On November 29th, the FTC announced the final approval of settlements with three companies that allegedly falsely claimed participation in the EU-U.S. Privacy Shield framework. According to the FTC, Decusoft, LLC, Tru Communication, Inc., and Md7, LLC allegedly claimed that they completed the Privacy Shield certification process, in violation of the FTC Act (previously reported). In addition, the FTC alleged that Decusoft falsely claimed that it participated in the Swiss-U.S. Privacy Shield framework. Under the approved settlements, the Companies are prohibited from misrepresenting their participation in any privacy or data security program and are required to comply with FTC reporting requirements.
New York Court of Appeals Establishes Standard for Punitive Damages Under NYCHRL
The New York Court of Appeals, on a question certified by the Second Circuit, announced the standard for punitive damages in claims under the New York City Human Rights Law. Punitive damages are appropriate under the New York City Human Rights Law where the defendant’s actions amount to recklessness or willful or wanton negligence, or where there is “a conscious disregard of the rights of others or conduct so reckless as to amount to such disregard.” So held the state’s Court of Appeals in Chauca v. Abraham, resolving a long-undecided issue at the request of the Second Circuit.
In November 2010, Veronika Chauca (“Chauca”) sued her former employer, Park Management Systems, LLC, and two supervisory employees, in the Eastern District of New York for pregnancy discrimination under Title VII, the New York State Human Rights Law, and the New York City Human Rights Law (“NYCHRL”). At trial, over Chauca’s objection, the District Court declined to provide a punitive damages instruction, finding that Chauca had failed to introduce any evidence that the employer had intentionally discriminated with “malice” or with “reckless indifference” to her protected rights, the standard under Title VII. After receiving a jury award of $60,500 in compensatory damages, Chauca appealed, arguing that, with respect to her NYCHRL claim, the District Court erred in using the Title VII standard for punitive damages. She argued that the City law, which mandates that its provisions be “liberally” construed and analyzed “separately and independently” of federal law, calls for a more lenient, pro-plaintiff approach—specifically, that a punitive damages jury instruction is appropriate and necessary upon any finding of liability, regardless of whether the employer discriminated with malice or reckless indifference. The defendants argued, on the other hand, that the District Court was correct all along, and that the NYCHRL standard is the same as Title VII’s. The Second Circuit, after concluding that neither the statute nor case law provided sufficient guidance as to the appropriate standard, certified the following question to the New York Court of Appeals: “What is the standard for finding a defendant liable for punitive damages under the [NYCHRL]?”
New York Court of Appeals Analysis
On certification, the New York Court of Appeals, in a 6-1 decision, took a middle ground. Regarding Chauca’s argument, it noted that punitive damages are intended to address “gross misbehavior” or conduct that “willfully and wantonly causes hurt to another.” As a result, the court held, there must be some heightened standard for punitive damages, and a finding of liability cannot by itself automatically support a jury charge pertaining to punitive damages. As to the defendants’ argument, the court explained that New York City has twice amended the NYCHRL out of concern that the statute was being too strictly construed, cautioning courts that similarly worded federal statutes may be used as interpretive aids only to the extent that they are viewed “as a floor below which the City’s Human Rights Law cannot fall, rather than a ceiling above which the local law cannot rise,” and only to the extent that those decisions may provide guidance as to the “uniquely broad and remedial purposes of the local law.” Against this backdrop, the court held that the punitive damages standard must be less stringent than the one imposed by Title VII. The court then held that “punitive damages” is a legal term of art that has an established meaning under New York common law, under which punitive damages are appropriate in cases with “conduct having a high degree of moral culpability which manifests a conscious disregard of the rights of others or conduct so reckless as to amount to such disregard.” This standard requires neither a showing of malice nor awareness of the violation of a protected right.
The court’s decision now makes clear that the standard for punitive damages under the NYCHRL is broader, and more plaintiff-friendly, than under Title VII. (The State Human Rights Law does not permit punitive damages at all.) While punitive damages will not be available in every NYCHRL case where an employee prevails, the plaintiff will be entitled to a jury instruction on punitive damages whenever there is evidence that the defendant acted with “malice” or with “reckless indifference” to the plaintiff’s protected rights, or when the defendant’s actions amount to “a conscious disregard of the rights of others or conduct so reckless as to amount to such disregard.” As a practical matter, the standard foreshadows that trial courts will issue punitive damages charges more frequently than they have before now. As argued by the New York City Law Department in its amicus brief, which urged the court not to tie the standard to Title VII’s: “[T]he very same evidence that establishes liability in a given case may well warrant punitive damages. For example, if a jury finds that an employee has been fired because of his or her race, it will be quite difficult for a defendant acting in the year 2017 to claim that there is no basis to conclude that it was acting with at least reckless disregard or gross negligence toward the employee’s rights or toward the possibility that it was causing harm based on a protected characteristic.” The decision thus serves as a further reminder that employers in New York City should adopt and enforce strong anti-discrimination policies, train their employees on avoidance of discriminatory and harassing behaviors, thoroughly investigate internal complaints of such behavior, and swiftly discipline those who transgress. Juries throughout the five boroughs will be waiting to punish them through damages awards if they fail to do so.
U.S. Supreme Court Denied Cert in a Challenge to the Ninth Circuit’s Decision
Recently, the U.S. Supreme Court denied M-I’s petition for cert in a challenge to the Ninth Circuit’s decision in Sarmad Syed v. M-I, LLC, No. 14-17186 (9th Cir., Jan. 20, 2017). The case centers on the employer-provided disclosure and authorization required by the Fair Credit Reporting Act (FCRA), the “stand-alone disclosure” requirement, and whether the inclusion of a liability waiver is a willful violation of the statute. As it stands now—at least in the Ninth Circuit—an employer’s inclusion of a liability waiver in the disclosure and authorization notice to the job applicant is considered a willful violation. However, the Supreme Court’s decision to refuse to hear a challenge to Syed goes to the issue of what qualifies as Article III standing under its decision in Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016). So, for now, we will continue to suffer under inconsistent lower court decisions on how to evaluate standing to bring a claim under the FCRA.
Echevarria v. Bank of America Settlement
On December 15th, TopClassActions reported that Bank of America agreed to settle a $5.5 million class-action lawsuit. According to the original complaint, Lead Plaintiff Michael Echevarria alleged that Bank of America failed to update credit reporting information for credit card accounts it sold to third parties that were discharged in bankruptcy. The error negatively affected his ability to obtain credit cards and access credit scores. The case is Michael Echevarria, et al. v. Bank of America Corporation, et al., Case No. 14-08216, in the U.S. District Court for the Southern District of New York.
The EEOC Continues to Press Litigation Under Title VII Concerning Employer Criminal Records Checks
In April 2012, the Equal Employment Opportunity Commission (“EEOC”) issued updated “Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964.” The guidance concerns how, in the EEOC’s view, Title VII restricts an employer’s discretion to consider criminal records for hiring decisions. What followed was a flurry of new EEOC charges and broad-based investigations relating to employment criminal records checks. Despite some setbacks in the courts, the EEOC is continuing enforcement activities. The EEOC’s Strategic Enforcement Plan for Fiscal Years 2017-2021 refers to “Eliminating Systemic Barriers in Recruitment and Hiring” (e.g., use of “screening tools” and “background screens”) and notes this as one of the agency’s “National Priorities” for the next several years. The EEOC’s longstanding lawsuit against Dollar General is an ongoing example of its commitment to these actions. Earlier this month, an Illinois federal judge largely denied Dollar General’s attempt to force the EEOC to provide additional evidence in support of its claim that the employer’s background check policy disparately excluded African-American workers from employment. This ruling significantly limited the discovery burdens placed on the EEOC for the case and may only strengthen the EEOC’s stated resolve to pursue future similar actions against employers.
The Dollar General Lawsuit
In 2013, the EEOC filed suit against Dollar General, alleging that the company’s use of criminal background checks disparately impacted African-American applicants in violation of Title VII. The individuals who filed the charges prompting the EEOC’s lawsuit are African Americans, one of whom alleged that Dollar General denied her employment because of a six-year-old conviction for possession of a controlled substance. The other individual alleged she was terminated because of a felony conviction that actually belonged to someone else. The lawsuit alleged that there was a “gross disparity in the rates at which Black and non-Black conditional employees were discharged,” in violation of Title VII. As the district court held, to succeed on its disparate impact claim, the EEOC must first offer “statistical evidence of a kind and degree sufficient to show that the [background check policy] has caused the exclusion of applicants for jobs…because of their membership in a protected group.” At that point, the burden would then shift to Dollar General to demonstrate that the policy is “job related for the position in question and consistent with business necessity.” If Dollar General makes this showing, the burden would shift back to the EEOC to “show that an equally valid and less discriminatory practice was available that Dollar General refused to use.”
The Discovery Dispute
Dollar General served discovery aimed at its burden to prove the policy was job-related for each position and consistent with business necessity. In particular, and in aid of this defense, Dollar General asked the EEOC to identify the specific job positions where African-American applicants experienced alleged disparate impact due to the criminal background check policy, and the portion of the policy that allegedly was responsible for the disparate impact. Dollar General also asked the EEOC to identify any alleged less-discriminatory policies and practices it believed Dollar General should implement and to explain how those policies are consistent with the company’s business needs—which is the EEOC’s burden to prove should Dollar General meet its defense burden. When the EEOC balked, Dollar General moved to compel. With the narrow exception of requiring the EEOC to specifically identify the “universe of documents” it intends to use at trial, the district court denied the employer’s motion. The court explained that Dollar General had long maintained that the EEOC was required to demonstrate disparate impact on a position-by-position basis, based on Dollar General’s wide range of varying positions, from store manager to corporate officer. However, the court accepted the EEOC’s position that it need not perform any position-by-position analysis of disparate impact because the EEOC alleged that Dollar General applied the same background check policy to all job applicants across all positions. The court found that the EEOC’s “global approach to analyzing the background check policy” was sufficient and noted that Dollar General was free to engage its own expert to perform a position-by-position analysis. Ultimately, the court held that the burden of demonstrating business necessity for each position fell squarely on Dollar General, and the EEOC has no obligation to assist with this showing.
The court also rejected Dollar General’s request that the EEOC be ordered to further specify “the less discriminatory alternative practices (‘LDAs’) it should use in lieu of the criminal background check policy.” The EEOC did not dispute that it carried the burden on this issue, but claimed that it had already provided Dollar General with less-discriminatory options, including limiting the time frame for convictions, limiting the type of convictions considered, and conducting individualized assessments for each applicant. Dollar General responded that these were “merely generic suggestions that fail to provide any meaningful guidance regarding LDAs it could actually implement in the case.” However, the court refused to order the EEOC to respond further, finding the agency had “provided sufficient factual information regarding LDAs” at this “juncture” of the case. The court left open the possibility that the EEOC may have to further identify LDAs via its expert once Dollar General’s expert explains why the policy is job-related and consistent with business necessity.
The Dollar General discovery order is most significant for how it reflects the EEOC’s resolve to continue to litigate broad background-check-related cases notwithstanding its very public failings in other such cases. And it has settled, rather than lost, other similar matters. Employers thus should continue to exercise caution and care in drafting their criminal record screening policies. Employers also should consider arranging for a privileged review of their credit and criminal check screening processes, policies and procedures to fortify compliance with Title VII and related requirements, particularly the Fair Credit Reporting Act (a regular source of class action litigation). Employers also should continue to be mindful of their obligations under the proliferating state and local ban-the-box laws.
Spokane City Council Approves Ban-the-Box Ordinance
On November 27th, the Spokane City Council approved a measure banning private employers from asking about a job applicant’s criminal history by a vote of 5 to 2. The ordinance authorizes the City to impose fines against employers for noncompliance, which goes into effect in 2019. Private employers could be subject to a fine if they “advertise for jobs indicating felons aren’t allowed to apply, if they include a question about criminal history on applications or ask about it before conducting a job interview.”
Check Those Pre-Adverse Action Letters – New California Law Goes into Effect
On January 1, 2018, California Government Code § 12952 goes into effect. § 12952 is yet another state law that regulates how employers can use criminal background checks in the hiring process. Although state laws governing this practice have become commonplace, § 12952 is unique in that it contains new requirements as to what a potential employer must include in a pre-adverse action letter to job applicants—beyond what the federal Fair Credit Reporting Act (“FCRA”) already mandates. California employers should review their forms to ensure they comply with this new California requirement.

When a potential employer is considering not hiring a job applicant based on information the employer learns from a criminal background check (among other types of background checks), the employer must follow the FCRA’s pre-adverse action protocol. Under this protocol, the employer must provide the applicant with a copy of the background check and an FCRA summary of rights before making a final employment decision regarding the applicant. This gives the applicant the opportunity to review the background check and point out any errors he or she believes exist. Employers often deliver this information to applicants with a pre-adverse action letter, which typically informs the applicant about the possibility of adverse action. Importantly, the FCRA does not require any specific content in the pre-adverse action letter. The FCRA does not even require a letter at all.

California Government Code § 12952 changes that for Californians. Under this new code section, the employer must provide the applicant with specific written notifications regarding the potential adverse action. These notifications include the following:
- Notification that the employer has made a “preliminary decision that the applicant’s conviction history disqualifies the applicant from employment;”
- Notification of the disqualifying conviction or convictions that are the basis for the preliminary decision to rescind the offer of employment;
- A copy of the conviction history report, if any; and
- An explanation of the applicant’s right to respond to the notice of the employer’s preliminary decision before that decision becomes final and notification of the deadline by which the applicant may respond. This explanation must inform the applicant that the response may include the submission of evidence challenging the accuracy of the conviction history report that is the basis for rescinding the offer, evidence of rehabilitation or mitigating circumstances, or both.
The employer may also explain its reasoning in making the preliminary decision, but that statement of reasoning is not required. These pre-adverse action mandates are only a sampling of § 12952’s new requirements. The legislation includes specific restrictions on when an employer can use criminal record information in the employment process, restrictions on the type of information an employer can use, and restrictions on the way an employer can use such information. The statute also includes specific requirements for the adverse action letter (as opposed to the pre-adverse action letter) above and beyond what the FCRA requires. With the new requirements poised to take effect, multistate employers should pay close attention to their pre-adverse action and adverse action letters to ensure they comply with this new California law. That is especially true here, as § 12952 is one of the first state laws to regulate the content of these letters.
What can employers do with regard to background checks and inquiries in California?
Criminal records and arrests: As a general matter, employers are prohibited from making any non-job-related inquiry of applicants or employees that directly or indirectly expresses a limitation, specification, or discrimination about any protected characteristic. In addition to the federal Fair Credit Reporting Act governing the use of background checks in employment, California employers must also comply with certain requirements in the California Investigative Consumer Reporting Agencies Act and the California Consumer Credit Reporting Agencies Act. An employer may not ask an applicant about any arrest or detention which did not result in a conviction (California Labor Code, §432.7). Neither can employers ask applicants to disclose information regarding a conviction for certain marijuana-related crimes or possession of certain drug-related paraphernalia when the conviction is more than two years old (California Labor Code, §432.8). With limited exceptions, employers may not ask for juvenile convictions or inquire or use information about juvenile arrests, detentions, or court dispositions in making an employment determination. Los Angeles employers are subject to ban-the-box local laws which prohibit inquiries on criminal records until after a conditional job offer has been made. San Francisco employers cannot inquire about applicants’ criminal records until after the initial job interview.
Medical history: As a general matter, employers may not inquire about any mental or physical disability or medical condition, but may ask the applicant if he or she can perform the essential functions of the job. The Fair Employment and Housing Act prohibits employers from requiring applicants to take a medical or psychological examination before the initial job offer (California Government Code, §§ 12900-12996). After extending an initial job offer, the employer may ask the applicant to undergo a pre-employment medical exam or laboratory test, so long as it relates specifically to the essential functions of the job. Background check reports may not include medical information without the employee’s or applicant’s authorization (California Civil Code, §1786.12(f)).
Drug screening: There is no specific statute on drug screening, but California courts have generally permitted employers to require employees to pass a drug test as a condition of employment, so long as the employer tests all applicants and does not single out certain applicants due to protected characteristics. Note that employers in certain safety-sensitive industries such as transportation and aviation are subject to federal drug testing laws. The California Supreme Court has held that an employer may refuse to hire an applicant who tests positive for marijuana even where it is prescribed for medicinal purposes (Ross v. RagingWire Telecomms, Inc., 42 Cal 4th 920 (2008)).
Credit checks: Under the California Consumer Credit Reporting Agencies Act, employers generally may not obtain a consumer credit report or perform a credit check of an applicant or employee except in limited circumstances, such as where the position of the person for whom the report is requested involves:
- a managerial position;
- access to confidential/proprietary information or regular access to $10,000 or more of cash belonging to the employer/customer/client; or
- regular access to individuals’ bank or credit card account information or date of birth, or in cases where the person is, or would be, either a named signatory on the employer’s bank or credit card account, authorized to transfer money on the employer’s behalf or authorized to enter into financial contracts on the employer’s behalf.
Before obtaining a consumer credit report for employment purposes, employers must give written notice to the consumer specifying the exemption they are relying on to obtain the report (California Civil Code, §1785.20.5; California Labor Code, §1024.5).
Immigration status: The federal Immigration Reform and Control Act sets out certain requirements to establish authorization to work in the United States. California has additional requirements prohibiting employers from engaging in unfair immigration-related practices, such as using E-Verify to check a person’s authorization status at a time or in a manner not required under federal immigration law, or in retaliation for a person’s exercise of his or her employment rights under the Labor Code. Under the recently enacted Section 1019.1 of the Labor Code, employers may not:
- request more or different documents than required under federal law to verify work authorization status;
- refuse to honor documents that look genuine;
- refuse to honor documents or work authorizations based on the specific status/term accompanying the authorization to work; or
- attempt to re-investigate or re-verify an incumbent employee’s authorization to work using an unfair immigration-related practice.
A penalty of up to $10,000 per violation may be recovered by the applicant, employee or the labor commissioner.
Social media: While there is no specific statute prohibiting retrieval or review of applicant or employee social media information, relying on such information to make employment decisions can raise a host of issues under the state’s anti-discrimination and privacy laws. For example, an employer may be liable for discrimination if it conducts a social media search which reveals an applicant’s protected characteristics and then relies on such information in deciding whether to hire. In addition, Section 7 of the National Labor Relations Act prohibits employers from discriminating or taking adverse action against employees who engage in protected concerted activity, which may include online discussions of wages, hours or other working conditions. California employers must also refrain from asking applicants to access a personal social media account in the employer’s presence and may not require employees to provide log-in information for their social media accounts (California Labor Code, §980(b)).
Other: Employers may not demand or require applicants or employees to take a polygraph test nor request an applicant or employee to take a polygraph test without first advising him or her of rights under Section 432.2 of the Labor Code. Likewise, California employers cannot use the results of applicant or employee HIV tests for employment purposes (California Health and Safety Code, §120980(f)).
What can employers do with regard to background checks and inquiries in Ohio?
Criminal records and arrests: Ohio has “ban the box” legislation for public employers. Ohio law mandates that schools, daycare centers and healthcare facilities, among others, conduct background checks for applicants. Generally, Ohio mirrors federal law for private employers.
Medical history: Ohio has no specific law limiting a private employer’s ability to make medical inquiries of its employees. Ohio law mirrors federal law.
Drug screening: Ohio has no specific law regulating drug and alcohol testing for private employers. Generally, Ohio law mirrors federal law.
Credit checks: Ohio has no specific law regulating credit checks or the use of credit reports in the employment context.
Immigration status: Ohio has no specific law governing immigration status.
Social media: Ohio has no specific law governing social media passwords in the employment context.
What can employers do with regard to background checks and inquiries in Utah?
Criminal records and arrests: Utah law does not restrict an employer’s use of criminal history records for either arrests or convictions (Utah Code §53-10-108).
Medical history: Utah employers cannot, in connection with hiring, promotion, retention, or other related decisions, access or otherwise take into consideration private genetic information about an individual. An employer may seek an order compelling the disclosure of private genetic information in connection with an employment-related judicial or administrative proceeding in which the individual has placed his or her health at issue, or an employment-related decision in which the employer has a reasonable basis to believe that the individual’s health condition poses a real and unjustifiable safety risk requiring the change or denial of an assignment (Utah Code §34A-11-102; 26-45-103). It is unlawful for an employer to charge an applicant or employee a medical fee for a physical examination. If an employer conditions employment on a physical examination, the employer must pay all examination costs (Utah Code §34-33-1).
Drug screening: Utah law protects employers from liability related to testing for drugs and alcohol if the employer complies with the Utah Code Chapter on Drug and Alcohol Testing (Utah Code § 34-38-3). Employers may test employees or prospective employees as a condition of hiring or continued employment. However, employers and management must submit to the testing on a periodic basis.
Testing must be carried out pursuant to the employer’s written testing policy, which must be distributed to employees and made available for review by prospective employees. Permissible reasons for testing include:
- investigation of possible individual employee impairment;
- investigation of workplace accidents or incidents of workplace theft;
- maintenance of safety for employees or the general public; or
- maintenance of productivity, quality of products or services, or security of property or information (Utah Code §34-38-7).
Testing must occur during or immediately after the regular work period for current employees and will be deemed work time for pay and benefits purposes. The employer must pay all costs of testing, including the cost of transportation if testing is conducted at a place other than the workplace (Utah Code §34-38-5). An employer can take adverse action against an applicant or employee if the employee or applicant refuses to provide a sample, or produces a failed test that is confirmed and indicates a violation of the employer’s written policy (Utah Code §34-38-8).
Credit checks: Utah has no law restricting how employers can use credit reports.
Immigration status: Utah requires employers with 15 or more employees to verify the employment eligibility of employees through E-Verify or another status verification system.
Social media: Utah’s Internet Employment Privacy Act (Utah Code §34-48-101 et seq.) prohibits employers, with limited exceptions, from requesting an employee or an applicant for employment to disclose a username and password, or password that allows access to the individual’s personal online accounts. It also prohibits employers from taking adverse action, failing to hire, or otherwise penalizing an employee or applicant for failure to disclose usernames or passwords for personal online accounts. Exceptions under which an employer may request or require usernames or passwords include:
- when access to an electronic device or account provided by the employer is required;
- when disciplining or discharging an employee for transferring the employer’s proprietary or confidential data to an employee’s personal online account without authorization; and
- when conducting an investigation based on specific information about activity on the employee’s personal online account that may violate applicable laws or policies against work-related misconduct, or about an unauthorized transfer of the employer’s proprietary information to an employee’s personal online account.
Employers are not restricted from viewing, accessing, or using publicly available information. Employers are not prohibited from complying with a duty to screen employees and applicants before hiring or monitoring and retaining employee communications under applicable law. The law provides for a private right of action, but caps damages at $500.
Australia Plans to Join APEC Cross Border Privacy System
On November 23rd, the Australian Attorney-General’s Department announced that it plans to participate in the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules System. Over the next few months, the Department plans to work with the Office of the Australian Information Commissioner and businesses to implement the requirements.
EU-Japan Transfer Deal
On December 15th, Reuters reported that the EU is seeking to finalize a deal with Japan that will allow for the free transfer of personal data, including employee data, credit card information, and Internet browsing habits, between the regions. EU Justice Commissioner Vera Jourova said that the EU intends to give Japan an adequacy decision in 2018.
Article 29 Working Party Privacy Shield Opinion
On December 5th, the EU Article 29 Data Protection Working Party (WP29) published a report regarding the first annual review of the EU-U.S. Privacy Shield agreement. The WP29 “identified a number of significant concerns that need to be addressed by both the (European) Commission and the U.S. authorities.” Concerns include the ability of U.S. authorities to access EU citizens’ data under section 702 of the “Foreign Intelligence Surveillance Act” and vacancies on the Privacy and Civil Liberties Oversight Board, among other things. According to the WP29, the concerns need to be addressed by the second Privacy Shield review or it “will take appropriate action, including bringing the Privacy Shield Adequacy decision” to the Court of Justice of the European Union for a ruling.
EU Data Protection Meeting
On December 12th, the European Parliament insisted that all EU bodies, institutions, and agencies follow the same data protection regulations in order to ensure coherency with member states and to align more closely with the General Data Protection Regulation, which goes into effect in May 2018. The request comes following a recent meeting to update regulations regarding the processing of personal data by EU institutions. According to Parliament Member Cornelia Ernst, the goal is to “create a single, unified framework for the protection of personal data by the EU institutions, bodies, offices and agencies.” Parliament argued that non-uniformity will make multistate enforcement unrealistic and also create loopholes. The Council of the European Union is currently “unwilling to discuss” Parliament’s position.
What can employers do with regard to background checks and inquiries in France?
Criminal records: Criminal records in France are available only to the individual they concern and cannot be obtained by third parties (i.e., an employer). The general rule is that any request by an employer for a copy of a criminal record is prohibited. Some provisions allow certain employers, such as securities companies or regulated professions (e.g., attorneys and bankers), to request copies of criminal records.
Medical history: Job applicants are not required to inform their future employer of their state of health or disability. Only an occupational doctor is entitled to be informed during a medical check-up. An employer cannot collect information on the size, weight or vision of job candidates.
Drug screening: It is not permitted to use routine drug screening tests in the workplace. However, a drug screening can be considered if the position in question justifies it (e.g., a security position or a position in the transportation industry) and the job applicant is informed about the screening process.
Credit checks: Employers cannot seek or collect information relating to an applicant’s bank accounts or loans.
Immigration status: Employers are entitled to ask a candidate to provide his or her civil status and nationality. However, the principle of non-discrimination forbids the employer from dismissing or failing to hire a candidate because of his or her nationality.
Social media: No specific provision forbids an employer from using social media in order to collect information about an applicant. However, no personal information can be collected without the candidate being informed. This means that an employer should inform applicants that it investigates social media. Further, the Labour Code contains a general obligation of proportionality (between the position of the employee and the information requested), which applies to the collection and processing of personal data on employees, whether they are potential hires or existing employees. This means that information can be collected about an employee only if the information is intended to assess the professional abilities of the person.
Other: An employer may gather information concerning the professional training of an employee, his or her diplomas, his or her references and his or her past professional and work experience—but only in order to ensure his or her professional competence. French courts strictly apply these rules and do not allow employers to request information about an employee’s private life. For example, an employer can ask for copies of a candidate’s diplomas but cannot ask for his or her whole school file.
General Hiring Conditions and Background Checks in Germany
Employers are only allowed to carry out background checks in Germany if the information might be relevant for the role. For instance, inquiries regarding illness are permitted to the extent that such illness could permanently or periodically affect the applicant’s suitability for the job and to the extent they are not discriminatory on the grounds of disability. Questions regarding pregnancy are always prohibited. Criminal records can only be requested insofar as the respective crime is connected to the position to be filled. Thus, an applicant for a position in the financial industry can be asked about property crimes and an applicant for a truck-driver position about traffic offences. If a question is not permitted, the applicant is entitled to answer it untruthfully, with the consequence that the employment relationship (if the applicant is subsequently employed) cannot be terminated for that reason.
What can employers do with regard to background checks and inquiries in Greece?
Criminal records: This issue is addressed in the framework of Law 2472/1997 on the protection of personal data and the protection of an employee’s personal data under Article 57 of the Civil Code. As a criminal record contains sensitive personal data, only the employee concerned has the right to obtain it, with the exception of when the request is necessary for a specific job (e.g., money management workers and teachers).
Medical history: Medical confidentiality applies, alongside the principles of respect for an individual’s rights and the protection of personal data, as stated above. Therefore, medical history may be requested only within the context of a person’s job if legally required (e.g., in the interests of public safety) or for the person’s safety. All personal data can be used, at any time, only after an employee’s prior informed consent.
Drug screening: There is no specific legislation on workplace drug testing, though the Personal Data Protection Authority’s code of conduct refers to it. The code of conduct provides that alcohol and drugs testing in the workplace must be:
- carried out with the prior informed consent of the employees concerned;
- clearly stated in employment contracts; and
- form part of an explicit health information, education and rehabilitation policy.
Credit checks: The financial status of an employee falls under his or her personal data and is thus protected as above.
Immigration status: The employer is entitled to request a new foreign (i.e., non-EU) worker to furnish a copy of his or her passport bearing a type D visa and his or her residence permit for working purposes, or such other special permit (e.g., an EU Blue Card, long-term residence permit or permit for management executives).
Social media: There is no specific legislation on social media. The issue falls within the frame of the protection of personal data.
Other: Not applicable.
GDPR – A Twelve Step-Plan for Employers
The implementation of the long-awaited European Union (“EU”) General Data Protection Regulation (“GDPR” or the “Regulation”) is now clearly on the horizon. The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from 1995, when the Data Protection Directive was adopted. Although the key principles of data privacy have been retained in the GDPR, many changes have been made to the regulatory regime. The GDPR takes effect and is enforceable from 25 May 2018, at which point organizations that are not in compliance may be liable to penalties.
Employees will have a right under the GDPR to obtain information from employers about whether their personal data is being processed and, if so, where and for what purpose. Employees will have the right to have their details used in line with data protection regulations, the right to information about their personal information, the right to access their personal details, the right to know if their personal details are being held, the right to change or remove their details, the right to prevent use of their personal details, the right to remove their details from a direct marketing list, the right to object to their details being used, the right to freedom from automated decision making, and the right to refuse direct marketing calls or mail. Employees have the right to data protection when their details are held on a computer, held on paper or other manual form as part of a filing system, and made up of photographs or video recordings of their image or recordings of their voice. The aim of these rights is to help the employee ensure that the information stored about them is: factually correct, only available to those who should have it and only used for stated purposes.
To assist companies with the initial preparation for the changes in the GDPR, the Data Protection Commissioner (“DPC”) has prepared an introductory document for companies which lists 12 steps that can be taken now to prepare for the changes expected to come into force in May 2018. It should be noted that the guide is not an exhaustive list and companies should ensure that their preparations take account of all actions required to bring them into compliance with the new law.
- Awareness: Employers should review and enhance their company’s risk management processes and try to identify problem areas now. Implementing the GDPR could have significant resource implications, especially for larger and more complex companies.
- Information Employers Hold: Employers should make an inventory of all personal data they hold. Why do they hold it, do they still need it, and is it safe? If the company holds inaccurate personal data and has shared it with another company, it will have to notify the other organization so it can correct its records. This can only be done if the company knows what personal data is held, where it came from and who it is shared with. Documenting these details will help to comply with the GDPR’s accountability principle, which requires organizations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
- Communicating Privacy Information: Employers should review all their data privacy notices and make sure they keep service users fully informed about how their data is used. The current privacy notice is used when personal data is collected; it states the company’s identity and how it intends to use the personal information. Under the GDPR there are some additional items: the notice will need to explain the legal basis for processing the data, the data retention periods and that individuals have a right to complain to the DPC if they think there is a problem with the way their data is being handled.
- Individuals’ Rights: Employers should ensure their procedures cover all the rights individuals are entitled to, including deletion and data portability. Can the company respond appropriately to a request to have personal data deleted and would current systems and procedures help to locate and delete the data?
- Subject Access Requests: Employers should plan how they will handle all requests within the new timeline of one month. There will be different grounds for refusing to comply with subject access requests—unfounded or excessive requests can be charged for or refused. For refusals, policies and procedures must be in place to demonstrate why the request meets these criteria.
- Legal Basis for Processing Personal Data: Is the employer relying on consent, legitimate interests or a legal enactment to collect and process data? The legal basis for processing personal data must be explained in the privacy notice and when a subject access request is answered.
- Consent: Employers should review how they seek, obtain and record consent. Consent must be a positive indication of agreement to personal data being processed; it cannot be inferred from silence, pre-ticked boxes, “opt out” boxes or inactivity. If an individual’s consent to process their data is relied upon, employers must ensure that it meets the standards required by the GDPR. Employers should note that consent must be verifiable and that individuals generally have stronger rights where a company relies on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given, so they must review the systems used for recording consent to ensure there is an effective audit trail.
- Children: Although unlikely to arise in an employment relationship, employers should be aware that adequate systems must be in place to verify individual ages or gather consent from guardians. This aspect is likely to be more of an issue for commercial internet services like social networking sites. If a company collects information about children—generally those under 16 years of age, but Member States are given discretion to lower this to 13 years of age—then a parent or guardian’s consent will be needed in order to process their personal data lawfully.
- Data Breaches: Is the company ready for mandatory breach reporting? Employers should ensure that they have procedures in place to detect, report and investigate data breaches. The GDPR will bring in a breach notification duty for all companies. Not all breaches will have to be notified to the DPC, only those likely to result in a risk to individuals, for example through identity theft or a breach of confidentiality. In some cases, the individuals whose data has been subject to the breach will need to be notified directly, for example where the breach might leave them open to financial loss. Larger companies will need to develop policies and procedures for managing data breaches. A failure to report a breach when required to do so could result in a fine, in addition to any fine for the breach itself.
- Data Protection by Design and Data Protection Impact Assessments (“DPIA”): A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It allows organizations to identify potential privacy issues before they arise and to come up with a way to mitigate them. It has always been good practice to adopt privacy by design as a default approach, and privacy by design and data minimization have always been implicit requirements of the data protection principles. The GDPR, however, makes this an express legal requirement. It is not always necessary to carry out a DPIA, but one is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals.
- Data Protection Officers (“DPO”): Will the company be required to designate a DPO? If so, it is important to ensure that the DPO (whether it is someone appointed from within the organization, or an external data protection advisor) takes proper responsibility for data protection compliance and has the knowledge, support and authority to do so effectively.
- International: The GDPR includes a ‘one stop shop’ provision which will assist those data controllers whose companies operate in many Member States. Companies should identify where their Main Establishment is located in the EU in order to identify their Lead Supervisory Authority. Companies may also need to review how transfers of personal data outside the EEA will continue to be permitted.
Article 29 Working Party Releases GDPR Guidelines on Transparency and Consent
On December 12th, the EU’s Article 29 Working Party published guidelines on transparency obligations under the General Data Protection Regulation (GDPR). The guidelines intend to provide “practical guidance and interpretive assistance” to data controllers regarding the transparency obligations under the GDPR. Under those obligations, controllers are required to provide certain information to data subjects regarding the processing of their personal data. The Working Party also adopted guidelines regarding consent under the GDPR. The Working Party states that data subjects must have “genuine choice” with regard to accepting or denying terms offered “without detriment.” The guidelines are open to public comment until January 23rd, 2018. Key takeaways include: (i) Information provided to data subjects regarding the processing of their data must be “concise, transparent, intelligible and easily accessible.” The Working Party recommends that processing information be provided in a “layered structure” to allow individuals to read through the information; (ii) Information must be concise and easy to understand and provided free of charge; (iii) If the data is obtained directly from the data subject, the information regarding the processing of the data must be provided at the time it is obtained. If the data is obtained indirectly, the information must be provided within a “reasonable” period of time and no later than one month after it is collected; (iv) Consent must be given for the processing of personal data for a specific purpose, and certain information must be provided to the data subject before consent can be given, including the identity of the controller, the data that will be collected, and the purpose of the processing; and (v) Consent must be given by a clear statement or by a “clear affirmative action” indicating agreement to the processing of the data subject’s personal data.
https://www.agg.com/files/uploads/documents/dpcra%202017/12%2022%202017%20DPCRA.%20docx.pdf
FTC Credit Questions
On December 13th, the FTC published a blogpost to answer frequently asked questions regarding fraud alerts, credit freezes and credit locks following the Equifax data incident to help consumers understand key service differences. The blogpost provided a chart to explain how each service works, the duration and the cost.
Experian Partner Suffers Data Breach
On December 19th, UpGuard reported that it had discovered a publicly accessible cloud-based repository belonging to analytics firm Alteryx, a partner of Experian, containing the personally identifiable information of 123 million households. The repository also held data from the 2010 U.S. Census, but that data was already publicly available. The personal information was part of Experian’s ConsumerView database, which is sold as a product to third parties. The database contained 248 categories of data related to consumers’ financial history, travel and spending habits, and household demographics. The repository has since been secured.