–the ordinance specifically notes that multi-state applications may not include the question with a disclaimer for Philadelphia applicants not to answer;
  • employment materials cannot contain questions or refer to the applicant’s willingness to submit to a background check before a conditional offer has been extended;
  • criminal record inquiries must be postponed until after a conditional offer has been made;
  • notice of the background check must state that any consideration of the results will be tailored to the job;
  • employment decisions can only include a conviction that occurred less than seven years ago–employers may add to the seven year period any time of actual incarceration served because of the offense;
  • screening process must include individualized assessment for each applicant;
  • if the applicant is rejected based on a criminal conviction, he/she must be advised of the specific reason and provided with a copy of the record.

Importance of background checks in employment decisions

Performing a background check as part of the hiring process, promotion, or retention in today’s world is essential. Stakeholders expect it. Regulators mandate it.

In a turbulent economy, the pool of job candidates is greater than ever and misrepresentations abound. For many firms, once an offer of employment has been extended, it is common practice to check the candidate’s background. Depending on the risk level of the position and its requirements, background checks can run the gamut from reference calls done internally, to using a consumer reporting agency to perform comprehensive searches to determine the existence of potentially negative information, such as criminal matters, civil litigation, bankruptcy filings, tax liens, judgments, regulatory actions, driving violations, and adverse media publicity, and to verify academic, licensing, employment and other professional qualifications and claims.

The law is clear–an employer who hires or retains a dangerous or incompetent employee can be held liable for that employee’s wrongful acts, if committed in the course and scope of his or her employment. The theories of negligent hiring and retention go even further–someone who is injured by an employee can sue the employer even if the employee’s conduct is outside of the employer’s control. For instance, one court found the owner of an apartment complex liable for a handyman’s assault of a tenant after working hours. The liability existed because the owner failed to screen the handyman’s background, which included a long list of violent crimes.

Underpinning the negligent hiring and retention theories is the negligence of the employer—that is, the employer knew or should have known the employee was unfit for the job, posed an unreasonable risk of harm to others, and did nothing about it. Virtually every state recognizes these theories as causes of action, or if not, has a similar legal theory. One of the best ways to reduce the risk of negligent hiring and retention liability is to perform adequate background checks as part of the hiring process and in connection with promotions or retention.

A well-designed background screening program that is compliant with applicable laws and regulations makes good business sense, as an individual’s prior history is often a predictor of future performance, workplace behavior and cultural fit. Various studies have shown that the cost of a bad hire is one to five times the salary of the job in question, considering the direct and indirect cost involved in recruiting, hiring, training, development, administration, management, and potential litigation, as well as the wasted wages and benefits. Comprehensive background screening can help identify individuals who may have a propensity for violence, theft, fraud, dishonesty, substance abuse, absenteeism, and other misconduct, and at the same time, find the candidates that can make the employer more successful.

Many employers are also required by government regulation, their insurance carriers, and/or their clients to conduct background checks. A comprehensive background check is clearly worth the investment. Employers never want to say “we should have known,” as an uninformed employment decision can result in significant financial losses and quickly tarnish an employer’s reputation.

Right to be Forgotten movement gains backers in the U.S.

Seeking to expand recognition of the Right to be Forgotten to the United States, a consumer group has filed a petition with the Federal Trade Commission (the “FTC”) requesting that Google be required to remove links upon request.

Last year, the European Court of Justice ordered Google to remove links about the financial history of a Spanish attorney, finding that the links to stories about his debts were “inadequate, irrelevant or no longer relevant, or excessive,” establishing the Right to be Forgotten (“RTBF”). Over the last 12 months, Google has received 274,462 removal requests and evaluated 997,008 URLs for removal from its search results.

In the hopes of bringing the RTBF to the United States, Consumer Watchdog recently filed a petition with the FTC. The group argued that by providing the ability to request removal of links to European consumers in Europe, Google engaged in unfair and deceptive practices in violation of the Federal Trade Commission Act. Not offering Americans the right to request removal – while providing it to millions of users across Europe – is unfair, the group argued to the FTC. And Google’s claims in its privacy policy that “[p]rotecting the privacy and security” of customer information “is a top priority,” are deceptive because the company limits protections by denying the RTBF, the consumer group added.

Consumer Watchdog listed several examples of U.S. citizens who have been harmed without the RTBF in this country, ranging from a guidance counselor who was fired after photos of her as a lingerie model from 20 years prior surfaced online to a woman whose mug shot appeared online after she was arrested defending herself against an abusive boyfriend. The group also told the FTC that Google already removes certain types of links from search results in this country (such as revenge porn), meaning it has the capability to remove other links as well.

“As clearly demonstrated by its willingness to remove links to certain information when requested in the United States, Google could easily offer the RTBF or the Right To Relevancy request option to Americans,” Consumer Watchdog wrote. “It unfairly and deceptively opts not to do so.”

The RTBF doesn’t implicate First Amendment concerns or constitute censorship, the group said, because the content remains on the Internet. The right “simply allows a person to request that links from their name to data that is inadequate, irrelevant, no longer relevant, or excessive be removed from search results,” according to the petition. “Americans deserve the same ability to make such a privacy-protecting request and have it honored.”

Further, the right isn’t automatic. “Removal won’t always happen, but the balance Google has found between privacy and the public’s right to know demonstrates Google can make the RTBF or Right To Relevancy work in the United States,” Consumer Watchdog concluded.

Meanwhile, the issue of expanding the RTBF has also come up in Europe. In July, a French regulatory authority ordered Google to remove all the links from its search pages including Google.com in the U.S. – not just the European pages. Google refused to comply and filed an appeal of the order. “We believe that no one country should have the authority to control what content someone in a second country can access,” Google’s global privacy counsel Peter Fleischer wrote on the company’s blog.

Read Consumer Watchdog’s petition to the FTC.

DOL offers new guidance on old question of employee or independent contractor

For the last few years, one of the top priorities for the Department of Labor (the “DOL”) has been the fight against the misclassification of employees as independent contractors. In the agency’s latest effort, it released new guidance for employers when classifying workers, using six factors to consider.

The Administrator’s Interpretation 2015-1 focuses on the issue of whether the worker is “economically dependent on the employer or truly in business for him or herself.” The more the worker relies upon an employer for income stream, business skills, and supplies, the more likely he or she is an employee – and entitled to all of the benefits included in that classification, such as overtime or worker’s compensation.

In “The Application of the Fair Labor Standards Act’s ‘Suffer or Permit’ Standard in the Identification of Employees Who Are Misclassified as Independent Contractors,” the DOL started with the Fair Labor Standards Act’s (the “FLSA”) definition of “employ:” “to suffer or permit to work.” Under this broad definition, “most workers are employees,” the agency stated unequivocally.

With that in mind, the DOL turned to the six factors of the economic realities test commonly used by courts when considering whether a worker is an employee or an independent contractor. The agency noted that the labels used by an employer are not determinative of the nature of the relationship and neither are tax filings.

“All of the factors must be considered in each case, and no one factor (particularly the control factor) is determinative of whether a worker is an employee,” the DOL wrote. “Moreover, the factors themselves should not be applied in a mechanical fashion, but with an understanding that the factors are indicators of the broader concept of economic dependence. Ultimately, the goal is not simply to tally which factors are met, but to determine whether the worker is economically dependent on the employer (and thus its employee) or is really in business for him or herself (and thus its independent contractor).”

Is the work an integral part of the employer’s business? If a worker is economically dependent upon the employer, he or she is likely an employee, while a “true independent contractor’s work, on the other hand, is unlikely to be integral to the employer’s business.” Recognizing the increasing use of telecommuting and other flexible work schedules in today’s economy, the DOL added that work can be integral even if it is performed away from the employer’s premises.

The second factor considers whether the worker’s managerial skill affects the worker’s opportunity for profit or loss. A worker in business for him or herself not only has the opportunity to profit but also to experience a loss, the DOL explained. The question isn’t whether a worker is on the job more hours or earns more money but if the worker makes decisions and exercises skill and initiative – hiring other workers or advertising his services, for example – to move the business forward.

In the third factor, the worker’s relative investment as compared to the employer’s investment should be evaluated. “The worker should make some investment (and therefore undertake at least some risk for a loss) in order for there to be an indication that he or she is an independent business,” according to the guidance. Simply purchasing tools or other equipment may not constitute an investment, the agency added, when considered relative to the employer’s investment.

Fourth: does the work performed require special skill and initiative? Technical skills alone will not indicate that a worker is an independent contractor, the DOL said. Instead, business skills, judgment, and initiative should be evaluated. For example, a highly skilled carpenter who provides his services to a construction company may simply be providing skilled labor as an employee. On the other hand, if the carpenter decides which jobs to take, advertises his services, and determines what materials to order, he is more likely to be classified as an independent contractor.

The length of the relationship between the worker and the employer is the focus of factor five. A permanent or indefinite relationship signals an employee, the DOL said. “After all, a worker who is truly in business for him or herself will eschew a permanent or indefinite relationship with an employer and the dependence that comes with such permanence or indefiniteness,” the agency wrote. The length of time should be considered in the context of the industry, however – seasonal positions may not always indicate an independent contractor relationship, for example.

In the sixth factor, the DOL advised employers to think about control. While the control factor should not receive more weight than the other factors in the economic realities test, the nature and degree of the employer’s control should be considered in light of the ultimate determination whether the worker is economically dependent on the employer or an independent contractor. Employers do not need to look over a worker’s shoulder every day to make them an employee, the guidance cautioned, as technological advancements permit many employees to work off-site and unsupervised.

Employers should review the new guidance and be prepared for agency oversight on the issue of worker classification, keeping in mind that the DOL repeatedly emphasized that “most workers are employees.”

Read the Administrator’s Interpretation No. 2015-1.
