LEGAL
As the ability of employers to monitor, collect, and store information about their workforce grows each year, so do the number of laws regulating these activities. In 2018, employers are once again facing a host of new privacy laws as well as court and agency rulings that will adjust the contours of employee data collection, monitoring, and surveillance. The following article discusses five potential issues that employers should be aware of.
1. The EU General Data Protection Regulation enforcement deadline
On May 25, 2018, the European Union's ("EU") data privacy regime will undergo a complete overhaul that will affect U.S. employers with EU subsidiaries or EU-based employees. On that date, the EU's current data privacy framework, the Data Protection Directive (Directive 95/46/EC, "the Directive"), will be replaced by the General Data Protection Regulation ("GDPR"). For employers with EU subsidiaries, ensuring compliance with the GDPR before the May 25 application date is critical: the GDPR gives EU data protection regulators the power to impose fines of up to the higher of 20 million euro or 4% of a corporate group's total worldwide annual turnover for the preceding financial year.
The GDPR implements five notable changes to an employer's handling of an employee's personal data, which the GDPR defines as any information relating to an identified or identifiable natural person. First, the GDPR imposes more stringent restrictions on the collection, use and disclosure of employees' personal data, and on the purposes for which employers can collect it. Of particular concern are the "special categories of personal data" (commonly called "sensitive personal data"), which include information about an employee's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed to uniquely identify the employee, and data concerning an employee's health, sex life, or sexual orientation. The GDPR prohibits employers from collecting, using, or accessing employees' sensitive personal data unless one of a limited number of exceptions applies.
Second, the GDPR requires employers to give employees a detailed notice providing specific information about how their personal data will be used, the reason their personal data is being collected, and the employer’s legal basis for collecting employees’ personal data and any sensitive personal data, upon the first collection of the information.
Third, the GDPR provides employees with two new rights vis-à-vis their personal data: the right to erasure (or the "right to be forgotten"), and the right to data portability. The right to erasure permits employees, under certain circumstances, to require the deletion of their personal data. The right to data portability gives employees the right to receive the personal data they provided to the employer in a structured, commonly used, machine-readable format and to transmit it to another entity; note that this right applies only to data processed by automated means on the basis of consent or a contract, so it will not reach every category of HR data.
Fourth, the GDPR introduces a mandatory breach notification requirement. Under the GDPR, the entity that suffers a personal data breach must notify the relevant data protection authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Employers must separately notify the affected employees "without undue delay" only if the breach "is likely to result in a high risk to [their] rights and freedoms."
Fifth and finally, the GDPR obligates employers to properly vet any vendors that will receive employees' personal data and to use only vendors that provide sufficient guarantees that they will meet the GDPR's requirements. Specifically, the GDPR requires employers that provide employees' personal data to vendors to enter into a written contract with the vendor requiring, among other terms: (1) that the vendor process the personal data only on the employer's documented instructions; (2) that the vendor's employees who are authorized to process the employer's human resources data have committed themselves to confidentiality; and (3) that the vendor implement the security measures required by the GDPR.
With the May 25 deadline fast approaching, employers should use the time remaining in 2018 to ensure they are GDPR-compliant.
2. Social media: New state password protection laws and a new framework for analyzing social media policies
Screening new hires, investigating reports of employee misconduct, and preventing the unauthorized disclosure of proprietary business information are just some of the reasons that social media monitoring has become so important to employers. However, the ability of employers to monitor and access employees' social media accounts remains a focus of state legislators. On January 1 of this year, Vermont's social media account privacy law, which the legislature passed last year, went into effect. Under the law, employers are prohibited from, among other things, requiring, requesting, or coercing an employee or applicant to disclose access information to a personal social media account or content from the account, or requiring employees to add the employer to their list of contacts or "friends." In 2017, New York, Georgia, Massachusetts, and Minnesota considered bills that would prohibit the same type of employer conduct. These bills are still pending and should be monitored by employers in 2018.
While legislatures work to constrain employers' ability to monitor employees' social media accounts, a recent ruling by the National Labor Relations Board (NLRB) may give employers more leeway to regulate employees' social media conduct through social media policies. In December 2017, the NLRB ruled that it will apply a new standard when evaluating facially neutral handbook policies or rules, such as social media policies.1 Prior to the ruling, the legality of social media policies under the National Labor Relations Act (NLRA) was determined by asking whether an employee "would reasonably construe" provisions in the policy to prohibit activity that is protected under Section 7 of the NLRA. Recognizing that it had "far too often failed to give adequate consideration and weight to employer interests in its analysis of work rules," the NLRB held that it will now determine whether facially neutral policy provisions violate the NLRA by balancing: (1) the nature and extent of the potential impact on NLRA rights; and (2) the employer's "legitimate justifications" associated with the rule.
As the NLRB begins to evaluate social media policies under this framework in the year ahead, employers should pay close attention to the types of social media restrictions that are held to be permissible.
3. Biometric privacy: Continued litigation and potential new laws
One of the “hottest” areas of workplace privacy in 2017 was an employer’s collection of biometric information using timeclocks that scan an employee’s biometric identifiers (e.g., fingerprints, retina, or iris), commonly known as “biometric timeclocks.” Although biometric timeclocks were used by employers before 2017, the filing of more than 50 class action lawsuits in Illinois state and federal courts alleging violations of Illinois’ Biometric Information Privacy Act (BIPA) led to biometric privacy becoming a leading workplace privacy concern.
The pending class action lawsuits allege that employers violated BIPA by collecting employees' biometric data without first giving employees the required notice and without obtaining their written consent to the collection. Recent rulings by the U.S. Court of Appeals for the Second Circuit and the Illinois Appellate Court have held that plaintiffs who allege only such "technical violations," without any actual injury, cannot maintain a BIPA action. Nevertheless, BIPA actions are likely to continue to be filed in 2018 alleging new types of "injuries."
Yet BIPA is not the only biometric privacy law that employers must be concerned with. Texas has a biometric privacy law that requires employers to give notice and obtain employees' consent before capturing biometric identifiers, and New York Labor Law § 201-a prohibits employers from requiring fingerprinting as a condition of employment, a prohibition that reaches fingerprint-based biometric timeclocks. While the requirements in these laws are not as onerous as BIPA's, employers cannot overlook them, as these states could be the new "ground zero" for biometric privacy litigation in the year ahead.
What's more, employers are facing the prospect of complying with additional biometric information privacy laws. In 2017, biometric privacy bills were introduced in the New Hampshire (H.B. 523), Michigan (H.B. 5019) and Alaska (H.B. 72) legislatures. The bills, which are still pending, would, like BIPA, require employers in those states to provide employees with a notice and obtain written consent prior to collecting biometric data. Regardless of whether these bills pass, employers in all states should obtain their employees' written consent before collecting biometric data.
4. New background check laws
2018 has already been a busy year in the area of background check legislation. One new "ban-the-box" law has already taken effect; another is set to take effect later this year. In addition, ban-the-box legislation has been introduced in at least six other jurisdictions since the beginning of the year.
On January 1, California Assembly Bill 1008 went into effect, prohibiting employers in California with five or more employees from inquiring into or considering an applicant's "conviction history" until after the applicant has received a conditional offer of employment. If an applicant does have a conviction history, the law requires the employer to conduct an "individualized assessment" of that history that considers the nature and gravity of the offense, the time that has passed since the offense or the completion of any attendant sentence, and the nature of the job held or sought.
On June 14, employers will be required to comply with Spokane, Washington's new Fair Chance Hiring Ordinance, which restricts employers' use of criminal conviction records and arrest records in making employment decisions. Under Spokane's ordinance, employers are prohibited from advertising employment opportunities in a manner that excludes people with arrest or conviction records from applying. Although the Spokane City Council has indicated that fines will not be imposed on employers that violate the ordinance until January 1, 2019, employers with operations in Spokane should ensure that their employment applications comply with the ordinance before the June effective date.
With ban-the-box legislation currently pending in Alabama, Arizona, Florida, Mississippi, and Washington, and at the municipal level in Kansas City, Missouri, employers should be prepared to see (and comply with) more background check laws enacted in 2018.
5. Federal data breach law?
In the wake of the Equifax data breach, the Data Security and Breach Notification Act was introduced in the U.S. Senate on November 30, 2017. The Act is intended to preempt the 48 state data breach notification laws that currently exist and create a uniform set of federal standards that would apply to companies that suffer data breaches involving the personal information of more than 10,000 individuals.
Under the bill, "covered entities" – defined as any private entity that acquires, maintains, or utilizes "personal information" – would be required to notify affected individuals of a security breach involving more than 10,000 individuals within 30 days of discovering the breach. The personal information that would trigger a notification obligation under the proposed law is broader in some respects than under existing state data breach notification laws. Under the Act, unauthorized access to an individual's Social Security number, or to a financial account number or credit/debit card number in combination with any security or access code or password, would trigger a notification obligation. The Act's definition of "personal information" also includes the categories covered by many of the 48 state laws: an individual's first and last name (or first initial and last name) in combination with a driver's license number, passport number, alien registration number, biometric data, unique account identifier, routing code, or access information. "Access information" includes unique identifiers such as a mother's maiden name, home address, and month, day and year of birth that are required for an individual to obtain money, goods, services, or any other thing of value.
In addition to permitting state attorneys general to bring a federal civil action on behalf of their residents for a violation of the Act, the Act would also provide that individuals found to have concealed a data breach can be imprisoned for up to five years.
With the mid-term congressional elections approaching, the Data Security and Breach Notification Act may not see much traction in 2018. However, with more than 60 data breaches in January alone exposing more than 3,000,000 records, the Act, and data breaches generally, will remain topical in 2018.
Update: On February 1, 2018, the Kansas City, Missouri, City Council passed Ordinance No. 180034 into law. The law prohibits employers from inquiring about the criminal history of an applicant, or current employee who is being considered for a promotion, until “it has been determined that the individual is otherwise qualified for the position, and only after the applicant has been interviewed for the position.”
1 See The Boeing Co., 365 NLRB No. 154 (2017).
Kwabena A. Appenteng is an associate with Littler Mendelson, P.C. He counsels employers on a range of day-to-day employment issues with a focus on workplace privacy issues, and he has been certified by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional for the U.S. and Europe (CIPP/US; CIPP/E).