January 2021 Screening Compliance Update

Federal Developments

Leading Subprime Auto Finance Company Settles With CFPB For Violations Of The Fair Credit Reporting Act
The Consumer Financial Protection Bureau recently announced a consent order against a subprime automobile finance company for violations of the Fair Credit Reporting Act resulting from systemic errors in data furnished to credit reporting agencies between January 2016 and August 2019.

The company consented to the issuance by stipulation without admitting or denying the findings. The Bureau determined that the errors “should have been readily apparent because the data for certain accounts was internally inconsistent.” Also, one CRA notified the company of certain reporting discrepancies. The bulk of the order alleges that the company engaged in a pattern of re-aging accounts.

During the affected time period, in 35 percent of all instances in which the company furnished a date of first delinquency, this date equaled the date of account information.

The date of first delinquency is the field used in calculating when a tradeline should drop off of a consumer’s credit report. Simply put, the date of first delinquency is the reporting date associated with the time the account first went into default and was not later cured.

The Bureau explains the date of account information as the date the company “pulled information from its system of record each month in order to send” the information to credit reporting agencies. According to the Bureau, “when furnishing in the Metro 2 format, furnishers like Respondent must provide the [date of account information] so that date is updated each month until the company stops reporting a tradeline.”

While the Metro 2 reporting requirements are much more detailed and technical, essentially the consent order points out that these two dates are distinguishable and if an account is severely delinquent, then these dates should not match. In addition, it was noted that the company was reporting a date of first delinquency on accounts that were current.

The company was assessed a $4,750,000 civil money penalty. In addition to correcting the inaccuracies, the company is to establish a monthly audit process to assess the accuracy and integrity of the reporting information along with implementing policies and procedures.
https://www.lexology.com/library/detail.aspx?g=6085f8ff-38e8-4311-9fdd-0c880b33f5a8&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-06&utm_term=

Salary History Bans
As more states legalize cannabis, job opportunities grow. However, more jobs bring a greater risk of employment-related lawsuits at the hiring stage. While there are a host of issues cannabis companies need to consider at the hiring stage (e.g., background checks, policies, benefits, payroll), this blog post focuses on salary histories.

Salary history bans at the State level. Many states and municipalities have enacted bans that prevent employers from asking applicants about their prior salary information.

For example, California employers cannot ask applicants for prior salary histories and, if the applicant shares this information voluntarily, employers cannot use the information to determine pay. San Francisco goes a step further and adds that employers cannot disclose a current or former employee’s salary without their consent unless it’s publicly available, required by law, or subject to a collective bargaining agreement.

New Jersey, where voters approved a cannabis legalization referendum, prohibits employers from requesting prior wages, salaries, or benefits. But employers can confirm pay history and consider pay history in determining the applicant’s salary, benefits, and other compensation if such history is voluntarily disclosed.

Oregon, which recently decriminalized drugs, prohibits employers from asking prospective employees about their compensation history until after an offer is made. Employers are also prohibited from paying employees who perform comparable work different pay rates because of their race, color, religion, sex, sexual orientation, national origin, marital status, veteran status, disability, or age.

Other states with similar salary bans (where cannabis has been legalized in some form) include: Colorado, Connecticut, Delaware, Hawaii, Illinois, Maine, Massachusetts, Michigan, Missouri, Vermont, and Washington.

The Federal government could soon invoke a salary history ban. President-elect Joe Biden has pledged to sign the Paycheck Fairness Act (Sec. 10) during his term, which, among other things, would create a federal ban on requesting a job applicant’s prior salary history.

Specifically, the Act would make it illegal for employers to use wage history to decide whether to hire a prospective employee. It would also prohibit employers from relying on or seeking prospective employees’ pay histories to determine their wages and prevent employers from taking any adverse action against any employee or prospective employee for refusing to provide salary histories. There is one exception though: “an employer may rely on wage history if it is voluntarily provided by a prospective employee, after the employer makes an offer of employment with an offer of compensation to the prospective employee, to support a wage higher than the wage offered by the employer.”

Employers who violate the Act may be subject to civil penalties and individual and collective/class actions.
https://www.lexology.com/library/detail.aspx?g=2dedfdeb-b268-4928-811c-fde76d818738&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-20&utm_term=

EEOC Updates Its Compliance Manual On Religious Discrimination
On January 15, 2021, the U.S. Equal Employment Opportunity Commission (EEOC) issued an updated Compliance Manual on Religious Discrimination. The EEOC voted 3-2 to approve the update.

The update supersedes the EEOC’s Compliance Manual on Religious Discrimination issued on July 22, 2008. The EEOC noted that “the contents of the manual do not have the force and effect of law and are not meant to bind the public in any way. The manual is intended only to provide clarity to the public regarding existing requirements under the law or agency policies.”

According to the EEOC, the prior version of the manual, last updated in 2008, “did not reflect recent legal developments and emerging issues.” Since 2008, several Supreme Court decisions, as well as decisions from the lower courts, “have altered the legal landscape.” The update includes discussions of recent U.S. Supreme Court decisions and lower court decisions rendered subsequent to the publication of the prior compliance manual.

The updated manual covers topics ranging from discrimination in employment decisions to harassment to reasonable accommodations in the workplace. The manual also discusses the interaction of Title VII of the Civil Rights Act of 1964 (Title VII) with the First Amendment and the Religious Freedom Restoration Act (RFRA).

Religious Beliefs Broadly Defined
For example, the new manual notes that what constitutes religious beliefs is broadly defined. “The presence of a deity or deities is not necessary for a religion to receive protection under Title VII.” Moreover, “religious beliefs can include unique beliefs held by a few or even one individual; however, mere personal preferences are not religious beliefs.” “Individuals who do not practice any religion are also protected from discrimination on the basis of religion or lack thereof.” Finally, the guidance notes that “Title VII requires employers to accommodate religious beliefs, practices and observances if the beliefs are ‘sincerely held’ and the reasonable accommodation poses no undue hardship on the employer.”

Practice Guidance on Accommodations, EEOC Investigations
The manual also lists examples of cases where the EEOC may find discrimination if an employer does not provide a reasonable accommodation—for example, if a supervisor is skeptical about an employee’s sincerely held religious belief.

Finally, the manual provides guidance to EEOC investigators. This will be helpful to employers and legal counsel as well, particularly in defending religious discrimination cases going forward.
https://www.lexology.com/library/detail.aspx?g=3fa4d0bb-713b-4852-b811-ed76fe02551c&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-27&utm_term=

 

State Developments

New York City Council Amends Fair Chance Act To Further Protect Job Applicants And Employees
On December 10, 2020, the New York City Council passed a bill expanding employment protections under the New York City Fair Chance Act, also known as the ban-the-box law (FCA). Mayor Bill de Blasio has until January 9, 2021, to take action on the law, and if he does not sign or veto the law by then, the amendments will become law. The amendments impose hurdles for an employer taking adverse action against job applicants and current employees who have pending criminal charges or arrests, or convictions arising during employment.

The amendments require an employer to make an individualized assessment of the relationship between the charged conduct and the job, using a set of criteria much like the considerations made relating to an individual’s conviction history. The amendments also prohibit an employer from considering an adjournment in contemplation of dismissal or arrest or criminal accusations that do not result in a conviction or are no longer pending.

Existing FCA Requirements
Currently, the FCA incorporates the requirements of the New York State Human Rights Law and the New York Corrections Law, requiring employers to consider eight factors to decide whether a job applicant’s conviction history directly relates to the job applied for, or if the applicant would create an unreasonable risk to property, persons or the general public if hired. The FCA also (i) prohibits inquiries concerning a job applicant’s criminal history until a conditional offer of employment has been made, (ii) requires employers to provide the job applicant with a notice and written analysis of the eight FCA factors, and (iii) provides the job applicant with three business days to respond before a conditional offer of employment can be withdrawn.

Expansions to the FCA
The amendments significantly expand the employment protections of the FCA by imposing the following additional requirements:

Criminal Convictions During Employment
The amendments expressly prohibit adverse employment actions based on an employee’s conviction of a criminal offense, or by reason of finding the person lacks “good moral character” based on such criminal conviction, unless the employer considers the FCA factors and determines (i) the conviction has a direct relationship with the employment held by the person, or (ii) continuation of employment would involve an unreasonable risk to property or to the safety or welfare of any person or the general public. The seven FCA factors applied for criminal convictions during employment are similar to, but differ in a few ways from, the eight factors employers have used to analyze a job applicant’s conviction history.

First, for evaluating a job applicant’s criminal conviction, the employer must consider the length of time since the offense; for criminal convictions that have occurred during employment, there is no such consideration. Second, for evaluating a job applicant’s criminal conviction, the employer must consider the age of the person at the time of the criminal offense; for criminal convictions that have occurred during employment, the employer must consider whether the person was 25 years of age or younger at the time of the criminal offense. Third, the requirement to consider evidence of rehabilitation and good conduct has been expanded to require employers to consider “any additional information produced by the applicant or employee, or produced on their behalf, in regard to their rehabilitation or good conduct, including history of positive performance and conduct on the job or in the community, or other evidence of good conduct.”

After considering the seven FCA factors, an employer follows the same process as before and determines whether (i) there is a direct relationship between the criminal conviction and the employment held by the person, or if (ii) the continuation of employment would involve unreasonable risk to property or to the safety or welfare of specific persons or the general public. An employer is required to provide the employee with an FCA notice setting forth the employer’s analysis, and the employee has at least three business days to respond and provide any additional information for consideration. It is only after this that an employer can take an adverse action against an employee who has been convicted during employment. Note, however, that placing an employee on unpaid leave for a reasonable time while the employer undergoes the process of considering the FCA factors and making a determination is allowed and not deemed to be an adverse action.

Arrests and Pending Criminal Accusations Preceding and During Employment
The amendments also expand the FCA’s protections to a job applicant or employee’s arrest or pending criminal accusation. The same analysis and process for when an employee is convicted during employment applies when a job applicant or employee is arrested or faces a criminal accusation that is pending.

Adverse Action for Making Intentional Misrepresentations
Employers may take adverse action against a job applicant or employee who makes intentional misrepresentations regarding their arrest or conviction record, provided that (i) the adverse action is not based on a failure to provide information that the person was not required to provide, (ii) the employer provides the job applicant or employee with a copy of the documents upon which the determination that an intentional misrepresentation was made; and (iii) the job applicant or employee is provided a reasonable time to respond.

Non-Pending Arrests and Criminal Accusations and Disposition of Charges that an Employer May Not Consider
An employer may not inquire about, or take an adverse action based on, non-pending arrests and criminal accusations, adjournments in contemplation of dismissal unless the matter is restored to the calendar for adjudication, youthful offender adjudications or sealed convictions.

Violations and Non-Criminal Offenses
An employer also may not inquire about, or take adverse action based on, a job applicant or employee having been convicted of (i) a violation, as defined under the New York Penal Law as an offense other than a traffic infraction for which a sentence to a term of imprisonment in excess of 15 days cannot be imposed, or (ii) a conviction of a non-criminal offense, as defined by a law of another state.

Codifying Existing Rule Against Revoking Conditional Offer
The amendments codify an existing rule in the regulations disseminated by the New York City Commission on Human Rights, allowing an employer to revoke a conditional offer of employment only if it is based on (i) the results of a criminal background check performed after the FCA evaluation process has been followed, (ii) the results of a medical exam permitted by the Americans with Disabilities Act, or (iii) any other information the employer could not have reasonably known before making the conditional offer if the employer can show as an affirmative defense that, based on the information, the employer would not have made the offer of employment regardless of the results of the criminal background check.

Requirement to Request Information Relating to FCA Factors
The amendments also codify and expand on the regulations requiring employers to solicit evidence of rehabilitation and good conduct by requiring employers to solicit information concerning all FCA factors.

Pennsylvania Medical Marijuana User May Proceed With Disability Discrimination And Retaliation Claims
A federal court in Pennsylvania held that a medical marijuana user’s claims for disability discrimination and retaliation were sufficiently alleged to survive the employer’s motion to dismiss. Hudnell v. Jefferson University Hospitals, Inc., Civil Action No. 20-01621 (E.D. Pa. Jan. 7, 2021). The employer terminated the employee’s employment after she tested positive for marijuana on a return-to-duty drug test. The employee’s medical marijuana card was expired at the time she tested positive. However, she subsequently renewed it and provided a doctor’s note stating her positive test was consistent with her prescription (pre-expiration).

In September 2020, the employer moved to dismiss the employee’s claims for violation of the Pennsylvania Medical Marijuana Act (MMA), disability discrimination and retaliation. See Hudnell v. Jefferson University Hospitals, Inc., Civil Action No. 20-01621 (E.D. Pa. Sept. 25, 2020). The court denied the motion with respect to the MMA claim, but dismissed without prejudice the disability discrimination and retaliation claims due to the employee’s failure to exhaust her administrative remedies. After exhausting her administrative remedies under the Pennsylvania Human Rights Act (PHRA) and Philadelphia Fair Practice Ordinance (PFPO), the employee re-asserted her disability discrimination and retaliation claims. The employee specifically claimed the employer failed to accommodate her disability and terminated her employment in retaliation for requesting accommodations.

Again, the employer moved to dismiss the claims. First, the employer argued that the employee’s medical marijuana use could not constitute a disability under the PHRA and that using marijuana is not a reasonable accommodation. The court rejected these arguments, reasoning that the employee alleged a specific medical condition (herniated disc and related spinal injuries) and her disability was not solely based on using medical marijuana. The court also found that she had requested several accommodations other than marijuana use — some of which the employer had granted in the past — and that the employer failed to engage in the interactive process. The employer also argued the employee’s report of medical marijuana usage could not constitute protected activity for purposes of the employee’s retaliation claim. But the court found that the employee’s request to split her time between work and home constituted a request for a reasonable accommodation and was sufficient to satisfy her burden on a motion to dismiss. The court further reasoned that it did not matter whether the employee’s medical marijuana usage fell outside of the PHRA’s definition of disability or handicap, because the employee only needed to show that she requested an accommodation in good faith. Her retaliation claim was not contingent on showing an actual disability.

Although the decision is in the early stages of the case, it highlights the fact that medical marijuana use is often intertwined with reasonable accommodation requests and may subject employers to disability discrimination and retaliation claims.
https://www.lexology.com/library/detail.aspx?g=8304d4f0-9ef5-4ad5-9673-291af2a6b008&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-20&utm_term=

9th Circuit Upholds Preemption Of California Meal And Rest Break Rules
The 9th Circuit Court of Appeals has upheld a decision by the Federal Motor Carrier Safety Administration (FMCSA) that FMCSA’s rest break regulations preempt the California meal and rest break rules (CA MRB Rules). The case is International Brotherhood of Teamsters, Local 2785 v. Fed. Motor Carrier Safety Admin.

Background
The FMCSA is a federal agency within the Department of Transportation tasked with issuing regulations on commercial motor vehicle safety. Coupled with that power, the FMCSA is authorized to decide whether state laws on the same topic of safety are preempted. In 2018, the FMCSA made a determination that federal law—the FMCSA’s own rest break regulations—preempts the CA MRB Rules as applied to drivers of property-carrying commercial motor vehicles.

Previously, in 2008, the FMCSA declined to preempt the CA MRB Rules as applied in this context, finding that it lacked authority to preempt because the CA MRB Rules applied beyond just the trucking industry and were thus not “on commercial motor vehicle safety.” In 2018, two associations in the industry requested that the FMCSA revisit its 2008 decision. The FMCSA sought public comment and then decided that the CA MRB Rules were in fact preempted. California’s Labor Commissioner, certain labor organizations (including the Teamsters union), and other named individuals (together, the “Petitioners”) petitioned the 9th Circuit for review of the FMCSA’s preemption determination.

Framework
Under the Motor Carrier Safety Act of 1984 (“MCSA”), if a state law is “additional to or more stringent” than federal regulation, the state law may be enforced unless it is determined by the FMCSA that the state law (1) has no safety benefit, (2) is incompatible with the federal regulation, or (3) would cause an unreasonable burden on interstate commerce if enforced.

The FMCSA’s hours-of-service regulations impose specific limits on the driving time for property-carrying commercial motor vehicle drivers. The CA MRB Rules, on the other hand, cover all employees in California and impose more onerous meal and rest break requirements on those and other drivers, including more frequent breaks and less flexibility as to the timing of those breaks.

The Opinion
The 9th Circuit’s decision is generally good news for members of the trucking industry operating in California. It minimizes the administrative burden and cost of providing for additional breaks for drivers beyond those required by the MCSA.

However, the opinion applies only to those drivers who are subject to the MCSA. For example, certain short-haul drivers who fall into an exception to the hours-of-service rules (49 C.F.R. § 395.3) are still subject to the CA MRB Rules. Motor carriers should carefully assess which of their drivers may be subject to this exception.

Moreover, the Biden administration could take action to overturn the FMCSA decision. There are two possible approaches it could take. First, the Biden administration could attempt to change the FMCSA interpretation without altering the underlying regulation. Such an approach may be vulnerable to attack on the grounds that it is arbitrary and capricious since such a rapid change in view would presumably lack a democratic process, an improved understanding, or a comprehensive analysis of changed circumstances. More likely, the administration will attempt to change the underlying regulations themselves to implement some level of deference to state meal and rest break laws. This approach, which would require notice and comment, could take some time but would be less susceptible to attack in the courts.

The Court’s opinion also does not address the critical issue of FAAAA preemption of state-level misclassification statutes (such as the ABC test in California) currently being faced by the transportation industry.
https://www.arentfox.com/perspectives/alerts/california-motor-carriers-rest-easy-9th-circuit-upholds-preemption-california?utm_source=Arent+Fox+List&utm_campaign=74af677219-EMAIL_CAMPAIGN_2021_01_25_08_30&utm_medium=email&utm_term=0_3a013c8d3d-74af677219-424381702&mc_cid=74af677219&mc_eid=b7fda6897b

Philadelphia Enacts Amendments To And Expands Coverage Of Its Background Screening Ordinances
For years, Philadelphia has maintained ordinances substantially restricting employers’ use of criminal record and credit histories in employment screening.1 These regulations are in addition to, not in lieu of, the federal Fair Credit Reporting Act (FCRA) restrictions applicable nationwide and Pennsylvania’s state-wide Criminal History Record Information Act (CHRIA). The FCRA governs the process for ordering background reports, including criminal background reports, from background check companies (known as “consumer reporting agencies”). The CHRIA restricts the use of criminal records whether or not they are included in a criminal background report.

On January 20, 2021, Mayor Jim Kenney signed three bills amending Philadelphia’s Fair Criminal Record Screening Standards (FCRSS) and credit ban ordinances. Taken together, the bills: (1) expand coverage; (2) eliminate exceptions; and (3) change certain procedures required by the ordinances. The amendments become effective March 21, 2021 and April 1, 2021.2

Expansion of FCRSS to Gig Work and Independent Contractors
Bill No. 200479 expands the FCRSS ordinance’s definition of covered “employee” to “any person employed or permitted to work at or for a Private Employer within the geographic boundaries of the City, including as an independent contractor, transportation network company driver, rideshare driver, or other gig economy worker.” The bill also expands the definition of a covered “private employer” to “any third-party person or entity that facilitates the relationship of work for pay between two other parties, as full-time or part-time employees or as independent contractors.” Therefore, businesses must assess the impact of the panoply of FCRSS regulations and procedures for timing and use of criminal record history information on their independent contractor screening practices.

This may represent a substantial shift in contractor screening practices for some companies because the CHRIA applies only to applicants for employment. (It is unsettled precisely how the FCRA applies to independent contractors. Some authorities recognize such screening as screening for “employment purposes” just like with job applicants and employees.)

Expansion of FCRSS to Current Employees
Before the amendments, most of the FCRSS’s significant restrictions on use of criminal convictions in employment decisions applied by the FCRSS’s plain terms only to “applicants” for employment. These included the FCRSS’s “fair chance” process requirements and prohibitions against automatic exclusionary rules and consideration of criminal convictions over seven years old. The amendments in Bill No. 200479 change that and specify that all of these restrictions and procedural requirements apply also to current employees.3

Change in FCRSS Remedies
The FCRSS affords a private right of action. Pre-amendment, it allowed for the recovery of “punitive damages.” Bill No. 200479, however, changes “punitive damages” to “Liquidated damages, equal to the payment of the maximum allowable salary for the job subject to the complaint for a period of one month,” up to a maximum of $5,000. Given the expansion of the FCRSS in the same bill to independent contractors and gig economy companies, it is unclear how the “maximum allowable salary” will be determined for flexible work arrangements. Likewise, it is unclear if the city council intended the liquidated damages to apply to purely technical violations, such as the timing or procedural requirements under the ordinance, as it would make little sense to afford salary-calculated damages for violations that did not actually cause any income loss. Employers may be concerned that the inclusion of liquidated damages is designed to facilitate class action or mass action cases. In recent years, class action FCRA claims have exploded based on theories of technical violations with little to no real-life harm, in large part because of the FCRA’s provision of statutory damages for violations.4

Elimination of Exceptions to Credit Ban Ordinance
Philadelphia’s credit ban law, which makes employment credit screening off-limits for most employers and jobs, previously exempted “any law enforcement agency or financial institution” from its prohibitions. Bill No. 200413 removes those bright-line exceptions to the credit ban. Now, law enforcement agencies or financial institutions will be allowed to conduct credit screening only if one of the other exceptions in the credit ban ordinance applies, such as where the applicant or employee’s credit information “must be obtained pursuant to state or federal law” or where the “job requires an employee to be bonded under City, state, or federal law.”

Change in Procedures under Credit Ban Ordinance
Bill No. 200614 aligns previously unique procedural requirements when an employer uses credit history for an adverse employment decision with existing FCRA requirements. Before the amendment, the credit ban ordinance required employers to disclose their reliance on credit information to the applicant or employee in writing, and to identify and provide the particular information upon which the adverse decision was based, and also to “give the employee or applicant an opportunity to explain the circumstances surrounding the information at issue before taking any such adverse action.” Now, the amendments make clear that an employer need simply follow the FCRA’s pre-adverse action and adverse action requirements for credit screening. (Employers should be mindful the FCRA’s name—which refers to credit reporting—is somewhat misleading, because it governs all background checks for “employment purposes.”) Because the pre-amendment language did not exactly track the FCRA’s wording, it was unclear whether FCRA compliance alone was sufficient to satisfy the credit ban’s requirement. The amendment puts to rest any question whether the FCRA preempts the ordinance insofar as the ordinance requires such notices.

Conclusion
Philadelphia employers have faced a rash of new and modified obligations in recent months impacting many employment practices, of which the new amendments regarding employment screening are only a part.5 Thus, any employer with operations in Philadelphia must take care to review each area of their employment practices and determine whether modifications are needed to comply with Philadelphia’s many local rules. Meanwhile, gig economy companies and businesses that conduct independent contractor screening may need to make substantial practice changes to comply with the FCRSS’s individualized assessment and attendant “fair chance” requirements. Finally, given the continuing rise in background screening litigation nationwide, the new Philadelphia amendments provide a reminder for employers to review their overall screening programs for compliance under the FCRA, Title VII of the Civil Rights Act of 1964, and local law.
https://www.lexology.com/library/detail.aspx?g=6cecb989-7017-4778-ac37-5a7c8907093b&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-29&utm_term=

 

Court Cases

State AGs Reach $2 Million Settlement To Resolve Data Breach
On December 18, state attorneys general from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York and Oregon announced a $2 million settlement with an online retailer concerning allegations that the retailer failed to promptly and adequately respond to a 2019 data breach that compromised more than 22 million consumers’ personal information. According to the Assurance of Voluntary Compliance, the retailer failed to detect a data breach that allowed an unidentified attacker to obtain information including Social Security numbers and tax identification numbers. After learning about the vulnerability from a third-party security researcher, the retailer issued a patch to remediate the vulnerability and required users to reset passwords on their customer accounts. However, the AGs claim that the retailer took nearly six months to conduct a full investigation into whether its user database had been breached, and, after determining that users’ personal information was for sale on the dark web, later began notifying affected users of the breach.

In addition to paying $2 million to the AGs, which is partially suspended due to the retailer’s financial condition, the retailer—who has not admitted to the alleged violations—has agreed to (i) develop and implement a comprehensive information security program; (ii) design an incident response and data breach notification plan to encompass preparation, detection and analysis, containment, eradication, and recovery; (iii) ensure personal information safeguards and controls are in place, such as encryption, segmentation, penetration testing, risk assessment, password management, logging and monitoring, personal information deletion, and account closure notification; and (iv) ensure third-party security assessments occur biennially for the next five years.
https://www.lexology.com/library/detail.aspx?g=6fe2b666-9e22-47d0-84d5-de01af95b015&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-13&utm_term=

 

International Developments

EU-UK Trade Deal: What It Means for Post-Brexit Data Flows
On December 24, 2020, the European Union and the United Kingdom reached an agreement in principle on the historic EU-UK Trade and Cooperation Agreement (the “Trade Agreement”). For data protection purposes, there is a further transition period of up to six months to enable the European Commission to complete its adequacy assessment of the UK’s data protection laws. For the time being, personal data can continue to be exported from the EU to the UK without implementing additional safeguards.

The UK left the EU on January 31, 2020, and the established transition period will expire on December 31, 2020. Beginning January 1, 2021, the UK will be treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”). Following the expiration of an additional transition period (explained below), transfers of personal data from the EU to the UK will be prohibited unless EU data exporters take further steps to ensure adequacy for personal data. Those steps include entering into the EU Standard Contractual Clauses, implementing Binding Corporate Rules or relying on any of the available derogations in the GDPR. Both the EU and the UK have expressed a desire to grant formal data protection adequacy status to the UK, which would permit the ongoing free transfer of personal data from the EU to the UK without requiring the exporting or importing organizations to take any further steps.

While the Trade Agreement does not include a determination that the UK provides an adequate level of protection for personal data, it does include transitionary provisions stating that transfers of personal data from the EU to the UK will not be considered transfers of personal data to a third country during the Specified Period, and as such, will not be prohibited by the GDPR. The Specified Period begins on January 1, 2021 and ends either (1) on the date on which an adequacy decision in relation to the UK is adopted by the European Commission under Article 45(3) of the GDPR, or (2) four months after the Specified Period begins, which shall be extended by two months unless either the EU or the UK objects. The Trade Agreement also includes provisions that may end the Specified Period if the UK makes changes to its data protection legal framework that is in place as of January 1, 2021, unless the EU agrees upon such change.

As a result of these provisions, personal data may continue to be transferred freely between the EU and UK from January 1, 2021, for the duration of the Specified Period. It is expected that a UK adequacy determination will be adopted in 2021, although it remains to be seen whether that will happen before the end of the Specified Period.

The Trade Agreement also includes a number of more general measures relating to data protection and privacy, including commitments by the EU and UK not to enact measures that would restrict cross-border data flows between the EU and the UK or that would otherwise act as data localization requirements.

Transfers of personal data from the UK to the EU (and from the UK to other jurisdictions recognized by the EU as having adequate data protection) will continue to be permitted by the UK beginning January 1, 2021 without requiring additional measures. The UK government has previously indicated that it will recognize existing adequacy determinations and provided for this in the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

In a statement published on December 28, 2020, the UK Information Commissioner’s Office (the “ICO”) welcomed the data protection provisions of the Trade Agreement. The ICO said:

“This is the best possible outcome for UK organisations processing personal data from the EU. This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.”

The ICO nevertheless recommends that UK-based organizations work with EU organizations to implement cross-border data transfer arrangements to safeguard against any future interruption to the free flow of personal data between the EU and the UK.

Although the Trade Agreement will take provisional effect on January 1, 2021, it must be adopted by the European Council and consented to by the European Parliament before it can be ratified and fully implemented. The Trade Agreement will also need to be approved by the UK Parliament.
https://www.lexology.com/library/detail.aspx?g=aed242f2-bc78-44ea-a31c-46419783952d&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-05&utm_term=

 

Other Developments

2020 Has Been A Busy Year In Privacy Law Both Domestically And Around The Globe
Some of the most striking developments included enforcement of the California Consumer Privacy Act (CCPA) and passage of the California Privacy Rights Act (CPRA) expanding the CCPA; the invalidation of the U.S.-EU Privacy Shield Framework in July; the introduction of a new model for assessing the legitimacy of international data transfers and multiple new standard contractual clauses to govern those transfers; the EU’s introduction of the Digital Services Act and the Digital Markets Act for debate and review; and the passage of legislation closely mirroring Europe’s General Data Protection Regulation (GDPR) in multiple countries, including China and Brazil. For your convenience, click on the link below for a recap of 2020 issues to monitor in 2021.
https://www.lexology.com/library/detail.aspx?g=73cd46dd-f9f6-4c0b-8a6d-79b3804d1edf&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2021-01-05&utm_term=

 
